<?xmlversion="1.0" encoding="UTF-8"?>version='1.0' encoding='utf-8'?> <!DOCTYPE rfc SYSTEM'rfc2629.dtd' []>"rfc2629-xhtml.ent"> <rfc number="8744" consensus="true" xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" category="info"docName="draft-ietf-tls-sni-encryption-09"> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?> <?rfc private=""?> <?rfc topblock="yes"?> <?rfc comments="no"?>docName="draft-ietf-tls-sni-encryption-09" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.37.3 --> <front> <title abbrev="TLS-SNI Encryption Requirements">Issues and Requirements forSNIServer Name Identification (SNI) Encryption in TLS</title> <seriesInfo name="RFC" value="8744"/> <author initials="C." surname="Huitema" fullname="Christian Huitema"> <organization>Private Octopus Inc.</organization> <address> <postal><street></street><street/> <city>Friday Harbor</city><code>WA 98250</code> <country>U.S.A</country> <region></region><region>WA</region> <code>98250</code> <country>United States of America</country> </postal><phone></phone><phone/> <email>huitema@huitema.net</email><uri></uri> </address> </author> <author initials="E." surname="Rescorla" fullname="Eric Rescorla"> <organization>RTFM, Inc.</organization> <address> <postal> <street></street> <city></city> <code></code> <country>U.S.A</country> <region></region> </postal> <phone></phone> <email>ekr@rtfm.com</email> <uri></uri><uri/> </address> </author> <dateyear="2019" month="October" day="28"/>month="July" year="2020"/> <area>Network</area><workgroup></workgroup><workgroup/> <abstract> <t>Thisdraftdocument describes the general problem of encrypting the Server Name Identification (SNI) TLS parameter. The proposed solutions hide aHidden Servicehidden service behind a fronting service, only disclosing the SNI of the fronting service to external observers.The draftThis document lists known attacks against SNI encryption, discusses the current"co-tenancy fronting""HTTP co-tenancy" solution, and presents requirements for futureTLS layerTLS-layer solutions. </t> <t>In practice, it may well be that no solution can meet everyrequirement,requirement and that practical solutions will have to make some compromises. </t> </abstract> </front> <middle> <section anchor="introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>Historically, adversaries have been able to monitor the use of web services through three primary channels: looking at DNS requests, looking at IP addresses in packet headers, and looking at the data stream between user and services. These channels are getting progressively closed. A growing fraction of Internet communication is encrypted, mostly using Transport Layer Security (TLS) <xreftarget="RFC5246"/>.target="RFC8446" format="default"/>. Progressive deployment of solutions like DNSinover TLS <xreftarget="RFC7858"/>target="RFC7858" format="default"/> and DNS over HTTPS <xreftarget="RFC8484"/>target="RFC8484" format="default"/> mitigates the disclosure of DNS information. More and more services are colocated on multiplexed servers, loosening the relation between IP address and web service. For example, in virtual hosting solutions, multiple services can be hosted as co-tenants on the same server, and the IP address and port do not uniquely identify a service. In cloud or Content DeliveryNetworks (CDNs)Network (CDN) solutions, a given platform hosts the services or serversserversof a lot oforganization,organizations, and looking uptowhat netblock an IP address belongs to reveals little. However, multiplexed servers rely on theServiceServer Name Information (SNI) TLS extension <xreftarget="RFC6066"/>target="RFC6066" format="default"/> to direct connections to the appropriate service implementation. This protocol element is transmitted inclear text.cleartext. As the other methods of monitoring get blocked, monitoring focuses on theclear textcleartext SNI. The purpose of SNI encryption is to prevent that and aid privacy. </t> <t>Replacingclear textcleartext SNI transmission by an encrypted variant will improve the privacy and reliability of TLS connections, but the design of proper SNI encryption solutions is difficult. In the past, there have been multiple attempts at defining SNI encryption. These attempts have generally floundered, because the simple designs fail to mitigate several of the attacks listed in <xreftarget="snisecreq"/>.target="snisecreq" format="default"/>. In the absence of a TLS-level solution, the most popular approach to SNI privacy for web services is HTTP-level fronting, which we discuss in <xreftarget="httpfronting"/>.target="httpfronting" format="default"/>. </t> <t>This document does not present the design of asolution,solution but provides guidelines for evaluating proposed solutions. (The review of HTTP-level solutions in <xreftarget="httpfronting"/>target="httpfronting" format="default"/> is not an endorsement of these solutions.) The need for related work on the encryption of theApplication LayerApplication-Layer Protocol Negotiation (ALPN) parameters of TLS is discussed in <xreftarget="hiding-alpn"/>.target="hiding-alpn" format="default"/>. </t> </section> <section anchor="history-of-the-tls-sni-extension"title="Historynumbered="true" toc="default"> <name>History of the TLS SNIextension">Extension</name> <t>The SNI extension was specified in 2003 in <xreftarget="RFC3546"/>target="RFC3546" format="default"/> to facilitate management of"colocation servers","colocation servers", in which multiple services shared the same IP address. A typical example would be multipleweb siteswebsites served by the same web server. The SNI extension carries the name of a specific server, enabling the TLS connection to be established with the desired server context. The current SNI extension specification can be found in <xreftarget="RFC6066"/>.target="RFC6066" format="default"/>. </t> <t>The SNI specification allowed for different types of server names, though only the"hostname""hostname" variant was specified and deployed. In that variant, the SNI extension carries the domain name of the target server. The SNI extension is carried inclear textcleartext in the TLS"ClientHello""ClientHello" message. </t> <section anchor="snileak"title="Unanticipated usagenumbered="true" toc="default"> <name>Unanticipated Usage of SNIinformation">Information</name> <t>The SNI was defined to facilitate management of servers, but the developers of middleboxes found out that they could take advantage of the information. Many examples of such usage are reviewed in <xreftarget="RFC8404"/>.target="RFC8404" format="default"/>. Other examples came out during discussions of thisdraft.document. They include: </t><t> <list style="symbols"> <t>Filtering<ul spacing="normal"> <li>Filtering orcensorship ofcensoring specific services for a variety ofreasons.</t> <t>Contentreasons</li> <li>Content filtering by network operators orISPISPs blocking specificweb sites in order to implement,websites, for example, to implement parentalcontrols,controls or to prevent access to phishing or other fraudulentweb sites.</t> <t>ISPwebsites</li> <li>ISP assigning different QoS profiles to targetservices,</t> <t>Firewallsservices</li> <li>Firewalls within enterprise networks blockingweb siteswebsites not deemed appropriate forwork, or</t> <t>Firewallswork</li> <li>Firewalls within enterprise networks exempting specificweb siteswebsites fromMan-In-The-Middleman-in-the-middle (MITM) inspection, such as healthcare or financial sites for which inspection would intrude on the privacy ofemployees.</t> </list> </t>employees</li> </ul> <t>The SNI is probably also included in the general collection of metadata by pervasive surveillance actors <xreftarget="RFC7258"/>,target="RFC7258" format="default"/>, forexampleexample, to identify services used by surveillance targets. </t> </section> <section anchor="sniwhyencryptnow"title="SNI encryption timeliness">numbered="true" toc="default"> <name>SNI Encryption Timeliness</name> <t>Theclear-textcleartext transmission of the SNI was not flagged as a problem in thesecurity considerationSecurity Considerations sections of <xreftarget="RFC3546"/>,target="RFC3546" format="default"/>, <xreftarget="RFC4366"/>,target="RFC4366" format="default"/>, or <xreftarget="RFC6066"/>.target="RFC6066" format="default"/>. These specifications did not anticipate the alternative usage described in <xreftarget="snileak"/>.target="snileak" format="default"/>. One reason may be that, when these RFCs were written, the SNI information was available through a variety of other means, such as tracking IP addresses, DNS names, or server certificates. </t> <t>Many deployments still allocate different IP addresses to different services, so that different services can be identified by their IP addresses. However, CDNs commonly serve a large number of services through a comparatively small number of addresses. </t> <t>The SNI carries the domain name of the server, which is also sent as part of the DNS queries. Most of the SNI usage described in <xreftarget="snileak"/>target="snileak" format="default"/> could also be implemented by monitoring DNS traffic or controlling DNS usage. But this is