Closed pkelsey closed 9 months ago
I don't think (2-4) need to be quite so complicated. If you're assuming that the client-facing server <-> split mode channel is both unencrypted and visible to the attacker, they can just use the fact that every unmodified bit of ciphertext will identify the connection.
I think, for purposes of split mode, we have to assume that the attacker cannot observe traffic between the client-facing and backend server, either due to visibility (in the shared mode cases, this "traffic" doesn't even go over the network) or due to them having their own encrypted channel. Although the latter is still a little fuzzy due to timing, depending on how much traffic goes into the client-facing server.
On 06/08/2021 19:55, David Benjamin wrote:
I don't think (2-4) need to be quite so complicated. If you're assuming that the client-facing server <-> split mode channel is both unencrypted and visible to the attacker, they can just use the fact that every unmodified bit of ciphertext will identify the connection.
I think, for purposes of split mode, we have to assume that the attacker cannot observe traffic between the client-facing and backend server, either due to visibility (in the shared mode cases, this "traffic" doesn't even go over the network) or due to them having their own encrypted channel. Although the latter is still a little fuzzy due to timing, depending on how much traffic goes into the client-facing server.
I agree. I forget if we already note the basic vulnerability or not (we should I guess) but HOWTO secure client-facing to backend traffic is properly work for another day I think. It does need a pile of work but better that we get started on client to client-facing server experiments first.
S.
I don't think (2-4) need to be quite so complicated. If you're assuming that the client-facing server <-> split mode channel is both unencrypted and visible to the attacker, they can just use the fact that every unmodified bit of ciphertext will identify the connection.
I think, for purposes of split mode, we have to assume that the attacker cannot observe traffic between the client-facing and backend server, either due to visibility (in the shared mode cases, this "traffic" doesn't even go over the network) or due to them having their own encrypted channel. Although the latter is still a little fuzzy due to timing, depending on how much traffic goes into the client-facing server.
The assumption currently is that the backend channel in split mode is both unencrypted and visible to the attacker, as that's how the document currently reads, and it was expressed to me in #509 that the security model includes the attacker being located there. (2-4) are the product of going down a rabbit hole of obtaining purely deterministic results. I agree that correlation via sampling not-overly-many bytes of ciphertext at the same semantic position in the exchanges seen on both sides would probably be considered by most interested parties to be deterministic-enough.
I do think it would be helpful to update the document to note that it currently assumes the attacker has no visibility to the client-facing server <-> backend server traffic in split mode.
Regarding your comment above about dependence of security properties in split mode on traffic load at the client-facing server, for the benefit of those evaluating whether they can rely on ECH in their circumstances, I think the document should be clear as to whether there are scenarios where the assurance of privacy depends on being part of a big enough school of fish.
The assumption currently is that the backend channel in split mode is both unencrypted and visible to the attacker, as that's how the document currently reads, and it was expressed to me in #509 that the security model includes the attacker being located there.
Sorry, to clarify, the assumption is that the attacker is present on that link, but cannot read data on that link, perhaps because it's encrypted. How that boundary is maintained is a deployment consideration specific to split mode. (As @davidben points out, split doesn't really work at all if the attacker has plaintext access to this link.)
I do think it would be helpful to update the document to note that it currently assumes the attacker has no visibility to the client-facing server <-> backend server traffic in split mode.
This would be fine, but it is different from saying the attacker is not present there. Any deployment of split mode can't just assume the attacker isn't there. Rather, it should assume the attacker is there, and make sure the client-facing<>backend communication is protected accordingly. (I hope that clarifies my mental model.)
Sorry, to clarify, the assumption is that the attacker is present on that link, but cannot read data on that link, perhaps because it's encrypted. How that boundary is maintained is a deployment consideration specific to split mode. (As @davidben points out, split doesn't really work at all if the attacker has plaintext access to this link.)
I do think it would be helpful to update the document to note that it currently assumes the attacker has no visibility to the client-facing server <-> backend server traffic in split mode.
This would be fine, but it is different from saying the attacker is not present there. Any deployment of split mode can't just assume the attacker isn't there. Rather, it should assume the attacker is there, and make sure the client-facing<>backend communication is protected accordingly. (I hope that clarifies my mental model.)
Appreciate the clarification on the thinking here. I agree there is an important difference between not-present and no-visibility, and I'm not advocating for an assumption that the attacker is not on the backend link - #509 was language to highlight the state of the model as currently written.
Appreciate the clarification on the thinking here. I agree there is an important difference between not-present and no-visibility, and I'm not advocating for an assumption that the attacker is not on the backend link - #509 was language to highlight the state of the model as currently written.
Understood! We could reopen #509 and rephrase it slightly to highlight this difference, and then perhaps say that it can be realized either (1) with encryption, assuming the attacker is everywhere, or (2) by changing network topology such that the attacker is really only present on the client<>client-facing path, as noted by @ekr.
@pkelsey, what do you think? Would you be willing to refactor that PR to match?
@chris-wood I'd be happy to reopen #509 with new tweaks to the language, but I don't think it's yet clear what those tweaks should be. If we pursue (1), it seems something more would need to be said than simply that the link between the client facing server and the backend server achieves "no-visibilty" via encryption, at the very least to head off interpretation of "via encryption" to mean direct forwarding of the ciphertexts. Is (2) really on the table? I'm not sure what the context of the reference to "as noted by @ekr" as I'm not aware of where that note was made, so I'd need some help filling in the blank if there was more to it.
Aside from figuring out the above, I think at this point there is one clear residue of this discussion, which is that client facing servers operating in split mode should be required to drop all RFC 8446 middlebox compatibility change_cipher_spec messages received from the client in order to deprive active attackers of this easy-access connection labeling tool. Such messages should have no reason to exist on the link between a client facing server and a backend server. I haven't yet attempted a full survey of extant implementations, but it does appear OpenSSL, in a TLS 1.3 handshake, will ignore up to 32 of them appearing consecutively between handshake records, which looks like quite a bit of leeway for exploitation.
Can you please elaborate on this CCS-based attack? Are you envisioning that the communication channel between frontend and backend would somehow be protected but still reveal the record type?
I don't think the record type necessarily has to be revealed on the backend link for this to be a concern, as this is a tool for an active attacker to adjust the size of data forwarded between frontend and backend in a connection-specific way that otherwise has no effect on the evolution of the targeted connection(s).
(Originating at #509)
There appears to be nothing in the document concerning an attacker with a presence on both side of the client-facing server in split mode defeating ECH privacy by correlating connections across the client-facing server.
Consider an attacker present on both sides of a client-facing server whose goal is to uncover which backend server(s) specific ECH-using clients are accessing. By virtue of its position in the network, this attacker:
Attacks: