Re: [TLS] ESNI/ECH: minor progress, much githubbery

[David Fifield]

On Tue, Sep 29, 2020 at 03:55:54PM +0100, Stephen Farrell wrote:
> On 29/09/2020 15:50, Christopher Patton wrote:
> > 
> >> Are there OpenSSL / NSS / etc implementations others can work from?
> >> Probably the best way to lock this in and ship is to write the code.
> >>
> > 
> > There are three implementations I'm aware of, all works in progress:
> > 
> >1. Cloudflare's prototype (written by me):
> >https://github.com/cloudflare/go/pull/30
> >2. boringSSL: https://bugs.chromium.org/p/boringssl/issues/detail?id=275
> >3. NSS: https://bugzilla.mozilla.org/show_bug.cgi?id=1654332
> 
> Mine has a readme at [1]. It works fine for draft-02 to
> draft-04. Later stuff (draft isn't working yet. As I said
> I had parked it for a bit, but am back working on it now.
> 
> [1] https://github.com/sftcd/openssl/tree/master/esnistuff

There is also this, implementing draft-05:
https://www.tunnelbear.com/blog/tunnelbear-implements-encrypted-sni/
https://boringssl-review.googlesource.com/c/boringssl/+/42644

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Thu, Aug 13, 2020 at 01:04:48PM -0700, Carrick Bartle wrote:
> Weird. Thanks for the update. How are you confirming that it's blocked from 
> inside-out?

I couldn't test it myself, so I am relying on the reports of colleagues
in China. GFW Report is able to test directly from China.

Measurement vantage points in China are tricky to get ahold of. A
possible alternative is to use a reflected measurement system in the
style of Quack, which uses infrastructural echo servers:
https://censorbib.nymity.ch/#VanderSloot2018a
https://www.usenix.org/conference/usenixsecurity18/presentation/vandersloot
https://github.com/net4people/bbs/issues/2
Censored Planet does regular Quack measurements, but I don't think they
are testing ESNI yet: https://censoredplanet.org/data/raw

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Fri, Aug 07, 2020 at 05:56:30PM -0600, David Fifield wrote:
> Most of the functions of the Great Firewall work bidirectionally, and
> the ESNI detection and blocking are no exception. Sending an
> ESNI-containing ClientHello from *outside* of China to a server
> *inside* results in temporary blocking, just the same as sending one
> from the inside to the outside. This makes it easy to experiment with,
> even if you don't control a host in China.

Triggering blocking from the outside no longer works. ESNI connections
that originate inside the firewall are still blocked. This was first
observed by GFW report, who were able to isolate the change from
bidirectionality to unidirectional to a five-minute window: between
06:27 and 06:32 UTC on 2020-08-13. I tried it myself, and I confirm that
I am not now able to trigger ESNI blocking from outside the firewall.
https://github.com/net4people/bbs/issues/43#issuecomment-673322409

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Wed, Aug 12, 2020 at 06:51:48AM +, Peter Gutmann wrote:
> David Fifield  writes:
> 
> >Peter is surely referring to the influential "The Parrot is Dead" paper from
> >2013
> 
> Yep, that was it, thanks (at least one person catalogues their reading by the
> looks of it :-).  Thanks for the ref to the followup, can't remember seeing
> that, but doesn't that just reinforce the Parrot paper?

Both papers are about detection, but I would not call one a
reinforcement of the other. Section 4 of "Seeing through
Network-Protocol Obfuscation", "Semantics-based attacks," finds problems
in the attacks proposed by "The Parrot is Dead". The authors design new
styles of attack (Section 5, "Entropy-based attacks", and Section 6,
"ML-based attacks") and apply them to deployed covert communications
systems. But of these systems, only one (FTE) is a "parrot" or mimicry
system (see the trichotomy of categories under "Network protocol
obfuscation" in Section 2). obfs3 and obfs4 are randomizing protocols,
not designed to resemble any particular cover protocol, and meek uses
exactly the tunnelling approach advocated in "The Parrot is Dead,"
sending its requests via a headless Firefox for the sake of a proper TLS
fingerprint (Section 5.1 of https://censorbib.nymity.ch/#Fifield2015a).
The results do not really support the thesis that tunnelling is
essential or necessarily more resistant to blocking, though it remains a
good rule of thumb. Both tunnelling-based and non-tunnelling-based
systems are widely used today, with success in practice.

> The "Grounding Censorship Circumvention in Empiricism" paper is an important
> one too, you need to look at what the attackers are doing otherwise you'll end
> up throwing a ton of crypto at something that makes no difference.  In
> particular in reference to a question someone else asked about ECH and TLS
> 1.3, since it's not defending against anything the censors are doing I can't
> see what its presence or absence would do.  Something like ECH seems like
> classic inside-out design, "here is our cool piece of crypto trickery, and
> whatever it happens to defend against is the threat".

Rob is correct. Blocking on the basis of plaintext SNI is common and
extensively empirically documented. It would be unusual, these days, for
a firewall to support DNS, IP address, and HTTP keyword blocking,
without also supporting SNI blocking. A few examples:
https://ooni.org/post/2020-tls-blocking-india/
We recorded SNI-based blocking on both Bharti Airtel and
Reliance Jio.
https://ooni.org/post/2020-iran-sni-blocking/
To evaluate this methodology, we ran experiments in Iran because
we know that Iran implements SNI based blocking.
https://censorbib.nymity.ch/#Chai2019a Section 4.2
We detect that 21,446 sites are under SNI filtering in China.
One interesting observation is that only 70 websites are
exclusively censored by SNI filtering. In other words, SNI
filtering is almost always used in a combination with other
censorship techniques.
https://ooni.org/post/2019-egypt-blocks-bbc-and-alhurra/
This is quite a strong indication of the presence of some form
of Deep Packet Inspection (DPI) technology that is aware of TLS
and which is most likely fingerprinting the SNI field of the TLS
handshake.
https://censorbib.nymity.ch/#VanderSloot2018a Section 6.4
Unfortunately, SNI places the domain name in clear-text in the
first message sent by the client to the server, making it easy
to detect when a client is connecting to a particular site from
only the first message in a TLS handshake. We find that networks
do interfere based on this first message alone.

But you don't have to take anyone's word for it, at least in the case of
the Great Firewall; this is another aspect that's easy to test from
outside. Start a packet capture on port 443 and send a ClientHello,
containing an SNI field known to be blocked, to a responsive HTTPS host
in China. You will immediately receive three RST packets, which are not
sent by the remote server but are injected by the firewall.

$ openssl s_client -connect www.tsinghua.edu.cn:443 -servername www.facebook.com

10:03:30.857872 IP localhost.60084 > www.tsinghua.edu.cn.https: Flags [S], seq 
864764526, win 64240, options [mss 1460,sackOK,TS val 2739496015 ecr 
0,nop,wscale 7], length 0
10:03:31.188496 IP www.tsinghua.edu.cn.https > localhost.60084: Flags [S.], seq 
4063746934, ack 864764527, win 2105, options [mss 1460,nop,wscale 2,sackOK,TS 
val 202217658 ecr 2739496015], length 0
10:03:31.188555 IP localhost.60084 > www.tsinghua.edu.cn.https: Flags [.], ack 
1, win 502, options [nop,nop,TS val 2739496346 ecr 202217658], length 0
10:03:31.189

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Tue, Aug 11, 2020 at 01:38:50AM -0700, Rob Sayre wrote:
> On Tue, Aug 11, 2020 at 12:14 AM Peter Gutmann 
> 
> There was a paper that looked a traffic morphing published a year
> or two ago that came to the same conclusion, to look like you're Skype or 
> a
> SIP VoIP call you need to actually be Skype or a SIP VoIP call.
> 
> You could link it, perhaps.

Peter is surely referring to the influential "The Parrot is Dead" paper
from 2013, which found discrepancies in so-called "parrot" systems that
superficially imitate some other cover protocol. The authors recommend
not mere imitation, but tunnelling through a real implementation of the
cover protocol (Section XI).
"The Parrot is Dead: Observing Unobservable Network Communications"
https://censorbib.nymity.ch/#Houmansadr2013b
A point of clarification: "The Parrot is Dead" is not about "traffic
morphing" in the restricted sense of Wright et al.
(https://www.freehaven.net/anonbib/#morphing09), which is solely about
shaping packets' sizes, not their contents nor the interpacket timing.

"The Parrot is Dead" is rightly well-regarded, but one should not cite
it without also mentioning some follow-on work, like "Seeing through
Network-Protocol Obfuscation," which found many of the dead-parrot
attacks impractical due to high false-positive rates or easy
remediation. The authors proposed new detection attacks, optimizing for
low false-positive rates and low cost of deployment, in terms of state
and computation.
"Seeing through Network-Protocol Obfuscation"
https://censorbib.nymity.ch/#Wang2015a

It is worth noting that, despite these papers' claims of easy detection
of covert protocols, classification attacks of the type they propose are
not really observed in practice. Available evidence indicates that
network intermediaries, when they block, prefer to block using methods
that are simpler and more robust, generally preferring a large number of
false negatives to a small number of false positives. The following
paper takes a contrarian view and proposes more realistic threat models
based on the observed behavior of blockers: see the three "disconnects"
between research and practice in Section I.
"Towards Grounding Censorship Circumvention in Empiricism"
https://censorbib.nymity.ch/#Tschantz2016a
As an example, "Seeing through Network-Protocol Obfuscation" was
published in 2015, but none of its proposed attacks (Figure 1) have come
to pass, despite their ≈1.0 true-positive rates and ≈0.0 false-positive
rates. obfs3 was defeated by active probing
(https://censorbib.nymity.ch/#Ensafi2015b); even in China obfs4 is
attacked by enumeration at the proxy distributor, not passive detection;
and meek kept working until it was shut down by the CDNs, not the
network blockers it was intended against. (FTE did not have enough users
to make any strong statements about, I think.)

Attempts to infer information about the contents of an encrypted network
stream based on packet size and timing are usually filed under the term
"website fingerprinting." You'll find many papers with that term in the
title at https://www.freehaven.net/anonbib/. I am not as familiar with
that field, but I understand that a common criticism of website
fingerprinting research is that it may use unrealistic data or
assumptions, such that it's not clear that the results generalize or can
be effectively deployed. (There are echoes of this in Table 8 of "Seeing
through Network-Protocol Obfuscation," which reports a large loss in
accuracy when training and testing across corpora.) For a critical look
at research earlier than 2014, see:
"A Critical Evaluation of Website Fingerprinting Attacks"
https://www.freehaven.net/anonbib/#ccs2014-critical

With that said about website fingerprinting, on the topic of inference
using packet sizes, timing, and other metadata, I have been impressed
with this series of articles on inference against TLS and HTTPS, which I
think avoid common missteps:
"Enhanced telemetry for encrypted threat analytics"
http://gen.lib.rus.ec/scimag/?q=10.1109%2FICNP.2016.7785325

"Deciphering Malware's use of TLS (without Decryption)"
https://arxiv.org/abs/1607.01639

"Identifying Encrypted Malware Traffic with Contextual Flow Data"
http://gen.lib.rus.ec/scimag/?q=10.1145%2F2996758.2996768

"Limitless HTTP in an HTTPS World: Inferring the Semantics of
the HTTPS Protocol without Decryption"
http://gen.lib.rus.ec/scimag/?q=10.1145%2F3292006.3300025
https://www.youtube.com/watch?v=pBVu9GEfE1I=80

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Tue, Aug 11, 2020 at 12:08:11AM -0700, Christian Huitema wrote:
> There is also the question of what the anonymity set is. I just did a little
> experiment of resolving 25000 domain names and looking at how many resolved to
> the same IP address (https://huitema.wordpress.com/2020/08/09/
> can-internet-services-hide-in-crowds/). And then I redid the stats with 5
> domain names. Did not find a lot of crowds. 75% of domain names in my sample
> resolve to their very own address, not shared with anybody. Only 8% resolved 
> by
> addresses shared by 10 sites or more, and 1.3% resolved to addresses shared by
> 100 sites or more.  Of course, 1% of the Internet is already something big. 
> But
> still, not quite the whole world...

Here is a related experiment done last year.

"On the Importance of Encrypted-SNI (ESNI) to Censorship Circumvention"
https://censorbib.nymity.ch/#Chai2019a
https://www.usenix.org/conference/foci19/presentation/chai
My capsule summary: https://github.com/net4people/bbs/issues/10

The authors tested an Alexa top 1 million list for blocking from China,
under three different modalities: DNS poisoning, SNI filtering, and IP
address blocking. (The GFW blocked different web sites in different
ways; ESNI is effective against DNS poisoning and SNI filtering but not
IP address blocking.) Of 24,210 domains blocked by either DNS poisoning
or SNI filtering, 16,928 (70%) were additionally blocked by IP address,
so ESNI would not help to unblock them if they remained at their current
hosting. The other 30% of domains would have been unblocked by ESNI.
This analysis, of course, assumes a static situation; if ESNI were
deployed and found to be effective, then blocked sites might choose to
move to shared co-hosting, or the GFW might increase the scope of its IP
address blocking to include addresses with small anonymity sets.

I'll add that it's not just the size of the anonymity set that matters.
The domains that make up the anonymity set, and the cost of blocking
them, matters as well. An anonymity set of 100,000 could still be
blockable if none of the 100,000 is disruptive or costly to block.
(Measure cost however you like: effect on the local economy, for
example.) An anonymity set of size 10 might be hard to block, if just
one of those 10 is one that the would-be blocker greatly cares to
preserve.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Sun, Aug 09, 2020 at 11:15:25PM -0700, Christian Huitema wrote:
> 
> On 8/9/2020 8:31 PM, Peter Gutmann wrote:
> > >From the writeups I've seen, what they're blocking is TLS 1.3, not ESNI.
> 
> Please check David Fitfield's message above in the thread. The research
> that he quoted is quite specific, "The ESNI detector only matches the
> ESNI encrypted_server_name extension 0xffce (draft-ietf-tls-esni-00
> through -06), not the ECH extensions encrypted_client_hello 0xff02,
> ech_nonce 0xff03, outer_extension 0xff04 (draft-ietf-tls-esni-07)."

That's right. The block is specifically against ESNI, not all TLS 1.3.
There is still a minor open question on the issue of ECH extensions
specifically (0xff02, 0xff03, 0xff04). When we tested ECH, we did not
try syntactically well-formed extension values, which proved to be
necessary in the case of ESNI, since the GFW's detector has at least a
rudimentary TLS parser. This leaves open the possibility that a
ClientHello with well-formed ECH extensions would also trigger a block:
https://github.com/net4people/bbs/issues/43#issuecomment-670794117

TLS 1.3 without SNI, ESNI, ECH  not blocked
TLS 1.3 with SNI only   not blocked
TLS 1.3 with ESNI only  blocked
TLS 1.3 with ECH only   still uncertain

The vast majority, I'm sure, of today's TLS 1.3 connections are
unaffected by the GFW's new block, because they do not use ESNI.
(Personally, I argue that it is *because* ESNI is not yet widely used
that it can be effectively blocked now.)

The bidirectional nature of the GFW makes it easy to test blocking
hypotheses, following the instructions at
https://mailarchive.ietf.org/arch/msg/tls/Dae-cukKMqfzmTT4Ksh1Bzlx7ws/.
One can try the 64-byte payload given there, or modify it to remove the
0xffce marker. To capture your own genuine ESNI ClientHello, use
Firefox 68 or later and change these settings in about:config:
network.security.esni.enabled=true
network.trr.mode=3
network.trr.uri=https://mozilla.cloudflare-dns.com/dns-query
network.trr.bootstrapAddress=104.16.249.249
Then visit an ESNI-capable web site. A convenient choice is
https://www.cloudflare.com/cdn-cgi/trace because it has a
"sni=encrypted" or "sni=plaintext" diagnostic.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Thu, Jul 30, 2020 at 11:16:50AM -0700, Christian Huitema wrote:
> Thanks for the report. I think this relates to our ambivalence about the
> requirement for ESNI to not "stick out". That requirement is hard to
> meet, and designs have drifted towards an acceptation that it is OK to
> stick out as long as a sufficiently large share of the traffic does it.
> If that share is large, goes the reasoning, it would be too costly for
> censors to just "drop everything that looks like ESNI". Well, given
> actors like the Great Firewall, one wonders.

There's nothing wrong with that reasoning, in my opinion. To blend in
with a crowd, you can change yourself to match the crowd; or you can
change the crowd to match yourself. My feeling is that ESNI is currently
easy to block (or to put it in terms I like, *inexpensive* to block)
because very few TLS connections use it--nothing valuable depends on it
yet. Whereas if encrypted SNI were somehow deployed suddenly and
massively such that it became a normal feature of TLS connections both
essential and inessential, it would be more difficult (read: expensive)
to block.

After all, even the GFW is not all-powerful. Surely it would prefer to
abolish TLS altogether, but it's too late for that. At this point,
blocking TLS would cost too much--not in terms of implementing firewall
rules, but in how much essential communication it would damage. Put
another way, the GFW itself, and the people who operate/manage it, would
feel some of the pain of blocking.

I don't mean to imply that coordinated deployment is the only path to
success, just saying that if SNI encryption were already widespread,
even an obvious tag like 0xffce would not be a useful distinguisher. And
though I find it useful to think of these things in terms of the costs
of overblocking, it's not an infallible guide. A large organization like
the GFW is made up of many conflicting motivations, and it is as prone
as any other to making bad decisions and enacting policies that are
evidently against its own interests. For that reason I believe it's
possible to reduce the risk surrounding the deployment of encrypted SNI,
but not eliminate it completely.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Possible blocking of Encrypted SNI extension in China

[David Fifield]

On Thu, Jul 30, 2020 at 03:45:48PM +, onoketa wrote:
> The Great Firewall of China may have identified and blocked
> Cloudflare's ESNI implementation.
> 
> I have found that when using a TLS client hello with ESNI extension to
> connect to servers behind Cloudflare's CDN, the connection will be cut
> off after the whole TLS handshake is done. And then that IP address
> will be blocked at the TCP level for several minutes.

There is now a detailed written report on the new phenomenon of ESNI
blocking in China. It was produced by a collaboration of researchers
from Geneva (https://censorship.ai/), GFW Report (https://gfw.report/),
and iYouPort (https://www.iyouport.org/).

https://geneva.cs.umd.edu/posts/china-censors-esni/esni/(English)
https://geneva.cs.umd.edu/zh/posts/china-censors-esni/esni/ (Chinese)

Here are some of the points most likely to be of interest to this group:
 * The detector is not merely matching on the lack of plaintext SNI; it
   is specifically looking for the ESNI extension 0xffce.
 * The ESNI detector only matches the ESNI encrypted_server_name
   extension 0xffce (draft-ietf-tls-esni-00 through -06), not the ECH
   extensions encrypted_client_hello 0xff02, ech_nonce 0xff03,
   outer_extension 0xff04 (draft-ietf-tls-esni-07).
 * The encrypted_server_name extension has to be syntactically correct;
   the detector is not just looking for the byte patter ff cc.
 * Once an ESNI-containing ClientHello is detected, the firewall drops
   packets in the client→server direction for 120 or 180 seconds.
 * The detector runs on all TCP ports, not just 443.

This short payload is sufficient to trigger blocking:
160303003b013703035b72616e646f6d72616e646f6d72616e646f6d7261
6e646f6d72616e646f6d5d00010effce000a53754772
Python code to generate this payload is appended to this message.

Most of the functions of the Great Firewall work bidirectionally, and
the ESNI detection and blocking are no exception. Sending an
ESNI-containing ClientHello from *outside* of China to a server
*inside* results in temporary blocking, just the same as sending one
from the inside to the outside. This makes it easy to experiment with,
even if you don't control a host in China.

To experience ESNI blocking for yourself, choose a responsive TCP port
in China (doesn't have to be port 443), for example
www.tsinghua.edu.cn:80. Begin a TCP ping to the port, for example using
one of these commands:
hping3 -S www.tsinghua.edu.cn -p 80
nping -4 -c 0 --tcp-connect www.tsinghua.edu.cn -p 80
Then send the trigger payload:
printf 
'\x16\x03\x03\x00\x3b\x01\x00\x00\x37\x03\x03[randomrandomrandomrandomrandom]\x00\x00\x00\x01\x00\x00\x0e\xff\xce\x00\nSuGr\x00\x00\x00\x00\x00\x00'
 | nc -4 -v www.tsinghua.edu.cn 80
The TCP pings will stop receiving replies for 120 or 180 seconds, then
will start back up again.



#!/usr/bin/env python3

# Generates a small TLS ClientHello that trigger's the GFW's ESNI detector.
# Writes output to the file minimal.bin.

import struct

from scapy.all import *
load_layer("tls")
from scapy.layers.tls.all import *

# https://tools.ietf.org/html/rfc8446#section-3.4
def var(ceiling, data):
if ceiling < 256:
fmt = ">B"
elif ceiling < 65536:
fmt = ">H"
else:
raise ValueError(ceiling)
return struct.pack(fmt, len(data)) + data

# https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-01#section-5
def encrypted_server_name(suite, group, key_exchange, record_digest, 
encrypted_sni):
return struct.pack(">HH", suite, group) \
+ var(65535, key_exchange) \
+ var(65535, record_digest) \
+ var(65535, encrypted_sni)

clienthello = TLS(
msg = TLSClientHello(
gmt_unix_time = 0x5b72616e, # "[ran"
random_bytes = b"domrandomrandomrandomrandom]",
ciphers = [],
ext = [
# The GFW detector requires a syntactically valid
# server_name_extension, but the actual values it contains may be
# nonsense. Here we use a CipherSuite of 0x5375 ("Su"), a NamedGroup
# of 0x4772 ("Gr"), and zero-length key_exchange, record_digest, and
# encrypted_sni.
TLS_Ext_Unknown(type=0xffce, val=encrypted_server_name(0x5375, 
0x4772, b"", b"", b"")),
],
)
)

TLS(bytes(clienthello)).show()
print(bytes(clienthello))

FILENAME = "minimal.bin"
open(FILENAME, "wb").write(bytes(clienthello))
print("output written to {}".format(FILENAME))

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Fwd: New Version Notification for draft-belyavskiy-fakesni-00.txt

[David Fifield]

On Wed, Feb 20, 2019 at 03:48:18PM -0800, Christian Huitema wrote:
> Out of all the requirements listed in the encryption requirements draft, the
> requirement to "not stand out" is probably the hardest to comply with. The
> current ESNI draft works but usage of ESNI can still be detected. As Dmitri
> points out, there are locales where standing out will enable censorship. So,
> what to do? Well, if we want to not stand out yet carry some information,
> that's pretty much the definition of a hidden channel.
> 
> Would it be possible to engineer a hidden channel in the TLS 1.3 Hello? I bet
> that's quite doable. I am sure that fields like "opaque Random[32]" or "opaque
> legacy_session_id<0..32>" could be used creatively, and there are other fields
> in common extensions that could also be of service. Of course, "could be done"
> does not mean that the IETF will want to standardize it.

There's prior research on embedding covert signaling into TLS as a means
of preventing blocking by middleboxes. The work I'm familiar with is in
the field of decoy routing or refraction networking. There's a list of
papers at https://refraction.network/ and there's a good survey in
Section 2 of https://censorbib.nymity.ch/#Manfredi2018a.