changing with the advent of DNS resolvers providing services like DNS over TLS <xreftarget="RFC7858"/>target="RFC7858" format="default"/> or DNS over HTTPS <xreftarget="RFC8484"/>.target="RFC8484" format="default"/>. </t> <t>The subjectAltName extension of type dNSName of the servercertificate, orcertificate (or in itsabsenceabsence, the common namecomponent, exposecomponent) exposes the same name as the SNI. In TLS versions 1.0 <xreftarget="RFC2246"/>,target="RFC2246" format="default"/>, 1.1 <xreftarget="RFC4346"/>,target="RFC4346" format="default"/>, and 1.2 <xreftarget="RFC5246"/>,target="RFC5246" format="default"/>, servers send certificates inclear text,cleartext, ensuring that there would be limited benefits in hiding the SNI. However, in TLS 1.3 <xreftarget="RFC8446"/>,target="RFC8446" format="default"/>, server certificates are encrypted in transit. Note that encryption alone is insufficient to protect server certificates; see <xreftarget="replayattack"/>target="cutandpasteattack" format="default"/> for details. </t> <t>The decoupling of IP addresses and server names, deployment of DNS privacy, and protection of server certificate transmissions all contribute to user privacy in the face of an RFC 7258-style adversary <xreftarget="RFC7258"/>-style adversary.target="RFC7258" format="default"/>. Encrypting the SNI complements this push for privacy andmakemakes it harder to censor or otherwise provide differential treatment to specificinternetInternet services. </t> </section> <section anchor="end-to-end"title="End-to-end alternatives">numbered="true" toc="default"> <name>End-to-End Alternatives</name> <t>Deploying SNI encryption helps thwart most of the unanticipated SNIusagesusages, including censorship and pervasive surveillance, but it also will break or reduce the efficacy of the operational practices and techniques implemented inmiddle-boxesmiddleboxes, as described in <xreftarget="snileak"/>.target="snileak" format="default"/>. Most of these functions can, however, be realized by other means. For example, some DNS service providers offer customers the provision to"opt in""opt in" to filtering services for parental control and phishing protection. Per-stream QoS could be provided by a combination of packet marking and end-to-end agreements. As SNI encryption becomes common, we can expect more deployment of such"end-to-end""end-to-end" solutions. </t> <t>At the time of this writing, enterprises have the option of installing a firewall performing SNI filtering to prevent connections to certain websites. With SNIencryptionencryption, this becomes ineffective. Obviously, managers could block usage of SNI encryption in enterprise computers, but this wide-scale blocking would diminish the privacy protection of traffic leaving the enterprise, which may not be desirable. Enterprise managers could rely instead on filtering software and management software deployed on the enterprise's computers. </t> </section> </section> <section anchor="snisecreq"title="Securitynumbered="true" toc="default"> <name>Security and Privacy Requirements for SNIEncryption">Encryption</name> <t>Over the past years, there have been multiple proposals to add an SNI encryption option in TLS. A review of the TLS mailing list archives shows that many of these proposals appeared promising but were rejected after security reviews identified plausible attacks. In this section, we collect a list of these known attacks. </t> <sectionanchor="replayattack" title="Mitigate Replay Attacks">anchor="cutandpasteattack" numbered="true" toc="default"> <name>Mitigate Cut-and-Paste Attacks</name> <t>The simplest SNI encryption designs replace the cleartext SNI in the initial TLS exchangethe clear text SNIwith an encrypted value, using a key known to the multiplexed server. Regardless of the encryption used, these designs can be broken by a simplereplaycut-and-paste attack, which works as follows: </t><t>1- The<ol spacing="normal" type="1"> <li>The user starts a TLS connection to the multiplexed server, including an encrypted SNIvalue. </t> <t>2- Thevalue.</li> <li>The adversary observes the exchange and copies the encrypted SNIparameter. </t> <t>3- Theparameter.</li> <li>The adversary starts its own connection to the multiplexed server, including in its connection parameters the encrypted SNI copied from the observedexchange. </t> <t>4- Theexchange.</li> <li>The multiplexed server establishes the connection to the protected service, which sends its certificate, thus revealing the identity of theservice. </t>service.</li> </ol> <t>One of the goals of SNI encryption is to prevent adversaries from knowing whichHidden Servicehidden service the client is using. Successfulreplaycut-and-paste attacks break that goal by allowing adversaries to discover thatservice. </t>service.</t> </section> <section anchor="sharedsecrets"title="Avoidnumbered="true" toc="default"> <name>Avoid Widely SharedSecrets">Secrets</name> <t>It is easy to think of simple schemes in which the SNI is encrypted or hashed using a shared secret. This symmetric key must be known by the multiplexedserver,server and by every user of the protected services. Such schemes are thus very fragile, since the compromise of a single user would compromise the entire set of users and protected services. </t> </section> <section anchor="serveroverload"title="Prevent SNI-based Denial of Service Attacks">numbered="true" toc="default"> <name>Prevent SNI-Based Denial-of-Service Attacks</name> <t>Encrypting the SNI may create extra load for the multiplexed server. Adversaries may mountdenial of servicedenial-of-service (DoS) attacks by generating random encrypted SNI values and forcing the multiplexed server to spend resources in useless decryption attempts. </t> <t>It may be argued that this is not an importantDenial of Service Attacks (DoS) avenue,avenue for DoS attacks, as regular TLS connection attempts also require the server to perform a number of cryptographic operations. However, in many cases, the SNI decryption will have to be performed by a front-end component with limited resources, while the TLS operations are performed by the component dedicated to their respective services. SNI-based DoS attacks could target the front-end component. </t> </section> <section anchor="snireqdontstickout"title="Do not stick out">numbered="true" toc="default"> <name>Do Not Stick Out</name> <t>In some designs, handshakes using SNI encryption can be easily differentiated from"regular""regular" handshakes. For example, some designs require specific extensions in theClient Hello packets,ClientHello packets or specific values of theclear textcleartext SNI parameter. If adversaries can easily detect the use of SNI encryption, they could block it, or they could flag the users of SNI encryption for special treatment. </t> <t>In the future, it might be possible to assume that a large fraction of TLS handshakes use SNI encryption. If that were the case, the detection of SNI encryption would be a lesser concern. However, we have to assumethatthat, in the near future, only a small fraction of TLS connections will use SNI encryption. </t> <t>This requirement to not stick out may be difficult to meet in practice, as noted in <xref target="secusec" format="default"/>. </t> </section> <section anchor="forward-secrecy"title="Forward Secrecy"> <t>Thenumbered="true" toc="default"> <name>Maintain Forward Secrecy</name> <t>TLS 1.3 <xref target="RFC8446"/> is designed to provide forward secrecy, so that (for example) keys used in past sessions will not be compromised even if the private key of the server is compromised. The general concerns about forward secrecy apply to SNI encryptionjustaswell as to regular TLS sessions.well. For example, some proposed designs rely on a public key of the multiplexed server to define the SNI encryption key. If the corresponding private key should be compromised, the adversaries would be able to process archival records of pastconnections,connections and retrieve the protected SNI used in these connections. These designsfailedfail to maintain forward secrecy of SNI encryption. </t> </section> <section anchor="nocontextsharing"title="Multi-Partynumbered="true" toc="default"> <name>Enable Multi-party SecurityContexts">Contexts</name> <t>We can design solutions in which a fronting service acts as a relay to reach the protected service. Some of those solutions involve just one TLS handshake between the client and the fronting service. The master secret is verified by verifying a certificate provided by the frontingservice,service but not by the protected service. These solutions expose the client to aMan-In-The-MiddleMITM attack by the fronting service. Even if the client has some reasonable trust in this service, the possibility of a MITM attack is troubling. </t> <t>There are other classes of solutions in which the master secret is verified by verifying a certificate provided by the protected service. These solutions offer more protection against a MITM attack by the fronting service. The downside is that the client will not verify the identity of the fronting service, which enables fronting server spoofingattacksattacks, such