On Thu, Dec 13, 2018 at 7:28 AM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > On Dec 13, 2018, at 8:10 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie> > wrote: > > > > Was just adding code for this and I noticed that the draft says > > a server: "SHOULD pad the Certificate message, via padding at > > the record layer, such that its length equals the size of the > > largest possible Certificate (message) covered by the same ESNI > > key." > > "Largest possible" is not always a knowable target. One often does > not know anything about the sizes of the other potential certificate > chains in advance of serving such a chain. You already need some of this information in order to specify the largest possible SNI (so you can pad to it), so I don't think this is prohibitive. Far more sensible would > be to add random padding whose size is commensurate with the size of > the certificate message. > > I would generate a random nibble, and count the first $k$ > non-zero bits. Then $1 + k$ times add independently > random([0, N/2]) bytes of padding to an $N$ byte message, > giving an additional $~N$ bytes on average, but occasionally > up to $2.5N$ additional bytes. > Random padding does poorly with repeated trials. So, for instance, if I get to observe a large number of requests from the same client to the same server, you can gradually infer the length of the cert chain. -Ekr > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls