> When the client sends a hello, the firewall says “that looks like a TLS hello”, and then waits for the server’s response. It inspects the certificate and then applies any rules.
This kind of stuff is exactly why TLS 1.3 encrypts everything now.
In TLS 1.3, the server’s certificate is encrypted, which means the firewall can’t do this anymore. ... The firewall will open a second connection and do a TLS 1.2 handshake to retrieve the certificate in plaintext. If the rules allow the connection, the firewall then allow the connection to proceed.
Sounds like a cat & mouse game. How long before we get servers that respond with different certificates based on who"s asking or other cues from the connection, in efforts to bypass the firewall restrictions.
Sure, this already happens today as in practice pre-standard ECH is deployed, so client says "Hi I'm calling some.boring.example [encrypted: Actually clown-porn.example]" and this useless middlebox cannot decrypt the inner message so it retrieves the some.boring.example certificate but the client's encrypted connection reaches clown-porn.example which may have a different certificate.
For many years, long before TLS 1.3 the RFC explains how to do this properly, obviating the problem, but that's very expensive because you need to TLS proxy every single connection, you can impose oversight by - literally - adding an actual oversight layer, which your users can also see you did. The popular middlebox products say they're doing two things, they're cheaper (maybe you buy their $100k product instead of a $100M solution) and they're less "intrusive" (ie you needn't tell your users that you're spying on them)
In reality they're ineffective, which is why the RFC says not to do this - but they can either outright lie or hide this fact in an asterisked disclaimer somewhere, and most of their customers don't care whether it actually works, they want to tick a box.
In the infosec space, I am seeing rumblings of moving to compliant devices where the network tap is at the OS level and/or application level using software agents, AV hooks, or fake virtual network devices.
Technically TLS 1.3 doesn't encrypt the Client Hello, and indeed the first stanza of the Server Hello isn't encrypted either, although it deliberately doesn't say anything you could use as a third party to make decisions and the rest of a TLS 1.3 Server Hello is encrypted.
The in-progress Encrypted Client Hello (was Encrypted Server Name Indication hence esni in the name of the document) fixes that and you probably have software which uses it though the work to tie up all the loose ends up and publish a document might take some time yet.
Because the middlebox vendors are _so_ incompetent not only does TLS 1.3 need to work around their nonsense, thus proving that it was never useful security (an attacker could always have just done what TLS 1.3 does and it would have bypassed this worthless garbage) some of them screwed up badly enough that the anti-downgrade feature trips, to their credit Google refused to ship a permanent workaround for this, the workaround they shipped in Chrome sunset in about a year & required an explicit key setting, so basically "I acknowledge that I have defective middleboxes and must remove or upgrade them soon" by the local administrators.
But yes, it's noticeable that it was much easier to sell some engineers on "Thanks to TLS 1.3 now this stupid middlebox product won't be able to make your service slower" than say, "Thanks to TLS 1.3 now this stupid middlebox product won't report to the government if you read a Wikipedia article which contradicts its dogma".
Encrypted SNI was never about hiding which specific articles in Wikipedia you are looking at. It was about hiding the fact you are looking at Wikipedia at all.
There are valid use cases for TLS middleboxes. Anyone having to secure a networks outbound access to only essential services has run into the “I have to allow all of AWS/GCP/Azure/CloudFlare/…” for some critical tool to work.
Options are:
- Allow all out (nope, not secure)
- Allow all to the cloud providers IP range (still terrible)
- Filter on SNI but don’t inspect the payload (better than no security, and doesn’t require plaintext access).
- Full MITM TLS proxy (performance bottleneck, and now we have plaintext access to all your data, which we really don’t want and didn’t previously require to do the filtering).
- Try convince the third party service to run on a handful of static IPs that aren’t behind a global load balancer with access to the rest of the cloud providers customer domains. (Yeah right)
Unfortunately, Encrypted Client Hello isn't automatic and requires cumbersome DNS configuration, so it's likely not going to gain widespread adoption.
Here's hoping that the next TLS version will automatically encrypt everything. Firewall vendors will not like it, but it's the only way to truly hide everything from middleboxes.
Encrypted client hello can be stripped easily by modern firewalls[0]. I know because my employers network enables this functionality and it forces a downgrade so that it can see what you're trying to access.
"easily" in the sense that in the proxy mode, where the Fortigate gets to make any arbitrary change it wants, it can indeed make this change too.
I guess "Use the American spelling for words" would be a slightly more invasive change than "strip ECH" in this context, but it's not that different. This is a full proxy, your client has (likely because it was configured by corporate IT) agreed that all your communication will run through a proxy, probably somebody will swear they're definitely not logging everything you do† but obviously it could do absolutely anything.
† Actually if you work in trading they might tell you it does log everything, the regulators for these industries want records of everything because they don't trust traders as far as they can throw them, and having met a few traders I know why - they tend to make Boris Johnson look like Forest Gump.
What it does isn't good enough, since it basically leaves itself open to downgrade attacks on purpose. I wish the world would decide on a flag day after which if both endpoints support TLS ECH, the connection will hard-fail instead of retrying without it if a middlebox breaks it.
True, it can help Microsoft SQL Server as well. In SQL Server 2022, they finally added Strict Encryption.
I'm glad to see more databases are removing these strange STARTTLS like features.
And mostly if you are behind CISCO firewall during TLS Server Identity Discovery or some equivalent setup. 3 seconds mentioned in the article were coming mostly from that. From the text itself it's not clear how much gains come from sslnegotiation=direct itself (if we assume no other factors like those present in this case).
There will be (is? under standards development?) a DTLS replacement built on QUIC but today these are orthogonal technologies. QUIC makes you a TCP-but-encrypted while DTLS is more TLS-but-for-UDP
In a world with no legacy technology rusted in place, QUIC would be a new IP protocol, like TCP and UDP, but there's stuff rusted in place which can barely manage UDP and would not understand how there can possibly be a new protocol even though the entire network was designed to allow that, so that's why QUIC is spelled as UDP data.
Readit News
This kind of stuff is exactly why TLS 1.3 encrypts everything now.
QUIC is built on top of TLS 1.3 where client hello encryption is not mandatory, so this is not strictly true.
Sounds like a cat & mouse game. How long before we get servers that respond with different certificates based on who"s asking or other cues from the connection, in efforts to bypass the firewall restrictions.
For many years, long before TLS 1.3 the RFC explains how to do this properly, obviating the problem, but that's very expensive because you need to TLS proxy every single connection, you can impose oversight by - literally - adding an actual oversight layer, which your users can also see you did. The popular middlebox products say they're doing two things, they're cheaper (maybe you buy their $100k product instead of a $100M solution) and they're less "intrusive" (ie you needn't tell your users that you're spying on them)
In reality they're ineffective, which is why the RFC says not to do this - but they can either outright lie or hide this fact in an asterisked disclaimer somewhere, and most of their customers don't care whether it actually works, they want to tick a box.
The in-progress Encrypted Client Hello (was Encrypted Server Name Indication hence esni in the name of the document) fixes that and you probably have software which uses it though the work to tie up all the loose ends up and publish a document might take some time yet.
Because the middlebox vendors are _so_ incompetent not only does TLS 1.3 need to work around their nonsense, thus proving that it was never useful security (an attacker could always have just done what TLS 1.3 does and it would have bypassed this worthless garbage) some of them screwed up badly enough that the anti-downgrade feature trips, to their credit Google refused to ship a permanent workaround for this, the workaround they shipped in Chrome sunset in about a year & required an explicit key setting, so basically "I acknowledge that I have defective middleboxes and must remove or upgrade them soon" by the local administrators.
But yes, it's noticeable that it was much easier to sell some engineers on "Thanks to TLS 1.3 now this stupid middlebox product won't be able to make your service slower" than say, "Thanks to TLS 1.3 now this stupid middlebox product won't report to the government if you read a Wikipedia article which contradicts its dogma".
There are valid use cases for TLS middleboxes. Anyone having to secure a networks outbound access to only essential services has run into the “I have to allow all of AWS/GCP/Azure/CloudFlare/…” for some critical tool to work.
Options are:
- Allow all out (nope, not secure)
- Allow all to the cloud providers IP range (still terrible)
- Filter on SNI but don’t inspect the payload (better than no security, and doesn’t require plaintext access).
- Full MITM TLS proxy (performance bottleneck, and now we have plaintext access to all your data, which we really don’t want and didn’t previously require to do the filtering).
- Try convince the third party service to run on a handful of static IPs that aren’t behind a global load balancer with access to the rest of the cloud providers customer domains. (Yeah right)
See: Hospitals. Payment Networks. IoT networks.
Here's hoping that the next TLS version will automatically encrypt everything. Firewall vendors will not like it, but it's the only way to truly hide everything from middleboxes.
[0] https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ho...
I guess "Use the American spelling for words" would be a slightly more invasive change than "strip ECH" in this context, but it's not that different. This is a full proxy, your client has (likely because it was configured by corporate IT) agreed that all your communication will run through a proxy, probably somebody will swear they're definitely not logging everything you do† but obviously it could do absolutely anything.
† Actually if you work in trading they might tell you it does log everything, the regulators for these industries want records of everything because they don't trust traders as far as they can throw them, and having met a few traders I know why - they tend to make Boris Johnson look like Forest Gump.
Deleted Comment
Deleted Comment
In a world with no legacy technology rusted in place, QUIC would be a new IP protocol, like TCP and UDP, but there's stuff rusted in place which can barely manage UDP and would not understand how there can possibly be a new protocol even though the entire network was designed to allow that, so that's why QUIC is spelled as UDP data.
With IPv6, on most networks, you can use as many addresses as you like, but it's inefficient because each one has to be individually resolved.