as the"honeypot""honeypot" attack discussed below. Overall, end-to-end TLS to the protected service is preferable, but it is important to also provide a way to authenticate the fronting service. </t> <t>The fronting service could be pressured by adversaries. By design, it could be forced to deny access to the protectedservice,service or to divulge which client accessed it. But if a MITM attack is possible, the adversaries would also be able to pressure the fronting service into intercepting or spoofing the communications between client and protected service. </t> <t>Adversaries could also mount an attack by spoofing the fronting service. A spoofed fronting service could act as a"honeypot""honeypot" for users of hidden services. At a minimum, the fake server could record the IP addresses of these users. If the SNI encryption solution places too much trust on the fronting server, the fake server could also serve fake content of its own choosing, including various forms of malware. </t> <t>There are two main channels by which adversaries can conduct this attack. Adversaries can simply try to mislead users into believing that the honeypot is a valid fronting server, especially if that information is carried by word of mouth or in unprotected DNS records. Adversaries can also attempt to hijack the traffic to the regular fronting server, using, for example, spoofed DNS responses or spoofedIP levelIP-level routing, combined with a spoofed certificate. </t> </section> <section anchor="multi-protocol"title="Supporting multiple protocols">numbered="true" toc="default"> <name>Support Multiple Protocols</name> <t>The SNI encryption requirement does not stop with HTTP over TLS. Multiple other applications currently use TLS, including, for example, SMTP <xreftarget="RFC5246"/>,target="RFC3207" format="default"/>, DNS <xreftarget="RFC7858"/>,target="RFC7858" format="default"/>, IMAP <xreftarget="RFC8314"/>,target="RFC8314" format="default"/>, and the Extensible Messaging andXMPPPresence Protocol (XMPP) <xreftarget="RFC7590"/>.target="RFC7590" format="default"/>. These applications, too, will benefit from SNI encryption. HTTP-onlymethodsmethods, like those described in <xreftarget="httpfrontingtunnels"/>target="httpfrontingtunnels" format="default"/>, would not apply there. In fact, even for the HTTPS case, the HTTPS tunneling service described in <xreftarget="httpfrontingtunnels"/>target="httpfrontingtunnels" format="default"/> is compatible with HTTP 1.0 and HTTP1.1,1.1 but interacts awkwardly with the multiple streams feature of HTTP/2 <xreftarget="RFC7540"/>.target="RFC7540" format="default"/>. This points to the need for an application-agnostic solution, which would be implemented fully in the TLS layer. </t> <section anchor="hiding-alpn"title="Hidingnumbered="true" toc="default"> <name>Hiding theApplication LayerApplication-Layer ProtocolNegotiation">Negotiation</name> <t>TheApplication LayerApplication-Layer Protocol Negotiation (ALPN) parameters of TLS allow implementations to negotiate theapplication layerapplication-layer protocol used on a given connection. TLS provides the ALPN values inclear textcleartext during the initial handshake. While exposing the ALPN does not create the same privacy issues as exposing the SNI, there is still a risk. For example, some networks may attempt to block applications that they do notunderstand,understand or that they wish users would not use. </t> <t>In a sense, ALPN filtering could be very similar to the filtering of specific port numbers exposed in some networks. This filtering by ports has given rise to evasion tactics in which various protocols are tunneled over HTTP in order to use open ports 80 or 443. Filtering by ALPN would probably beget the same responses, in which the applications just move overHTTP,HTTP and only the HTTP ALPN values are used. Applications would not need to do that if the ALPN were hidden in the same way as the SNI. </t> <t>In addition to hiding the SNI, it is thus desirable to also hide the ALPN. Of course, this implies engineering trade-offs. Using the same technique for hiding the ALPN and encrypting the SNI may result in excess complexity. It might be preferable to encrypt these independently. </t> </section> <section anchor="support-other-transports-than-tcp"title="Support other transportsnumbered="true" toc="default"> <name>Supporting Other Transports thanTCP">TCP</name> <t>The TLS handshake is also used over othertransportstransports, such as UDP with both DTLS <xreftarget="I-D.ietf-tls-dtls13"/>target="I-D.ietf-tls-dtls13" format="default"/> and QUIC <xreftarget="I-D.ietf-quic-tls"/>.target="I-D.ietf-quic-tls" format="default"/>. The requirement to encrypt the SNI applies just as well for these transports as for TLS over TCP. </t> <t>This points to a requirement for SNIEncryptionencryption mechanisms to also be applicable to non-TCP transports such as DTLS or QUIC. </t> </section> </section> </section> <section anchor="httpfronting"title="HTTP Co-Tenancy Fronting">numbered="true" toc="default"> <name>HTTP Co-tenancy Fronting</name> <t>In the absence of TLS-level SNI encryption, many sites rely on an"HTTP Co-Tenancy""HTTP co-tenancy" solution, oftenreferedreferred to asDomain Fronting"domain fronting" <xreftarget="domfront"/>.target="DOMFRONT" format="default"/>. The TLS connection is established with the fronting server, and HTTP requests are then sent over that connection to the hidden service. For example, the TLS SNI could be set to"fronting.example.com", the"fronting.example.com" (the frontingserver,server), and HTTP requests sent over that connection could be directed to"hidden.example.com", accessing"hidden.example.com" (accessing the hiddenservice.service). This solution works well in practice when the fronting server and the hidden server are"co-tenants""co-tenants" of the same multiplexed server. </t> <t>The HTTP domain fronting solution can be deployed without modification to the TLSprotocol,protocol and does not require using any specific version of TLS. There are, however, a few issues regarding discovery, client implementations, trust, and applicability: </t><t> <list style="symbols"> <t>The<ul spacing="normal"> <li>The client has to discover that the hidden service can be accessed through the frontingserver.</t> <t>Theserver.</li> <li>The client's browser has to be directed to access the hidden service through the frontingservice.</t> <t>Sinceservice.</li> <li>Since the TLS connection is established with the fronting service, the client has no cryptographic proof that the content does, in fact, come from the hidden service.TheThus, the solution doesthusnot mitigate the context sharing issues described in <xreftarget="nocontextsharing"/>.</t> <t>Sincetarget="nocontextsharing" format="default"/>. Note that this is already the case for co-tenanted sites.</li> <li>Since this is an HTTP-level solution, it does not protect non-HTTPprotocolsprotocols, as discussed in <xreftarget="multi-protocol"/>.</t> </list> </t>target="multi-protocol" format="default"/>.</li> </ul> <t>The discovery issue is common to most SNI encryption solutions. The browser issue was solved in <xreftarget="domfront"/>target="DOMFRONT" format="default"/> by implementing domain fronting as a pluggable transport for the Tor browser. The multi-protocol issue can be mitigated byusing implementation ofimplementing other applications over HTTP,such asforexampleexample, DNS over HTTPS <xreftarget="RFC8484"/>.target="RFC8484" format="default"/>. The trust issue, however, requires specific developments. </t> <section anchor="httpfrontingtunnels"title="HTTPS Tunnels">numbered="true" toc="default"> <name>HTTPS Tunnels</name> <t>The HTTPFrontingdomain fronting solution places a lot of trust in theFronting Server.fronting server. This required trust can be reduced bytunnellingtunneling HTTPS in HTTPS, which effectively treats theFronting Serverfronting server as an HTTPProxy.proxy. In this solution, the client establishes a TLS connection to theFronting Server,fronting server and then issues an HTTPConnectconnect request to theHidden Server.hidden server. This will establish an end-to-endHTTPS over TLSHTTPS-over-TLS connection between the client and theHidden Server,hidden server, mitigating the issues described in <xreftarget="nocontextsharing"/>.target="nocontextsharing" format="default"/>. </t> <t>TheHTTPS in HTTPSHTTPS-in-HTTPS solution requires double encryption of every packet. It also requires that the fronting server decrypt and relay messages to the hidden server. Both of these requirements make the implementation onerous. </t> </section> <section anchor="delegationtokens"title="Delegation Control">numbered="true" toc="default"> <name>Delegation Control</name> <t>Clients would see their privacy compromised if they contacted the wrong fronting server to access the hidden service, since this wrong server could disclose their access to adversaries. This requires a controlled way to indicate which fronting server is acceptable by the hidden service. </t> <t>This problem isbothsimilarand different fromto the "word of mouth" variant of the"fronting"fronting serverspoofing"spoofing" attack described in <xreftarget="nocontextsharing"/>. Here, thetarget="nocontextsharing" format="default"/>. The spoofing would be performed by distributing fake advice, such as"to"to reach hidden.example.com, use fake.example.com as a frontingserver",server", when"fake.example.com""fake.example.com" is under the control of an adversary. </t> <t>In practice, this attack is well mitigated when the hidden service is accessed through a specialized application. The name of the fronting server can then be programmed in the code of the application. But the attack is harder to mitigate when the hidden service has to be accessed throughgeneral purposegeneral-purpose web browsers. </t> <t>There are several proposed solutions to this problem, such as creating a special form of certificate to codify the relation between the fronting and hiddenserver,server or obtaining the relation between the hidden and fronting service through the DNS, possibly usingDNSSECDNSSEC, to avoid spoofing. The experiment described in <xreftarget="domfront"/>target="DOMFRONT" format="default"/> solved the issue by integrating with the Lantern Internet circumventioncircumventiontool. </t> <t>We can observe that CDNs have a similar requirement. They need to convince the client that"www.example.com""www.example.com" can be accessed through the seemingly unrelated"cdn-node-xyz.example.net"."cdn-node-xyz.example.net". Most CDNs have deployed DNS-based solutions to this problem. However, the CDN often holds the authoritative certificate of the origin. Thereis simultaneouslyis, simultaneously, verification of a relationship between the origin and theCDN, throughCDN (through thecertificate,certificate) and a risk that the CDN can spoof the content from the origin. </t> </section> <section anchor="related-work"title="Related work">numbered="true" toc="default"> <name>Related Work</name> <t>The ORIGIN frame defined for HTTP/2 <xreftarget="RFC8336"/>target="RFC8336" format="default"/> can be used to flag content provided by the hidden server. Secondary certificate authentication <xreftarget="I-D.ietf-httpbis-http2-secondary-certs"/>target="I-D.ietf-httpbis-http2-secondary-certs" format="default"/> can be used to manage authentication of hidden servercontent,content or to perform client authentication before accessing hidden content. </t> </section> </section> <section anchor="secusec"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>This document lists a number of attacks against SNI encryption in Sections <xreftarget="snisecreq"/>target="snisecreq" format="counter"></xref> andalso in<xreftarget="delegationtokens"/>,target="delegationtokens" format="counter"></xref> and presents a list of requirements to mitigate these attacks. Current HTTP-based solutions described in <xreftarget="httpfronting"/>target="httpfronting" format="default"/> only meet some of these requirements. In practice, it may well be that no solution can meet everyrequirement,requirement and that practical solutions will have to make some compromises. </t> <t>In particular, the requirement to not stickoutout, presented in <xreftarget="snireqdontstickout"/>target="snireqdontstickout" format="default"/>, may have to be lifted, especially for proposed solutions that could quickly reachlarge scalelarge-scale deployments. </t> <t>Replacingclear textcleartext SNI transmission by an encrypted variant will break or reduce the efficacy of the operational practices and techniques implemented inmiddle-boxesmiddleboxes, as described in <xreftarget="snileak"/>.target="snileak" format="default"/>. As explained in <xreftarget="end-to-end"/>,target="end-to-end" format="default"/>, alternative solutions will have to be developed. </t> </section> <section anchor="iana-considerations"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>Thisdraft does not require anydocument has no IANAaction.actions. </t> </section> </middle> <back> <displayreference target="I-D.ietf-httpbis-http2-secondary-certs" to="HTTP2-SEC-CERTS"/> <displayreference target="I-D.ietf-quic-tls" to="QUIC"/> <displayreference target="I-D.ietf-tls-dtls13" to="DTLS-1.3"/> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-httpbis-http2-secondary-certs.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-quic-tls.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-dtls13.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2246.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3207.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3546.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4346.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4366.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6066.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7540.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7590.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8314.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8336.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8404.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"/> <reference anchor="DOMFRONT" target="https://www.bamsoftware.com/papers/fronting/"> <front> <title>Blocking-resistant communication through domain fronting</title> <seriesInfo name="DOI" value="10.1515/popets-2015-0009"/> <author initials="D." surname="Fifield" fullname="David Fifield"> <organization/> </author> <author initials="C." surname="Lan" fullname="Chang Lan"> <organization/> </author> <author initials="R." surname="Hynes" fullname="Rod Hynes"> <organization/> </author> <author initials="P." surname="Wegmann" fullname="Percy Wegmann"> <organization/> </author> <author initials="V." surname="Paxson" fullname="Vern Paxson"> <organization/> </author> <date year="2015"/> </front> </reference> </references> <section anchor="acknowledgements"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>A large part of thisdraft originatesdocument originated in discussion of SNI encryption on the TLS WG mailing list, including comments after the tunneling approach was first proposed in a message to that list: <ereftarget="https://mailarchive.ietf.org/arch/msg/tls/tXvdcqnogZgqmdfCugrV8M90Ftw"/>.target="https://mailarchive.ietf.org/arch/msg/tls/tXvdcqnogZgqmdfCugrV8M90Ftw" brackets="angle"/>. </t> <t>Thanks toDanielEric Rescorla for his multiple suggestions, reviews, and edits to the successive draft versions of this document. </t> <t>Thanks to <contact fullname="Daniel KahnGillmorGillmor"/> for a pretty detailed review of the initialdraft.draft of this document. Thanks toBernard Aboba, Mike Bishop, Alissa Cooper, Roman Danyliw, Stephen Farrell, Warren Kumari, Mirja Kuelewind Barry Leiba, Martin Rex, Adam Roach, Meral Shirazipour, Martin Thomson, Eric Vyncke,<contact fullname="Bernard Aboba"/>, <contact fullname="Mike Bishop"/>, <contact fullname="Alissa Cooper"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Stephen Farrell"/>, <contact fullname="Warren Kumari"/>, <contact fullname="Mirja Kuelewind"/>, <contact fullname="Barry Leiba"/>, <contact fullname="Martin Rex"/>, <contact fullname="Adam Roach"/>, <contact fullname="Meral Shirazipour"/>, <contact fullname="Martin Thomson"/>, <contact fullname="Eric Vyncke"/>, and employees of the UK National Cyber Security Centre for their reviews. Thanks toChris Wood, Ben Kaduk and Sean Turner<contact fullname="Chris Wood"/>, <contact fullname="Ben Kaduk"/>, and <contact fullname="Sean Turner"/> for helpingpublishmove thisdocument.document toward publication. </t> </section></middle> <back> <references title="Informative References"> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-httpbis-http2-secondary-certs.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-quic-tls.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-dtls13.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2246.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3546.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4346.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4366.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6066.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7540.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7590.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7858.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8314.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8336.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8404.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml"?> <reference anchor='domfront' target='https://www.bamsoftware.com/papers/fronting/'> <front> <title>Blocking-resistant communication through domain fronting</title> <author initials='D.' surname='Fifield' fullname='David Fifield'> <organization/> </author> <author initials='C.' surname='Lan' fullname='Chang Lan'> <organization/> </author> <author initials='R.' surname='Hynes' fullname='Rod Hynes'> <organization/> </author> <author initials='P.' surname='Wegmann' fullname='Percy Wegmann'> <organization/> </author> <author initials='V.' surname='Paxson' fullname='Vern Paxson'> <organization/> </author> <date year='2015'/> </front> <seriesInfo name="DOI" value="10.1515/popets-2015-0009"/> </reference> </references></back> </rfc>