Oblivious DoH, OPAQUE passwords, Encrypted Client Hello: Cloudflare's protocol proposals to protect privacy
'Adopting these may have legal and policy implications'
Web infrastructure company Cloudflare is pushing for the adoption of new internet protocols it says will enable a "privacy-respecting internet."
These include an updated secure DNS service that hides the identity of the client, a password protocol that means a password is never transmitted to the server, and an encrypted "client hello" that does not leak server names.
Most internet traffic is encrypted today but this is not enough to protect privacy or prevent unwanted profiling and ad targeting. Cloudflare CTO John Graham-Cumming has posted about new protocols that do a better job, but also pose "an enormous challenge for companies that have built a business on aggregating citizens' information in order to target advertising."
Will it get adoption from the likes of Google and Mozilla, with updates to Chrome/Chromium and Firefox? "Today what we're announcing is not with the browser vendors but with the launch partners who actually provide the proxying service," Graham-Cumming told us. "I think they are going to update anyway. I think this is naturally where things are going to go. I expect the operating systems to do it as well."
What are the protocols? The first is another look at DNS, which maps server names humans can remember, like theregister.com, to numeric internet addresses, such as 18.104.22.168, used by computers to connect to each other. Plain-text DNS queries leak people's privacy by providing a record of a user's internet navigation to people watching the network path. This has received attention in the last year or two, in the form of DNS-over-HTTPS (DoH), which encrypts this traffic, but with the flaw that the DNS provider still has a record of your lookups. "While encrypted DNS is great, it matters a great deal who you encrypt your DNS to (since in the end, someone is going to have plaintext)," said Bert Hubert, founder of PowerDNS, back in February this year.
New study: DNS spoofing doubles in six years ... albeit from the point of naff allREAD MORE
Engineers from Cloudflare, Apple, and Fastly have specified a solution through an enhanced version called Oblivious DoH (ODoH), for which Cloudflare has now declared support for, in association with three partners, PCCW Global, Surf, and Equinix. The essence of ODoH is that it introduces a network proxy between the client and the DoH server. The proxy has no visibility into the DNS query, which can only be read by the DoH server. The server has no knowledge of the client's IP address. The query is private, provided the proxy and server do not collude. Performance, according to Cloudflare, is hardly affected. There are open-source clients in Rust and Go.
The second new piece is Encrypted Client Hello (ECH). The issue here is that the initial handshake in TLS (Transport Layer Security) 1.3 is not encrypted, revealing the destination. A fix already exists via an extension called Encrypted SNI (ESNI), but according to Cloudflare research engineer Christopher Patton: "While ESNI took a significant step forward, it falls short of our goal of achieving full handshake encryption. Apart from being incomplete – it only protects SNI – it is vulnerable to a handful of sophisticated attacks, which, while hard to pull off, point to theoretical weaknesses in the protocol's design that need to be addressed."
These weaknesses are mentioned in the Internet Engineering Task Force's draft proposal for ECH. ECH, said Patton, "is a work in progress". The goal of ECH, he said, "is to ensure that TLS connections made to different origin servers behind the same ECH service provider are indistinguishable from one another." If successful, it will then enable new features for TLS "without compromising privacy". Cloudflare, naturally, sees itself as a likely ECH provider. This only makes full sense alongside DoH, and in the context of a CDN (content distribution network), behind which the destination sites are hidden. No wonder Cloudflare is enthusiastic.
Peek, poke, now PAKE
Third up is OPAQUE password, the name being, it seems, some sort of pun on Oblivious Pseudo-Random Function (OPRF) combined with Password Authenticated Key Exchange (PAKE). Best practice today is that servers store not passwords but one-way-encrypted password hashes, further protected by per-user random values called a salt. A weakness, as Cloudflare software engineer Tatiana Bradley described, is that, even though authentication ideally happens over an encrypted connection, this "requires users to send plaintext passwords to servers during login, because servers must see these passwords to match against registered passwords on file."
The OPAQUE solution [PDF] avoids that transfer of the client's password by having the server and client jointly calculate a salted hash to compare using an intermediary second salt. This ensures the server cannot learn the user's password during authentication, and the user doesn't learn the server's secret salt. An in-depth analysis of how this works can be found here.
Bradley is the author of a proof-of-concept implementation for OPAQUE on the web to "show the feasibility of... completely removing plaintext passwords from the wire, even encrypted."
The user experience is no more complex than with a password today. Bradley also stated that there are several obstacles to moving beyond proof of concept, including browser support, reliance on emerging standards, and the fact that servers will need to re-register all their users. She said there can be no automatic update from salted password hashes.
I think passwords are here for a long time because they're easy for people to work with. We need to do what we can to secure them
Why improve passwords when they can be eliminated altogether? "It would be great if we had a different solution," Graham-Cumming told us. "We've done a bunch of work around WebAuthn, which allows you to use [hardware] keys. We actually support that. But I think passwords are here for a long time because they're easy for people to work with. We need to do what we can to secure them."
Will these new protocols ever reach wide use? "Sweeping technical changes to the internet will inevitably also impact the technical community. Adopting these new protocols may have legal and policy implications," said Cloudflare head of research Nick Sullivan.
Could the introduction of new protocols break enterprise networks? "For anyone running a corporate network, they have control over the software that's running on someone's machine, a standard configuration for the machine the end user is using," Graham-Cumming told us. "So I don't think this changes what they're doing; they can set things up as they want... a lot of that concern has been overblown because enterprises have control of their endpoints."
Why not use a VPN if you want privacy protection? VPN, said Graham-Cumming, is about remaining anonymous from the target you are connecting to, which is a different problem. "Your bank needs to know who you are," he said. Although a VPN also protects privacy, "it's better that we have a widely adopted standard that makes this possible for everyone," he said.
Although three protocols are in Cloudflare's announcements, only ODoH is available now. ECH will be "in production and you can test against it," Graham-Cumming said, and "as the browsers catch up you will be able to use it." OPAQUE is furthest out.
It is the business and political implications, and that not everyone agrees on the merits of privacy on the internet, rather than technical issues, that will likely be the biggest obstacles to adoption of the "always secure, always private" internet Graham-Cumming proposes. ®