Skip to content

Commit 498120a

Browse files
authored
Merge pull request #11 from certtools/main
publish it
2 parents e14794b + 3eb8260 commit 498120a

8 files changed

Lines changed: 63 additions & 48 deletions

File tree

.github/workflows/mkdocs.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# SPDX-FileCopyrightText: 2025 Sebastian Wagner
1+
# SPDX-FileCopyrightText: 2025 Sebastian Wagner, Aaron Kaplan
22
# SPDX-License-Identifier: AGPL-3.0-or-later
33

44
name: "Build and publish documentation"

ai-gen-report/README.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,13 @@
11
# AI generated "reports"
22

33
For these texts, we used different models to operate on the usualy RFC drafts and "analyse" the reports.
4+
45
*NOTE WELL* these AI generated reports are merely an *inspiration* for us so that we think about additional possibilities and get creative.
56
We do not automatically trust these reports.
7+
Nor did we use the texts.
8+
9+
It's rather a cross check if we covered the main ideas.
10+
611

712

813

mkdocs.yml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,6 @@ nav:
1515
- Complexity: weaknesses/complexity.md
1616
- DNS: weaknesses/dns.md
1717
- WKECH: weaknesses/wkech.md
18-
- Others: weaknesses/others.md
1918
- Clients considerations:
2019
- Browsers: clients/browsers.md
2120
- IoT and Libraries: clients/iot_and_libs.md

report/index.md

Lines changed: 32 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
---
2-
title: Remaining weaknesses in ECH (Encrypted Client Hello)
2+
title: Remaining potential weaknesses in ECH (Encrypted Client Hello)
33
author:
44
- L. Aaron Kaplan
55
- Sebastian Wagner
6-
date: 2025-06-26
6+
date: 2025-06-30
77
keywords:
88
- ECH
99
- Encrypted Client Hello
@@ -27,37 +27,50 @@ In the DEfO project, task 9.1 deals with:
2727
>
2828
> This task will accumulate practical documentation (for deployers) and analyses covering these issues. It is clear ECH reduces metadata leakage, but it is not yet clear how censors might react. This task will audit and review the metadata in a properly functioning ECH interaction and explore remaining avenues for de-anonymisation, filtering, blocking and censorship. This touches relevant protocols required in an ECH setup, such as: DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), OCSP (Online Certificate Status Protocol), certificate revocation list (CRLs), etc. We will also focus on “medium scale” web sites such as found on a University campus, smaller hosters or NREN member organisation – CDNs already see the benefits of ECH and have a clear path to deployment, but it is important to enable smaller, but still significant, scale organizations to enjoy the benefits of ECH. The task will result in one report.
2929
30-
# Overall conclusions and summary of the report
30+
# Methodology
3131

32-
XXX Feedback - the main "success" criteria for ECH might be worth stating, to get deployed and to be an incremental improvement (i.e. it's not a goal that all traffic to a site be ECH protected the day after deployment) - ECH is a thing that'll grow over time (or fail over time)
33-
XXX Feedback - there are no simple solutions available for this problem, so ECH being a complex solution is inherent - RFC8744 provides lots of background for that
34-
XXX Feedback - if you've time to write text: no harm to add a para or 3 about the process you followed
35-
XXX Feedback - I'd recommend setting the scene in the very first paragraph, e.g. saying that this report is deliberately taking an "outside" or "skeptical" view as that's a good process for finding issues.
32+
The authors read the RFCs and -Drafts and brainstormed after each how we might break or downgrade the security/privacy promises. In addition, we gave a presentation on the topic in front of approx. 30 IT security professionals in order to elicit feedback and further ideas on how to attack the protocols.
33+
The result is this report.
3634

37-
While ECH provides privacy improvements over cleartext SNI, the protocol also introduces complexity and new attack vectors primarily centered around DNS manipulation and complex deployment scenarios. The greatest risks arise from the protocol's dependency on DNS infrastructure and as well on the potential for downgrade attacks. Successful ECH deployments require close attention to
35+
# How to read this report
36+
37+
This report intentionally takes a skeptical perspective. Not in order to criticize ECH or the approach but rather to challenge the protocol authors, implementers and deployments to think about certain aspects we mention in the report.
38+
This "skeptical"/outside view helps to ask hard questions and identify potential issues which might have been overlooked.
39+
40+
By releasing this report we aim to improve future versions.
41+
42+
It is clear that - given such widely used code and protocol stacks as with HTTP/HTTPS, changing things is very hard. ECH tries to achieve the maximum possible, given lots of constraints by the protocol landscape, implementors, etc. Hence, ECH has to live with all the legacy issues. It's probably not possible to find a quick, elegant and 100% compatible solution for the problem which ECH is trying to address.
43+
ECH being a complex solution is inherent - RFC8744 provides lots of background for these matters.
44+
45+
Finally, we acknowledge that ECH is an incremental update step and we assume there will be an incremental roll-out of ECH globally. This has multiple implications:
46+
1) every deployment will protect clients a bit more ("herd-immunity" principle)
47+
2) weaknesses in ECH highlighted in the report do not necessarily affect all deployments (there will be variations)
48+
3) ECH will grow over time and add privacy over time. It's not a binary turning privacy on or off situation.
49+
50+
ECH will be measured by its provisioning of privacy after all.
3851

39-
XXX Feedback - mandatory DNSSEC won't fly, ever
52+
With these things being said, the report will skeptically look at ECH.
53+
54+
55+
# Overall conclusions and summary of the report
56+
57+
While ECH provides privacy improvements over cleartext SNI, the protocol also introduces complexity and new attack vectors primarily centered around DNS manipulation and complex deployment scenarios. The greatest risks arise from the protocol's dependency on DNS infrastructure and as well on the potential for downgrade attacks. Successful ECH deployments require close attention to
4058

4159
- operational security,
4260
- comprehensive monitoring,
43-
- and potentially mandatory DNSSEC adoption.
61+
- and a secure DNS (signed zones, detectability of tampering with DNS answers, etc.)
4462

4563
From the clients' perspective, the main question is:
4664

47-
XXX Feedback - resursive selection is a thing, but not so much an ECH thing maybe?
48-
XXX Feedback - client downgreade is a fair point, maybe worth distinguishing client TLS library (somewhat under our control in DEfO) or client app
49-
5065
- which DoH/DoT recursive servers can one use? Are they even reachable from within the country of the client? Or are they blocked, re-directed or manipulated? Untrusted DoH/DoT recursive servers pose a security as well as a privacy problem.
51-
- Can the client detect downgrade attacks and how does it deal with them? The RFC standard is a big vague here (SHOULD vs. MUST) ("...the client SHOULD abandon its attempt to reach the service"[^2])
66+
Depending on the trust the client may place into the recursive DNS server, it might get correct or incorrect answers and hence be able to reach ECH enabled servers or a mere look-alike middle-man server. It's debatable if this is an issue that ECH can address. Probably not. However, we believe it's worth noting.
67+
- Can the client detect downgrade attacks and how does it deal with them? The RFC standard is a big vague here (SHOULD vs. MUST) ("...the client SHOULD abandon its attempt to reach the service"[^2]). We recommend looking at this issue when implementing ECH in TLS libraries.
5268

5369
In addition, the authors of this report see two major concerns with ECH deployments for the internet as a whole:
5470

55-
XXX Feedback - inherits all DNS issues seems overstated - e.g. zone transfer
56-
XXX Feedback - centralisation is fair, not sure risk increases is right though
57-
58-
1. ECH depends on multiple protocols and specifications to work together seamlessly. The protocol's fundamental reliance on DNS creates a large attack surface that inherits all DNS security issues.
71+
1. ECH depends on multiple protocols and specifications to work together seamlessly. The protocol's fundamental reliance on DNS creates a large attack surface that inherits many of DNS's security issues.
5972
In addition to DNS, quite a few other protocols are involved. This creates an even bigger attack surface. The interfaces between protocols are usually interesting targets for attackers. We recommend that the authors of the RFC drafts closely take a look at these edge-case vulnerabilities. The report highlights some of those such as the WKECH interface between DNS zones and CFS/backend servers.
60-
2. ECH leads to more centralization of the internet: the CDNs will profit. More centralization actually leads to more data being in the hands of only one or just a handful of organisations. Therefore, the risk of de-anonymization by combining and correlating different data sets (ECH configs, DNS recursor query logs (such as passive DNS[^3], DNS query traces), Certificate transparency logs (CTLs)[^4]) actually *increases*: any organisation combining these data sets could most probably completely de-anonymize the traffic.
73+
2. ECH leads to more centralization of the internet: the CDNs will profit. More centralization actually leads to more data being in the hands of only one or just a handful of organisations. Therefore, the risk of de-anonymization by combining and correlating different data sets (ECH configs, DNS recursor query logs (such as passive DNS[^3], DNS query traces), Certificate transparency logs (CTLs)[^4]) actually *increases*: any organisation combining these data sets could most probably completely de-anonymize the traffic. The more of these datasets are in the hand of fewer organisations, the higher the risk these datasets can be combined.
6174
3. The complexity of the protocol and the setup costs (in terms of manpower) favor the large players. Smaller players might make mistakes in their setups.
6275
4. Small and medium size organisations often don't host that many services on one IP address anyway. See "The web is still small after more than a decade[^5]", Nguyen Phong Hoang, et. al. Therefore the anonymity data set is usually small. Guessing and inferring which hostname a client connected to is trivial in the case that one IP address only hosts one service with one hostname.
6376
5. Smaller and medium sized organisations won't necessarily profit from protecting the clients' privacy. Exceptions are listed in [incentives](deployment/incentives.md). So why should they bother deploying ECH (and risking downtime)? We have a game-theoretic problem here. Which in turn will only lead to more centralization (see 3.) which will lead to 2.

report/index.md.dist

Lines changed: 0 additions & 17 deletions
This file was deleted.

report/weaknesses/complexity.md

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,15 @@
11
# Overall concerns with complexity
22

3-
This concern is that high complexity is needed for solving the task which ECH tries to address *in the given protocol landscape* (i.e. to keep compatibility with the existing protocol stack).
4-
However, this leads to:
3+
The authors of this report want to emphasize that for solving the particular
4+
problem which ECH tries to solve, we don't currently see an easier solution.
5+
Hence, the ECH protocol achieves its goal. However, this comes at the cost of
6+
added complexity. This complexity might come to haunt us later on.
7+
8+
Higher complexity leads to:
59

6-
* complexity in configuring it properly -> things go wrong easily
7-
* weaknesses between protocol layers: the interface between protocols is often the weak spot
8-
* design omissions: there might be more hidden oversights in the design of the complex interplay between the protocols
10+
* issues and mistakes in configuring it properly -> things go wrong easily
11+
* weaknesses between protocol layers: with many protocols interacting with each other, the interface between protocols is often the weak spot
12+
* potential design omissions: there might be more hidden oversights in the design of the complex interplay between the protocols
913

10-
The authors of the report acknowledge that solving the issue is not an easy task and no easier methods are known.
14+
The authors of this report acknowledge that solving the issue is not an easy task and no easier methods are known.
15+
ECH as a protocol does its job at solving a particular issue. But at the cost of complexity.

report/weaknesses/dns.md

Lines changed: 14 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,16 @@
1-
# Downgrading
1+
# Downgrade attacks
22

3-
XXX Feedback - 7.2: arguable - incremental improvement shouldn't be ignored
3+
If a network operator does not want to allow the typical DoH servers, he/she essentially only has the option to block those. However, since clients will still try to use DNS over classical means then, the attacker has the possibility to promote his/her tampered recursive DNS server.
4+
Essentially this results in a downgrade attack on ECH as well, since DNS is a precondition to establishing a session with an ECH server.
5+
6+
Of course, when the setup is working, the incremental security upgrade that ECH gives (according to what it was intended to do), is not to be dismissed.
7+
8+
# Mandated use of DoH
9+
10+
On the other hand, if we require DoH/DoT, we essentially play into the hands of those who centralize recursive DNS servers. See the arguments on centralization in the introduction.
11+
12+
# DNSSEC is de-facto mandatory
13+
14+
While DNS is complex, adding DNSSEC makes it even more complex.
15+
However, to protect against wrong DNS answers by byzantine recursors, DNSSEC will be de-facto mandatory for a secure ECH protocol.
416

5-
The default fallback to cleartext SNI undermines security goals when ECH is unavailable.
6-
(XXX reference... proof! XXX)

report/weaknesses/others.md

Whitespace-only changes.

0 commit comments

Comments
 (0)