Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-18 Thread Andrew Alston - IETF 
Hi Marwan,

While refraining from commenting on this point on the body of your email, I do 
feel compelled to remind that all postings and contributions are covered by the 
notewell at https://www.ietf.org/about/note-well/

Specifically:

• As a participant in or attendee to any IETF activity you acknowledge that 
written, audio, video, and photographic records of meetings may be made public.

Thanks

Andrew


From: TLS  On Behalf Of Marwan Fayed
Sent: Tuesday, October 18, 2022 3:01 PM
To: tls@ietf.org
Subject: Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

Folks,

A personal opening set of words for the public audience: The comments
below are not for public use outside the mailing list without
discussion or consent; it would be far too easy to take these words
out of context for use by special interests.

A big thanks for the thoughtful replies. The contents of this thread
so far suggest that the design of ECH, and specifically the outer-SNI,
either strongly affects or is strongly affected by deployment matters.
I claim that outer-SNI and deployment are entwined and cannot be
disentangled.

The design of outer-SNI makes assumptions and/or has dependencies, and
with details that are subtle. We might claim that deployment matters
are separate and independent, but that cannot be true if there are
logical and direct technical effects on or by servers, clients, and
the Internet that connects them. "I claim" that the community is both
professionally and ethically obliged [6] to consider deployment
matters. Also within the bounds of IETF, arguably any wg charter is
supplemented or superseded by the IETF Mission Statement and
Principles in RFC3935 [8, 9] that, in context of this thread, is full
of statements that compel consideration of deployment matters.

Permit me to be direct: There are sound technical reasons that the
current design of outer-SNI may achieve the exact opposite of what ECH
sets out to do and/or, quite possibly, that outer-SNI has an adverse
effect on the health of the Internet ecosystem. As a motivating
opener, the technical community lives and breathes notions of
“everything has a trade-off” and “nothing comes for free.” In that
spirit, I note that the challenges faced by the original ESNI in 2018
have not disappeared; at best, outer-SNI has shifted challenges from
‘middleboxes’ (although not entirely) to the clients and servers at
the endpoints. Those trade-offs and impacts should at least be
acknowledged, if not actioned.

So, first technical point: Each and every claim that bolsters ECH by
notions of “IP is identity” is a logical fallacy or factually
incorrect, and is duly ignored. For the purpose of illustration,
expansions and explanations are provided in 'Appendix' trailing this
post. However, it is of course true that “IP blocking is
easier/cheaper than SNI filtering or blocking.” Focussing on
outer-SNI, then, I’ve ‘bucketed’ the deployment details as follows:

1. Reason to revisit: ECH appears to violate the Anonymity Trilemma.
2. Server-side assumptions, considerations, and vulnerabilities.
3. Client-side considerations; inconsistent privacy means misinformed clients
4. Next steps
References
Appendix


1. The Anonymity Trilemma [7] states, “an [anonymous communication
protocol] can only achieve two out of the following three properties:
strong anonymity…, low bandwidth overhead, and low latency overhead.”

If the trilemma exists, and there is no reason to believe it doesn’t,
then it is violated by the ECH. But if and since it is a lemma, it
cannot be violated. So either it is not a lemma, OR ECH doesn’t
violate the lemma directly, which means that ECH must be imposing a
cost, or sacrifices, of one of those properties elsewhere --- and
deserves to be inspected more closely on that basis.

Clearly, ECH is low latency and low b/w overhead, which leaves
anonymity. Note that privacy in ECH is achieved via an anonymity set
of domain names -- not of clients nor operators. In effect, privacy is
conferred on clients by ‘proxy’ of the outer-SNI. If the lemma is
true, then the gained or perceived privacy must be ‘paid’ by some
other means.

Indeed, (i) if an operator is small, or a single IP has few-to-1
domain names, then anonymity doesn’t exist; or (ii) if the operator is
large or there are lots of domain names then anonymity comes at the
cost of the operator’s identity that cannot be reliably assumed or
understood by IP (see Appendix).

I have no wish to make the following statement, especially given the
hard work that’s gone into ECH and that it’s something (certainly I
find) highly desirable, but here goes: On the basis of the lemma, one
could humbly reason that ECH fails to provide privacy as it should be
because it either offers little-to-no more privacy in some cases, or
achieves some level of privacy strictly by always trading operator
identity.

Only the wg can determine whether that means ECH meets, or is unable
to meet, its stated privacy

[TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-16 Thread Andrew Alston - IETF 
Hi TLS Working Group,

Writing strictly in personal capacity wearing no other hats.

The email with the above subject line was brought to my attention, and having 
read it, I felt the need to subscript to the list and make some observations

> Having said that, mine is a new personality to many in the wg. So, ECH
> being an understandably sensitive topic, a few (personal) qualifiers
> before the main discussion: (i) Yes, the purpose of this note is to
> raise matters related to larger-scale risks to content operators,
> their end-users, and maybe customers; also (ii) no, none of the
> discussion suggests that ECH should be halted.

> **Short setup**: There is more attention than ever on Internet
> operations from non-Internet governance and, in this context, it is
> possible that ECH presents a greater risk to the Internet than
> benefit, if deployed. And as a result, it is possible that servers and
> content operators *may* have more reasons not to deploy.

I want to say to the TLS working group that in my experience, working for an 
operator, the exact opposite of this is true.  In fact, the faster that ECH 
goes into production the better, and this is both from a privacy perspective 
and a legal perspective.

Recently, a content broadcaster issued take down notices in Kenya for more than 
800 sites that apparently contained pirated live streams of sports games.  They 
demanded that all such sites be blocked forthwith.  The sites were not hosted 
by the providers these notices were issued to, they were general across the 
internet.  Using a clause in the current Kenyan law, when the take down notices 
were ignored, they sued one of the ISP's and the largest of the mobile networks 
in Kenya under an obscure clause in the copyright act.  They won the case and 
the case is now going to appeal.  (See 
https://www.businessdailyafrica.com/bd/corporate/companies/safaricom-loses-fight-over-dstv-pirating-dispute-3858050)

The only real hope to get this overturned is to argue that what they are asking 
for is impractical and cannot be done.  ECH - apart from being a good idea in 
terms of privacy and other aspects, is also a critical part of the arguments 
that will be made, because while now using the SNI, ISP's can filter based on 
the domains, once ECH is there, it becomes impossible to see even the domains, 
and practicality kicks in here.  So, rather than creating legal risk, ECH 
creates a situation where absurdity can be fought against in a court of law.

Basically - ECH takes what these broadcasters are asking for from the 
impractical, bizarre and damaging to the internet and makes it almost 
impossible to do on any scale, and this argument is almost sure to end up in 
court soon, citing the draft and the fact that ECH exists in beta form in 
multiple browser implementations.  

So - Rather than arguing that ECH creates liability, from my perspective, ECH 
REDUCES liability, because strengthens the case for "plausible deniability" and 
gives far stronger teeth to the argument that the ISP cannot filter what the 
ISP cannot see.

I long for the day this goes to last call - and gets ratified - because 
speaking with an operator hat on - particularly in my part of the world - it 
will be a welcomed and applauded development.

Thanks

Andrew


___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls