On Mon 2015-05-25 03:39:27 -0400, Kasper Dupont wrote:
> On 25/05/15 09.51, Damien Miller wrote:
>> I don't much like it because it reveals host identity information
>> in the clear.
>
> So does the DNS lookup performed before the TCP connection
> is being established. So that can hardly be considered a
> secret.

I hope we do not introduce a cleartext SNI into the SSH protocol. This
leaks far too much sensitive metadata for passive monitors.

TLS has cleartext SNI, and it is quite difficult to figure out how to
protect it from passive monitors (and I think impossible to protect from
active attackers who are willing to cause connection failures to learn
the client's intended SNI). We should not add this additional layer of
metadata leakage to SSH as well.

The argument that the DNS lookup leaks this metadata is a bad argument:
if we followed this line of reasoning, then every problem that has
multiple contributors could never be solved (A says "but my fixing
things is useless if B does nothing", while B says "but my fixing things
is useless if A does nothing" -- a classic collective action problem).

In practice, there is work done today to protect DNS queries as well
(see the DNS Privacy working group in the IETF, the latest versions of
libunbound and the getdns API, etc). Let's not introduce a new layer of
the same problem.

I think the ProxyCommand Kasper ended up describing (checking for v6
connectivity or using a constrained HTTP CONNECT proxy) is an acceptable
way to go for people in the particular scenario he's concerned about.
Changing everyone else's SSH connections to leak that metadata for the
sake of this corner case would be a bad tradeoff.

Regards,

--dkg

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev