Ben Schwartz wrote:
> Martin Rex <[email protected]> wrote:
>
>> Ben Schwartz wrote:
>>>
>>> Like a lot of people here, I'm very interested in ways to reduce the
>>> leakage of users' destinations in the ClientHello's cleartext SNI. It
>>> seems like the past and current proposals to fix the leak are pretty
>>> difficult, involving a lot of careful cryptography and changes to clients
>>> and servers.
>>
>> It is formally provable that there is no solution to the problem
>> that you're describing.
>
> Perhaps I'm not trying to solve the problem that you're thinking of?
>
> Here's an example:
> Wordpress.com uses HTTPS, with a wildcard certificate (*.wordpress.com) for
> all its hosted blogs, which have domains of the form
> myblogname.wordpress.com. A passive adversary watching traffic to
> Wordpress.com can currently determine which blog each client IP address is
> accessing by observing the IP source address and the TLS SNI in the
> ClientHello message.
>
> With this proposal, if Wordpress were to set an SNI DNS record on each
> subdomain, with empty RDATA, compliant clients would omit SNI when
> contacting the Wordpress server. Connections would still work fine, but
> the passive adversary would no longer know which client is accessing which
> blog.
>
> Is there something wrong with this example that I am missing?

You don't understand the purpose of SNI and how the (already weak)
rfc2818 section 3.1 server endpoint identification and CABrowser Forum
public CA Domain validation has been designed to work.

Wordpress.com isn't using SNI at all, so the ultimate solution would be
for the client to entirely omit SNI from ClientHello.

wordpress itself could achieve just the same by using URLs of the kind

    blogs.wordpress.com/blogname

with a cert issued to blogs.wordpress.com

rather than

    blogname.wordpress.com

with a cert issued to *.wordpress.com

You might eventually want to check with the logging functionality
of Adblockers (such as uBlock) or browser plugins like "Collusion",
to how many different servers & domains a typical server (including
*.wordpress.com) publishes (HTTP-Referer) where the user just went.

The decision to register a distinct & separate name in DNS is an explicit
and obvious desire to **PUBLISH** this information. If you do not
want to publish information, DO NOT REGISTER it in the DNS, so that it
will never appear in SNI, in DNS lookups, or in DV-validation
request for obtaining a TLS server cert from a public CA.

Btw. your adversary will see the cleartext DNS lookup prior to the
TLS handshake, and tell accesses to multiple different blogs apart by
looking at the size of the responses.

-Martin

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
