←back to thread

Getting ready to issue IP address certificates

(community.letsencrypt.org)
314 points Bogdanp | 1 comments | 25 Jun 25 16:21 UTC | HN request time: 0.277s | source
Show context
mocko ◴[25 Jun 25 17:16 UTC] No.44379696[source]
I can see how this would work on a technical level but what's the intended use case?
replies(13): >>44379710 #>>44379735 #>>44379778 #>>44379786 #>>44379885 #>>44379946 #>>44380155 #>>44380377 #>>44380579 #>>44380856 #>>44381151 #>>44381389 #>>44386646 #
infogulch ◴[25 Jun 25 18:23 UTC] No.44380377[source]
Just ESNI/ECH is a big deal.

I recall one of the main arguments against Encrypted server name indication (ESNI) is that it would only be effective for the giant https proxy services like Cloudflare, that the idea of IP certs was floated as a solution but dismissed as a pipe dream. With IP address certificates, now every server can participate in ESNI, not just the giants. If it becomes common enough for clients to assume that all web servers have an IP cert and attempt to use ESNI on every connection, it could be a boon for privacy across the internet.

replies(2): >>44380676 #>>44380748 #
Hizonner ◴[25 Jun 25 18:58 UTC] No.44380748[source]
So is this the flow?

1. Want to connect to https://www.secret.com.

2. Resolve using DNS, get 1.2.3.4

3. Connect to 1.2.3.4, validate cert

4. Send ESNI, get separate cert for www.secret.com, validate that

... and the threat you're mitigating is presumably that you don't want to disclose the name "www.secret.com" unless you're convinced you're talking to the legitimate 1.2.3.4, so that some adversary can't spoof the IP traffic to and from 1.2.3.4, and thereby learn who's making connections to www.secret.com. Is that correct?

But the DNS resolution step is still unprotected. So, two broad cases:

1. Your adversary can subvert DNS. In this case IP certificates add no value, because they can just point you to 5.6.7.8, and you'll happily disclose "www.secret.com" to them. And you have no other path to communicate any information about what keys to trust.

2. Your adversary cannot subvert DNS. But if you can rely on DNS, then you can use it as a channel for key information; you include a key to encrypt the ESNI for "www.secret.com" in a DNS record. Even if the adversary can spoof the actual IP traffic to and from 1.2.3.4, it won't do any good because it won't have the private key corresponding to that ESNI key in the DNS. And those keys are already standardized.

So what adversary is stopped by IP certificates who isn't already stopped by the ESNI key records in the DNS?

replies(3): >>44381211 #>>44381247 #>>44382298 #
1. nine_k ◴[25 Jun 25 22:17 UTC] No.44382298[source]
The point is in not showing the watching adversary any DNS names at all. You do DoH, you do the IP cert, you enter TLS before naming any names. The www.secret.com is never visible in plaintext.

Only helpful if the IP itself is not incriminating or revealing, that is, it's an IP from a large pool like Cloudflare, GCP, AWS, etc.

To my mind, it's much more interesting to verify that an address like 1.1.1.1 or 8.8.8.8 is what it purports to be, but running UDP DNS over TLS is still likely not practical, and DoH already exists, so I don't see how helpful is it here.