Telex (https://censorbib.nymity.ch/#Wustrow2011a) is a good
representative example. Omitting some details: A router has a private
key r. On a new connection, the client generates a temporary private
key s. The client sets the Random field in its Client Hello to
g^s || H(g^(rs)) for some hash function H. The server, knowing r, can
distinguish this value from random, but other observers cannot. (There
are additional tricks to make g^s uniformly distributed.)

Lately the research has been less about the specific means of covert
signaling, and more about improving security and deployability, for
instance by working of asymmetric routes, or requiring only injection
and not flow blocking. There's been an ISP-scale deployment of one of
the designs, called TapDance: https://censorbib.nymity.ch/#Frolov2017a.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Fwd: New Version Notification for draft-belyavskiy-fakesni-00.txt

[David Fifield]

On Tue, Feb 19, 2019 at 11:04:06PM +0300, Dmitry Belyavsky wrote:
> Please take a look at an initial submission of the draft.
> The draft describes a Fake SNI mechanism intended to cheat DPI systems in
> a case 
> when a DPI system blocks the connection if ESNI is present.
> 
> -- Forwarded message -
> From: 
> Date: Tue, Feb 19, 2019 at 10:43 PM
> Subject: New Version Notification for draft-belyavskiy-fakesni-00.txt
> To: Dmitry Belyavskiy 
> 
> Abstract:
>    The document provides a specification of the Fake Server Name
>    Indication.  Being implemented, the Fake SNI specification provides a
>    way to work around the monitoring solutions without providing any
>    additional information to external observers.

I initially viewed this proposal negatively, but after thinking about it
more during Dmitry's talk today 
(https://datatracker.ietf.org/meeting/104/materials/slides-104-tls-slides-ietf104-tls-fake-sni-00),
I think there are ways in which it can make sense.

The reason I initially viewed it negatively was that it seemed to be a
naive attempt at addressing the "proxy distribution" problem--where you
have to somehow share secret information with your genuine users but not
let it fall into the hands of an adversary, with the challenge that you
don't have a secure way to distinguish genuine users from an adversary.
The draft acknowledges the challenge but, I think, treats it too
lightly, as for me it is the core consideration: "DPI solutions are able
to obtain the DNS _fakesni records as legitimate clients do." It's the
same problem you would face if you were to establish mirror sites to
mitigate blocking: how do you inform your users of the mirror sites'
URLs without also informing the adversary you're protecting against?
Another way way to think about it is: you have a large set of secret
tokens, and you want it so that *anyone* can discover one token, but
*no one* can discover all the tokens.

There's a fair amount of research on secure proxy distribution, but they
all work by imposing limits on the adversary, by leveraging trust
relationships among genuine users, tying discovery to real-world
resources, or some other method. Here is a selection of research:
https://censorbib.nymity.ch/#Nasr2019a
https://censorbib.nymity.ch/#Douglas2016a
https://censorbib.nymity.ch/#Wang2013a
https://censorbib.nymity.ch/#McCoy2011a
The Fake SNI draft's DNS discovery doesn't impose any significant
limits, so if there is only one or a few fake SNIs, I think the idea
won't work against an adversary that can afford to do continuous
polling, even if the set of fake SNIs is rotated frequently.

But if you ensure that each fake SNI value is distributed once and only
once, then I think the idea has some merit. Then, it doesn't help an
adversary to do its own polling, because any SNIs it discovers will
never be used by a legitimate client. It doesn't help if it blocks SNI
values that clients have been seen to use, because those values will not
be used again.

This all assumes trustworthy DNS, so an adversary can't see the SNI
you're about to use before you use it. And it also assumes some level of
colocation, or else there is nothing to prevent an intermediary from
blocking the IP address regardless of SNI. (The same observations apply
to ESNI as well as Fake SNI.)

However, even with one-time-use fake SNI values, the design still has a
problem with replay. The generic attack is described at
https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-04#section-3.1.
The adversary observes a client using an SNI value, then makes its own
connection to the same server using the same SNI value. Now the
adversary knows what particular colocated service on the server the
client is accessing, and even if it cannot block the server entirely
(because of colocation), it can terminate that client's specific
connection. Perhaps the server can check for and reject reused fake SNI
values--but then it also needs to be the case that all (or at least
many) of the users of the server's colocated services use Fake SNI, not
just the ones who are trying to access the services the adversary would
like to block, or else you violate the "Do not stick out" criterion.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?

