From 55e52cbc6b297a3c0fbec03c06057d35f16b8521 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Schwartz" Date: Wed, 8 Mar 2023 12:26:06 -0500 Subject: [PATCH] Move to TLS WG and explain the mixed-ECH downgrade attack --- draft-sbn-dnsop-svcb-ech.md => draft-sbn-tls-svcb-ech.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) rename draft-sbn-dnsop-svcb-ech.md => draft-sbn-tls-svcb-ech.md (92%) diff --git a/draft-sbn-dnsop-svcb-ech.md b/draft-sbn-tls-svcb-ech.md similarity index 92% rename from draft-sbn-dnsop-svcb-ech.md rename to draft-sbn-tls-svcb-ech.md index 65f4496..b1cedb3 100644 --- a/draft-sbn-dnsop-svcb-ech.md +++ b/draft-sbn-tls-svcb-ech.md @@ -1,13 +1,13 @@ --- title: Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings abbrev: ECH in SVCB -docname: draft-sbn-dnsop-svcb-ech-latest +docname: draft-sbn-tls-svcb-ech-latest date: {DATE} category: std ipr: trust200902 -area: General -workgroup: DNSOP Working Group +area: Security +workgroup: TLS Working Group keyword: Internet-Draft stand_alone: yes 
@@ -80,8 +80,7 @@ If all HTTPS records for an alt-authority contain "ech" SvcParams, the client MU ## Security Considerations -A SVCB RRSet containing some RRs with "ech" and some without is vulnerable to a downgrade attack. This configuration is NOT RECOMMENDED. Zone owners who do use such a mixed configuration SHOULD mark the RRs with "ech" as more preferred (i.e. lower SvcPriority value) than those without, in order to maximize the likelihood that ECH will be used in the -absence of an active adversary. +A SVCB RRSet containing some RRs with "ech" and some without is vulnerable to a downgrade attack: a network intermediary can block connections to the endpoints that support ECH, causing the client to fall back to a non-ECH endpoint. This configuration is NOT RECOMMENDED. Zone owners who do use such a mixed configuration SHOULD mark the RRs with "ech" as more preferred (i.e. lower SvcPriority value) than those without, in order to maximize the likelihood that ECH will be used in the absence of an active adversary. Use of ECH yields an anonymity set of cardinality equal to the number of ECH-enabled server domains supported by a given client-facing server. Thus, even with an encrypted ClientHello, an attacker who can enumerate the set of ECH-enabled domains supported by a client-facing server can guess the correct SNI with probability at least 1/K, where K is the size of this ECH-enabled server anonymity set. This probability may be increased via traffic analysis or other mechanisms.
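Review bot: in the front-matter hunk, the docname changes from draft-sbn-dnsop-svcb-ech-latest to draft-sbn-tls-svcb-ech-latest and the file is renamed, but nothing in the visible lines records the former name. Consider noting the previous dnsop name somewhere a reader will find it, so that references to the old draft name can still be followed to this document. The new area and workgroup values are consistent with each other.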
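Review bot: in the Security Considerations hunk, the added clause gives the mechanism of the downgrade (an intermediary blocks the ECH endpoints and the client falls back) but not its consequence: on the non-ECH endpoint the client sends its ClientHello without ECH, so the server name is visible to that same intermediary. Suggest extending the sentence, for example "causing the client to fall back to a non-ECH endpoint and expose the server name". The SvcPriority advice that follows only helps "in the absence of an active adversary", so it would be clearer to say outright that ordering the RRs does not defend against the attacker just described.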