| RFC 8744 | TLS-SNI Encryption Requirements | July 2020 |
| Huitema | Informational | [Page] |
This document describes the general problem of encrypting theServer Name Identification (SNI) TLS parameter. The proposedsolutions hide a hidden service behind a fronting service,only disclosing the SNI of the fronting service to externalobservers. This document lists known attacks againstSNI encryption, discusses the current "HTTP co-tenancy" solution,and presents requirements for future TLS-layer solutions.¶
In practice, it may well be that no solution can meet every requirementand that practical solutions will have to make some compromises.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8744.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Historically, adversaries have been able to monitor the use of webservices through three primary channels: looking at DNS requests, lookingat IP addresses in packet headers, and looking at the data stream betweenuser and services. These channels are getting progressively closed.A growing fraction ofInternet communication is encrypted, mostly using Transport Layer Security(TLS)[RFC8446].Progressive deployment of solutions like DNS overTLS[RFC7858] and DNS over HTTPS[RFC8484]mitigates the disclosure of DNS information. More andmore services are colocated on multiplexed servers, loosening therelation between IP address and web service. For example, in virtual hostingsolutions, multiple services can be hosted as co-tenants on the same server,and the IP address and port do not uniquely identify a service. In cloud orContent Delivery Network (CDN) solutions, a given platform hosts the servicesor servers of a lot of organizations, and looking up what netblockan IP address belongs to reveals little. However, multiplexed serversrely on the Server Name Information (SNI) TLS extension[RFC6066] to direct connectionsto the appropriate service implementation. This protocol elementis transmitted in cleartext. As the other methods of monitoring getblocked, monitoring focuses on the cleartext SNI. The purposeof SNI encryption is to prevent that and aid privacy.¶
Replacing cleartext SNI transmission by an encrypted variant willimprove the privacy and reliability of TLS connections, but the designof proper SNI encryption solutions is difficult.In the past, there have been multiple attempts at defining SNI encryption.These attempts have generally floundered, because the simple designs failto mitigate several of the attacks listed inSection 3. In the absence ofa TLS-level solution, the most popular approach to SNI privacy for webservices is HTTP-level fronting, which we discuss inSection 4.¶
This document does not present the design of a solution butprovides guidelines for evaluating proposed solutions. (The review ofHTTP-level solutions inSection 4 is notan endorsement of these solutions.)The need for related work on the encryption of the Application-LayerProtocol Negotiation (ALPN) parameters of TLS is discussed inSection 3.7.1.¶
The SNI extension was specified in 2003 in[RFC3546] to facilitate managementof "colocation servers", in which multiple services shared the same IPaddress. A typical example would be multiple websites served by thesame web server. The SNI extension carries the name of a specificserver, enabling the TLS connection to be established with the desiredserver context. The current SNI extension specification can befound in[RFC6066].¶
The SNI specification allowed for different types of server names,though only the "hostname" variant was specified and deployed. In thatvariant, the SNI extension carries the domain name of the targetserver. The SNI extension is carried in cleartext in the TLS "ClientHello"message.¶
The SNI was defined to facilitate management of servers, but thedevelopers of middleboxes found out that they could takeadvantage of the information. Many examples of such usage arereviewed in[RFC8404]. Other examples came outduring discussions of this document. They include:¶
The SNI is probably also included in the general collection of metadataby pervasive surveillance actors[RFC7258],for example, to identify servicesused by surveillance targets.¶
The cleartext transmission of the SNI was not flagged as a problemin the Security Considerations sections of[RFC3546],[RFC4366], or[RFC6066]. These specifications did not anticipate thealternative usage describedinSection 2.1. One reason may be that, whenthese RFCs were written, theSNI information was available through a variety of other means,such as tracking IP addresses, DNS names, or server certificates.¶
Many deployments still allocate different IP addresses to differentservices, so that different services can be identified by their IPaddresses. However, CDNs commonlyserve a large number of services through a comparatively smallnumber of addresses.¶
The SNI carries the domain name of the server, which is also sent aspart of the DNS queries. Most of the SNI usage described inSection 2.1could also be implemented by monitoring DNS traffic or controlling DNSusage. But this is changing with the advent of DNS resolversproviding services like DNS over TLS[RFC7858]or DNS over HTTPS[RFC8484].¶
The subjectAltName extension of type dNSName of the server certificate(or in its absence, the common name component) exposesthe same name as the SNI. In TLS versions 1.0[RFC2246], 1.1[RFC4346],and 1.2[RFC5246], servers send certificates in cleartext,ensuring that there would be limited benefits in hiding the SNI. However,in TLS 1.3[RFC8446], server certificates areencrypted in transit.Note that encryption alone is insufficient to protect server certificates;seeSection 3.1 for details.¶
The decoupling of IP addresses and server names, deployment of DNS privacy, and protection of server certificate transmissions all contribute to user privacy in the face of an RFC 7258-style adversary[RFC7258]. Encrypting the SNI complements this push for privacy and makes it harder to censor or otherwise provide differential treatment to specific Internet services.¶
Deploying SNI encryption helps thwart most of the unanticipated SNI usages,including censorship and pervasive surveillance, but it alsowill break or reduce the efficacy of the operational practices andtechniques implemented in middleboxes, as described inSection 2.1. Most ofthese functions can, however, be realized by other means. For example, some DNS serviceproviders offer customers the provision to "opt in" to filtering servicesfor parental control and phishing protection. Per-stream QoS could be provided bya combination of packet marking and end-to-end agreements. AsSNI encryption becomes common, we can expect more deployment of such "end-to-end"solutions.¶
At the time of this writing, enterprises have the option of installing afirewall performing SNI filtering toprevent connections to certain websites. With SNI encryption, this becomes ineffective.Obviously, managers could block usage of SNI encryption in enterprise computers, butthis wide-scale blocking would diminish the privacy protection of traffic leaving theenterprise, which may not be desirable.Enterprise managers could rely instead on filtering software and managementsoftware deployed on the enterprise's computers.¶
Over the past years, there have been multiple proposals to add an SNI encryptionoption in TLS. A review of the TLS mailing list archives shows thatmany of these proposals appeared promising but were rejectedafter security reviews identified plausible attacks. In this section,we collect a list of these known attacks.¶
The simplest SNI encryption designs replace the cleartext SNI in the initial TLS exchange withan encrypted value, using a key known to the multiplexed server. Regardless of theencryption used, these designs can be broken by a simple cut-and-paste attack, which worksas follows:¶
One of the goals of SNI encryption is to prevent adversaries from knowing whichhidden service the client is using. Successful cut-and-paste attacks break that goal byallowing adversaries to discover that service.¶
It is easy to think of simple schemes in which the SNI is encrypted or hashed using ashared secret. This symmetric key must be known by the multiplexed server and byevery user of the protected services. Such schemes are thus very fragile, since thecompromise of a single user would compromise the entire set of users and protectedservices.¶
Encrypting the SNI may create extra load for the multiplexed server. Adversaries may mountdenial-of-service (DoS) attacks by generating random encrypted SNI values and forcing themultiplexed server to spend resources in useless decryption attempts.¶
It may be argued that this is not an important avenue for DoS attacks,as regular TLS connectionattempts also require the server to perform a number of cryptographic operations. However,in many cases, the SNI decryption will have to be performed by a front-end componentwith limited resources, while the TLS operations are performed by the component dedicatedto their respective services. SNI-based DoS attacks could target the front-end component.¶
In some designs, handshakes using SNI encryption can be easily differentiated from"regular" handshakes. For example, some designs require specific extensions inthe ClientHello packets or specific values of the cleartext SNI parameter.If adversaries can easily detect the use of SNI encryption,they could block it, or they could flag the users of SNI encryption forspecial treatment.¶
In the future, it might be possible to assume that a large fraction of TLS handshakesuse SNI encryption. If that were the case, the detection of SNI encryption wouldbe a lesser concern. However, we have to assume that, in the near future, onlya small fraction of TLS connections will use SNI encryption.¶
This requirement to not stick out may be difficult to meet in practice, as noted inSection 5.¶
TLS 1.3[RFC8446] is designed to provide forward secrecy, so that (for example) keys used in past sessions will not be compromised even if the private key of the server is compromised. The general concerns about forward secrecy apply to SNI encryption as well. For example, some proposed designs rely on a public key of the multiplexed server to define the SNI encryption key. If the corresponding private key should be compromised, the adversaries would be able to process archival records of past connections and retrieve the protected SNI used in these connections. These designs fail to maintain forward secrecy of SNI encryption.¶
We can design solutions in which a frontingservice acts as a relay to reach the protected service. Some of thosesolutions involve just one TLS handshake between the client and the fronting service.The master secret is verified by verifying a certificate provided bythe fronting service but not by the protected service.These solutions expose the client to a MITM attack bythe fronting service. Even if the clienthas some reasonable trust in this service, the possibility of aMITM attack is troubling.¶
There are other classes of solutions in which the master secret is verified byverifying a certificate provided by the protected service. These solutions offermore protection against a MITM attack by the fronting service.Thedownside is that the client will not verify the identity of the fronting service,which enables fronting server spoofing attacks, such as the "honeypot" attackdiscussed below. Overall, end-to-end TLS to the protected service is preferable,but it is important to also provide a way to authenticate the fronting service.¶
The fronting service could be pressured by adversaries.By design, it could be forced to deny access tothe protected service or to divulge which client accessed it. Butif a MITM attack is possible, the adversaries would also be able to pressurethe fronting service into intercepting or spoofing the communications betweenclient and protected service.¶
Adversaries could also mount an attack by spoofing the fronting service. Aspoofed fronting service could act as a "honeypot" for users ofhidden services. At a minimum, the fake server could record the IPaddresses of these users. If the SNI encryption solution places toomuch trust on the fronting server, the fake server could alsoserve fake content of its own choosing, including various forms ofmalware.¶
There are two main channels by which adversaries can conduct thisattack. Adversaries can simply try to mislead users into believingthat the honeypot is a valid fronting server, especially if thatinformation is carried by word of mouth or in unprotected DNSrecords. Adversaries can also attempt to hijack the traffic to theregular fronting server, using, for example, spoofed DNS responsesor spoofed IP-level routing, combined with a spoofed certificate.¶
The SNI encryption requirement does not stop with HTTP over TLS.Multiple otherapplications currently use TLS, including, for example, SMTP[RFC3207],DNS[RFC7858], IMAP[RFC8314],and the Extensible Messaging and Presence Protocol (XMPP)[RFC7590]. These applications, too,will benefit from SNI encryption.HTTP-only methods, like those described inSection 4.1,would not apply there. In fact, even for the HTTPS case, the HTTPS tunnelingservice described inSection 4.1 iscompatible with HTTP 1.0 and HTTP 1.1but interacts awkwardly with the multiple streams feature of HTTP/2[RFC7540].This points to the need for an application-agnostic solution, which would beimplemented fully in the TLS layer.¶
The Application-Layer Protocol Negotiation (ALPN) parameters of TLS allow implementations to negotiate the application-layer protocol used on a given connection. TLS provides the ALPN values in cleartext during the initial handshake. While exposing the ALPN does not create the same privacy issues as exposing the SNI, there is still a risk. For example, some networks may attempt to block applications that they do not understand or that they wish users would not use.¶
In a sense, ALPN filtering could be very similar to the filteringof specific port numbers exposed in some networks. This filtering by portshas given rise to evasion tactics in which various protocols are tunneledover HTTP in order to use open ports 80 or 443. Filtering by ALPN wouldprobably beget the same responses, in which the applications just moveover HTTP and only the HTTP ALPN values are used.Applications would notneed to do that if the ALPN were hidden in the same way as the SNI.¶
In addition to hiding the SNI, it is thus desirable to also hide the ALPN. Of course, this implies engineering trade-offs. Using the same technique for hiding the ALPN and encrypting the SNI may result in excess complexity. It might be preferable to encrypt these independently.¶
The TLS handshake is also used over other transports, such as UDPwith both DTLS[DTLS-1.3] andQUIC[QUIC]. The requirement toencrypt the SNI applies just as well for these transports as for TLS overTCP.¶
This points to a requirement for SNI encryption mechanisms to alsobe applicable to non-TCP transports such as DTLS or QUIC.¶
In the absence of TLS-level SNI encryption, many sites rely on an "HTTP co-tenancy" solution, often referred to as "domain fronting"[DOMFRONT]. The TLS connection is established with the fronting server, and HTTP requests are then sent over that connection to the hidden service.For example, the TLS SNI could be set to "fronting.example.com" (the fronting server), and HTTP requests sent over that connection could be directed to "hidden.example.com" (accessing the hidden service). This solution works well inpractice when the fronting server and the hidden serverare "co-tenants" of the same multiplexed server.¶
The HTTP domain fronting solution can be deployed without modification to the TLS protocol and does not require using any specific version of TLS. There are, however, a few issues regarding discovery, client implementations, trust, and applicability:¶
The discovery issue is common to most SNI encryption solutions.The browser issue was solved in[DOMFRONT] byimplementing domain fronting as a pluggable transport for the Tor browser. Themulti-protocol issue can be mitigated by implementing otherapplications over HTTP, for example, DNS over HTTPS[RFC8484]. The trust issue, however, requiresspecific developments.¶
The HTTP domain fronting solution places a lot of trust in the fronting server. This required trust can be reduced by tunneling HTTPS in HTTPS, which effectively treats the fronting server as an HTTP proxy. In this solution, the client establishes a TLS connection to the fronting server and then issues an HTTP connect request to the hidden server. This will establish an end-to-end HTTPS-over-TLS connection between the client and the hidden server, mitigating the issues described inSection 3.6.¶
The HTTPS-in-HTTPS solution requires double encryption of every packet. Italso requires that the fronting server decrypt and relay messages to thehidden server. Both of these requirements make the implementation onerous.¶
Clients would see their privacy compromised if they contacted the wrongfronting server to access the hidden service, since this wrong servercould disclose their access to adversaries. This requires a controlledway to indicate which fronting server is acceptable by the hidden service.¶
This problem is similar to the "word of mouth" variantof the "fronting serverspoofing" attack described inSection 3.6. The spoofingwould be performed by distributing fake advice, such as "to reachhidden.example.com, use fake.example.com as a frontingserver", when "fake.example.com" is under the control of anadversary.¶
In practice, this attack is well mitigated when the hidden service is accessed through a specialized application. The name of the fronting server can then be programmed in the code of the application. But the attack is harder to mitigate when the hidden service has to be accessed through general-purpose web browsers.¶
There are several proposed solutions to this problem, such as creatinga special form of certificate to codify the relation between the fronting andhidden server or obtaining the relation between the hidden and fronting servicethrough the DNS, possibly using DNSSEC, to avoid spoofing.The experimentdescribed in[DOMFRONT] solved the issue byintegrating with the Lantern Internet circumvention tool.¶
We can observe that CDNs have a similar requirement.They need to convince the client that "www.example.com" can be accessedthrough the seemingly unrelated "cdn-node-xyz.example.net". Most CDNs havedeployed DNS-based solutions to this problem. However, the CDN oftenholds the authoritative certificate of the origin. There is, simultaneously,verification of a relationship between the origin and the CDN (through thecertificate) and a risk that the CDN can spoof thecontent from the origin.¶
The ORIGIN frame defined for HTTP/2[RFC8336] can be used to flag content provided by the hidden server. Secondary certificate authentication[HTTP2-SEC-CERTS] can be used to manage authentication of hidden server content or to perform client authentication before accessing hidden content.¶
This document lists a number of attacks against SNI encryption in Sections3 and4.2 and presents a list of requirements to mitigate these attacks. Current HTTP-based solutionsdescribed inSection 4 only meet some ofthese requirements. In practice, it may well be that no solution can meetevery requirement and that practical solutions will have to make somecompromises.¶
In particular, the requirement to not stick out, presented inSection 3.4, may have to be lifted,especially for proposed solutions that could quickly reach large-scaledeployments.¶
Replacing cleartext SNI transmission by an encrypted variant will break or reduce the efficacy of the operational practices and techniquesimplemented in middleboxes, as described inSection 2.1. As explained inSection 2.3, alternative solutions will have to be developed.¶
This document has no IANA actions.¶
A large part of this document originated in discussion of SNI encryptionon the TLS WG mailing list, including comments after the tunnelingapproach was first proposed in a message to that list:<https://mailarchive.ietf.org/arch/msg/tls/tXvdcqnogZgqmdfCugrV8M90Ftw>.¶
Thanks toEric Rescorla for his multiple suggestions, reviews, and editsto the successive draft versions of this document.¶
Thanks toDaniel Kahn Gillmor for a pretty detailed review of the initial draft of this document. Thanks toBernard Aboba,Mike Bishop,Alissa Cooper,Roman Danyliw,Stephen Farrell,Warren Kumari,Mirja Kuelewind,Barry Leiba,Martin Rex,Adam Roach,Meral Shirazipour,Martin Thomson,Eric Vyncke, and employees of the UK National Cyber Security Centre for their reviews. Thanks toChris Wood,Ben Kaduk, andSean Turner for helping move this document toward publication.¶