[David Fifield]

On Tue, Dec 18, 2018 at 12:45:22AM -0600, David Benjamin wrote:
> Thanks for the comment! The PR did try to touch on this, but perhaps I did a
> poor job of wording it:
> https://github.com/tlswg/draft-ietf-tls-esni/pull/124/files#diff-4d2dc9df336bea8e17f5eb4ed7cb1107R511
> 
> The intent is you use the retry keys just for that one retry. Subsequent
> connection attempts revert to the DNS-provided ones. Then the server could
> correlate the initial connection and the immediately-following retry, but that
> initial "connection" was discarded. It's like saying the server can correlate
> the client's ClientHello and Finished. An earlier iteration even placed the
> retry on the same connection, which makes the analog clearer. (Doing it in the
> same connection is rather a mess, so we bounce to a new one.)
> 
> Another possibility might be to require clients treat these like session
> identifiers w.r.t. scoping and lifetime, reducing to something existing, but
> that is more complex, so the simple solution seemed a better starting point.
> 
> Does that address the concern, or have I missed something?

Oh thanks -- I completely missed that.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] ESNI robustness and GREASE PRs - client tracking concerns?

[David Fifield]

On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like 
> the
> group's thoughts on. The goal is to make ESNI more robust and eliminate a 
> bunch
> of deployment risks. The PRs are linked below:
> 
> https://github.com/tlswg/draft-ietf-tls-esni/pull/124

Under this design, the ESNIKeys structure in DNS gains a public_name
field, which is the name against which the client is supposed to verify
handshake, in the event that the server cannot descript the ESNI and
returns a esni_retry_request response. The esni_retry_request structure
contains alternative ESNIKeys for the client to use in its next
connection attempt.

I started to think: what if the alternative ESNIKeys were a standard TLS
extension on their own? The server could tell the client, on each
connection, what ESNIKeys to use for its next connection. The client
would not have to consult the DNS for ESNIKeys for any connection but
the first, as long as the connections were frequent enough that the
ESNIKeys didn't expire.

But then I reflected: this would enable precise tracking of clients. The
server could give different keys to every client--effectively a
cookie--and thereby link past and future connections.

I think similar tracking concerns apply to the public_name design. A TLS
server could publish one global ESNIKeys in DNS. This one, because it is
used by all clients, would not help tracking (within the anonymity set
of ESNI-using clients). But the server could, whenever it receives an
encrypted_server_name extension encrypted with the global ESNIKeys,
pretend that it is unable to decrypt and reply with esni_retry_request
and a unique "cookie" ESNIKeys, which that client, and no other, would
use for future connections.

A unique ESNIKeys per client may not be feasible, if the server has to
do trial decryption using the private component of all the ESNIKeys
cookies it has handed out. There may be a more clever way to do it than
trial description. But anyway a server could define some budget, say,
256 trial decryptions per connection, and instead of a unique ESNIKeys
per client, choose one randomly from a pool of 256. Clients would then
be partitioned into 256 buckets for the lifetime of the ESNIKeys--which
other tracking technique could of course refine further.

I suppose something like this is possible even in the current draft as
written, if the TLS server and DNS server collude. The DNS server could
give different ESNIKeys to different clients, enabling not only the
linking of a DNS request and TLS connection, but the linking of several
TLS connections together.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] ESNI padding the Certificate message

[David Fifield]

On Thu, Dec 13, 2018 at 11:02:54AM -0500, Viktor Dukhovni wrote:
> On Thu, Dec 13, 2018 at 07:51:17AM -0800, Eric Rescorla wrote:
> 
> > Random padding does poorly with repeated trials. So, for instance,
> > if I get to observe a large number of requests from the same client
> > to the same server, you can gradually infer the length of the cert
> > chain.
> 
> Yes, I was aware of this.  But one might also note that may services
> are not behind a CDN, and that data traffic patterns after the
> handshake can also fingerprint the target service.
> 
> Session resumption helps to reduce the number of full handshakes
> that leak some information about the certificate size.
> 
> Users who really want (better) protection against traffic analysis
> should use Tor.  TLS traffic analysis protection from ESNI et. al.
> is IMHO best-effort protection for casual use.
>
> If a user visits just one site (and no others) at a particular CDN,
> absent traffic flow obfuscation ala Tor, the user's TLS traffic
> will eventually stand out from the noise.

Tor does not really offer protection against traffic analysis, apart
from hiding the source and destination IP addresses. In fact a lot of
website fingerprinting research uses Tor as a carrier, *because* it
preserves features of the underlying flow. See for example Table 1 at
https://petsymposium.org/2018/files/papers/issue4/popets-2018-0039.pdf#page=3
Tor pads most of its cells to 514 bytes (https://spec.torproject.org/tor-spec 
§0.2 §3),
and fairly recently (Tor 0.3.1.7, 2017-09-18) it sends padding cells
during quiet periods in order to collapse long-term netflow records
(https://spec.torproject.org/padding-spec §2), but neither of these are
designed to defend against website fingerprinting attacks; on the
contrary, they introduce fingerprints that make it easier to detect the
use of Tor inside a tunnel.

Don't miss an important use case. Tor and ESNI are not mutually
exclusive. A user may want to use ESNI in order to *reach* Tor (or any
other service offering additional security properties). ESNI is not just
for HTTPS web pages; it's for any TLS service (or service that can be
tunnelled in TLS). But any such service is useless if an intermediary
can block the server hosting it. This is where ESNI can be of help.

I wouldn't put repeated trials to infer a randomized value, and analysis
of encrypted application-layer traffic characteristics, in the same
class of difficulty, and reason that if the latter is possible, there's
no reason to defend against the former. I think part of the reason that
Tor does not (yet) do traffic flow obfuscation is that it hasn't been
necessary. The networks that block Tor don't do it on that basis. That's
not to say it's not something to think about, just that empirically it
hasn't proven as pressing as other considerations. Things like Cisco ETA
(https://www.theregister.co.uk/2017/06/22/ciscos_encrypted_traffic_fingerprinting_turned_into_product/,
https://github.com/cisco/joy#relation-to-cisco-eta, 
https://arxiv.org/abs/1607.01639)
show the commercial world at least reaching for such capabilities, but
my understanding is that it's still far short of an operational
"identify this HTTPS site" feature.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] ESNIKeys over complex

[David Fifield]

On Sat, Dec 08, 2018 at 06:38:30PM +0200, Ilari Liusvaara wrote:
> While thinking about the previous, I ran into some issues with the
> split mode. Firstly, if the fronting server does not encrypt the
> client_hello when transmitting it to backend server, passive attack
> can match incoming connections with backend servers. This reduces
> anonymity set to a single backend server (a lot smaller set).
> 
> And secondly, even if server encrypts the client_hello, but does not
> use a tunnel to backend, if server does not have client hello replay
> filtering (and such filtering is hard on typical fronting servers),
> replay attacks and some very simple traffic analysis can discover the
> backend server (again reducing the anonymity set by a lot).
> 
> This means that the fronting server should have an encrypted tunnel
> with the backend server (and there is likely double encryption).

I see--you're thinking of an observer who can see "both sides" of a
connection: the link between the Client and the Client-Facing Server,
and the link between the Client-Facing Server and the Backend Server.
I agree: such an observer could, through timing analysis, deanonymize
client connections (i.e., tell which Backend Server the Client is
accessing, as if it were accessing directly and not through the
Client-Facing Server). I suppose to really defend against a global
observer, you would need some kind of mixnet.

It looks like a little bug in the draft. I've checked just now and I
don't see that it says exactly *where* the observer is. I had assumed
that the observer only sees the Client–Server link (in Shared Mode) or
the link between Client and Client-Facing Server (in Split Mode).

I don't understand your point about replay and encrypting the Client
Hello. An observer doesn't need to see the contents of the Client Hello
to identify a Backend Server--the destination IP address is enough. I
don't see what specific attack you have in mind using replay, but it
seems to me that even an encrypted tunnel is insufficient. Unless the
encrypted tunnel additionally obfuscates packet sizes and timing, an
observer can correlate e.g. burst sizes and match incoming flows to
outgoing flows, in the manner of website fingerprinting.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] WGLC for draft-ietf-tls-sni-encryption

[David Fifield]

On Wed, Oct 17, 2018 at 07:25:38PM -0700, Eric Rescorla wrote:
> >> As it is, there are a number of servers which desperately require
> >> the presence of TLS extension SNI, or will fail TLS handshakes either
> >> by choking and dropping connections (Microsoft IIS 8.5+) or by
> >> very unhelpful alerts (several others), and also HTTP/2.0 requires
> >> unconditional cleartext presence of TLS extension SNI.  Any kind of
> >> heuristics-based approach for clients to guess whether or not to
> >> send TLS extension SNI is flawed from the start.  If a network
> >> middlebox can make a client present a cleartext TLS extension SNI
> >> by refusing connections without cleartext TLS extension SNI,
> >> the entire effort becomes pretty useless.
> >
> > Yes, clients must not fall back to cleartext SNI in this case.
> 
> Please give a clear deterministic algorithm how a client can
> tell apart a server that requires cleartext SNI from a server
> that does not want cleartext SNI.
> 
> 
> This isn't really the relevant question, as there are many servers
> now which do not require SNI.
> 
> The relevant question is how a client can be made aware that
> a server does support ESNI and can have high confidence that
> it will accept it. Such an algorithm is provided in:
> https://tools.ietf.org/html/draft-ietf-tls-esni-01#section-4
> 
> Note that as explained in detail, it is not necessary that all clients
> send ESNI to that server.


Right -- it's not a matter of a server requiring or not requiring ESNI.
The way I understand it, a server that supports ESNI merely affords
clients an opportunity to better protect themselves -- it is still the
client's responsibility to resist downgrades, and to somehow discover
(through DNS or otherwise) that the server supports ESNI in the first
place. I imagine that most servers that support ESNI will continue to
simultaneously support plaintext SNI connections.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls