IETF Logo Mail Archive

[TLS] Re: Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting

Nick Sullivan <nicholas.sullivan@gmail.com> Wed, 26 February 2025 22:17 UTC

Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3301A2522D7 for <tls@mail2.ietf.org>; Wed, 26 Feb 2025 14:17:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietfa.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietfa.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cC8S45Duy4V for <tls@mail2.ietf.org>; Wed, 26 Feb 2025 14:17:09 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7FEC72522B0 for <tls@ietf.org>; Wed, 26 Feb 2025 14:17:09 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-5e02eba02e8so313076a12.0 for <tls@ietf.org>; Wed, 26 Feb 2025 14:17:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1740608228; x=1741213028; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tego2AyhajFX7JcTEfhUhRP8ByedJsNY3aK9iJruTus=; b=jWkvF9hdIKbMe4W+K2faWP738U4435mr5jTeoDzWsM4+S0xxj5EYPKJZmo+VlejCIH xVrg+JbedSOTFNCUcLkivo0cYeUCgyFvBgo3/i8Gri2qJXCOLEBUx77DomnF+Jk2cRj6 wDG7jDD9x/rsyj30wKdBA7R1lzAhsxCPl494LqratGKapBxqWaIurAdz86787Rm5VLQM fMpsrCCIq8HyjnnG5OhG9sI3v1lJOyMh11fAb8Oy1lSBXiV0TtzSNp0gw7iWR6UCLQDu xDlOi2SopEFvzlqmsPpDdrOlUYyapwFEppRR3WDp0fwUJ0eie9juKhnKNLQdgkNt1W5e gJoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740608228; x=1741213028; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tego2AyhajFX7JcTEfhUhRP8ByedJsNY3aK9iJruTus=; b=cAu5av6lxBRg5nvxEdkPWL7Mg31DIbnbXEU5DRYJZMeRfJ3iVLyQF1qaxKhPCqH3aE i9W/zfZWOTu3sOSdI4BDBpYGdgt0ZmrigYpc9j6LeiBXZYd+30rGXoj6VG5+0X/7daP/ FRRsV0p3FwQPuDBj4UMAfixoPPkzJT2VlN822fiGvJs27NDYlT9dznlzQIRM7CZ2Uy7o r3GrTEkytoSEO2LO+hYb+T9VInRwk8f0a0O2S91vLGE8z/BwNsuemT5HdKJYYZxTdAZW g96M2p7Wn1UKcWlTYPfRC9Y2gEnpwVw1IcdkMbRQA6OjSKdcQkZc8Ki8OZ28ehF3mJ2l MZvA==
X-Gm-Message-State: AOJu0YzSOH3x+ldPMi9mVzmi6WzdQMBCsM6U3VCFqEoSHdb+LcLeGqcT suB8zH925bjzNkmKmdx6RyM+VJVsxwmpgn7wkOOzB2wGaN2sB36LCD2pna3G/at3vIKfmtAT9T1 LjpROA10dDWEE7YgThw7VkZ6euySC5g720bu1SD61rPI=
X-Gm-Gg: ASbGncuymoGZDr+q/7aM+19NotODTC5drkpZIlgVdLYWmn+fDEIPWYOWZFqSKeRnXNL TnPGnEWGHCGT2XChxlUuZKpqwDFwT/S+CrjMG+2V36UkyQC1kVJK34Dpb2UlbMfubBCQo6ya50A ALbHflRyHS
X-Google-Smtp-Source: AGHT+IE0MZUn50tOajKJ3ZhT+iWwhIItVaoHO1CgSpamGYHsOaj7unpCHX6bAf5EE52I0njWjTqHs0QeRH/zmwyu7m0=
X-Received: by 2002:a05:6402:2110:b0:5e0:745c:6503 with SMTP id 4fb4d7f45d1cf-5e4a0e2b0eamr7157721a12.31.1740608228052; Wed, 26 Feb 2025 14:17:08 -0800 (PST)
MIME-Version: 1.0
References: <CAOjisRzBNG2KdAZXssnR9Ura9HuAUKxOH+VLCAE5B9MfYyeT2A@mail.gmail.com> <ME0P282MB558709F984758D4FE1F3C794A3C22@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
In-Reply-To: <ME0P282MB558709F984758D4FE1F3C794A3C22@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Thu, 27 Feb 2025 06:16:56 +0800
X-Gm-Features: AQ5f1JqhXoF4dGy16AdHwrBBcUR-oAAqppG3Dow2MF2ONbYnodgP1bux6r60i6U
Message-ID: <CAOjisRxJcFNy3-X3VtEEMUQENrVNjqfUygrm+zRtBTCO=2wdFw@mail.gmail.com>
To: Raghu Saxena <poiasdpoiasd@live.com>
Content-Type: multipart/alternative; boundary="0000000000002056d8062f12ef12"
Message-ID-Hash: TD3MCSWFJBQ5HU62I6NV4RJAEJ4QXE6G
X-Message-ID-Hash: TD3MCSWFJBQ5HU62I6NV4RJAEJ4QXE6G
X-MailFrom: nicholas.sullivan@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4Z4xjrxPCl7kbonDG62CcLk3Uqk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Raghu,

Thank you for your response, my replies are inline.

On Wed, Feb 26, 2025 at 6:40 PM Raghu Saxena <poiasdpoiasd@live.com> wrote:

> Hi Nick,
>
> On 2/26/25 3:14 PM, Nick Sullivan wrote:
> >
> > Hi everyone,
> >
> >
> > I’ve put together a draft, “Implicit ECH Configuration for TLS 1.3”
> > (https://www.ietf.org/archive/id/draft-sullivan-tls-implicit-ech-00.html
> > <https://www.ietf.org/archive/id/draft-sullivan-tls-implicit-ech-00.html>),
>
> > as a potential starting point for improving ECH’s “do not stick out”
> > compliance. Global deployments of ECH have become biased because a
> > single public_name dominates most ECH connections, making it a prime
> > target for fingerprinting (see
> > https://github.com/net4people/bbs/issues/417
> > <https://github.com/net4people/bbs/issues/417>). As discussed on the
> > TLS WG mailing list (see
> > https://mailarchive.ietf.org/arch/msg/tls/4rq4sZzpI9rjYgDLJ2IO-vG9DRw/
> > <https://mailarchive.ietf.org/arch/msg/tls/4rq4sZzpI9rjYgDLJ2IO-vG9DRw/>),
>
> > the outer SNI remains the primary identifier that enables on-path
> > adversaries to identify ECH traffic.
> >
> I think the real problem here is centralization of the internet through
> certain "proxy providers" such as cloudflare, to whom websites are
> giving up their TLS control. If the goal is for cloudflare (or other
> such large operators) to avoid fingerprinting via the public_name, a
> solution could be to publish an ECHConfig with a bogus domain (e.g.
> `fake.example.com`), and expect that OuterSNI against a certain config
> id. They can then rotate to other random domains since they control the
> HTTPS DNS record anyway.
>

The goal here isn't for proxy providers to avoid fingerprinting, it's to
give
clients strategies to improve reachability when a connection fails. The
immediate example that comes to mind is that of a browser connecting
to a website with ECH and a middlebox failing on the connection due to
handling of the outer SNI, and the client implementing a policy to retry
with a different outer SNI to establish the connection.


>
> > ...
> >
> > This approach enables clients to adopt custom strategies for
> > maintaining broad reachability, ensuring that a single public_name
> > does not become a reliable way for external observers to distinguish
> > ECH from ECH GREASE at scale. It is also useful for improving privacy
> > when client-facing servers support only one or a small number of
> > domains, as it enables clients to choose the outer SNI such that it is
> > not merely a direct stand-in for the inner name.
> >
> I think in the context of the censor discussion you linked,
> realistically they can just block ECH (including GREASed ECH), since
> there isn't really mass saturation of ECH (GREASed or not) across most
> TLS clients, so they won't face much blowback, especially since it
> appears they've straight up said ECH is banned technology. In fact if
> I'm not mistaken the GFW already does this. IMO if Russia if OK to block
> the `cloudflare-ech.com` SNI right now (which would effectively block
> all Cloudflare websites from ECH-enabled clients), they're probably not
> afraid to block entire IP ranges in the foreseeable future (or
> fingerprint on the ECH extension + destination IP)
>

As an other reply noted, the ECH extension is very broadly used across
many networks, and blocking it outright would cause significant outages
and issues. IP address filtering is out of scope as a concern for TLS.
Yes, IP addresses can be blocked, but that does not have any bearing
on whether the "do not stick out" property of the TLS wire protocol is
satisfied.


> In general though, I do like the idea of "randomized" Outer-SNI to avoid
> leaking details to passive adversaries (I've written on the mailing list
> about this before a bit as well), however if the goal is nation-state
> level censorship circumvention in the context of popular CDN services,
> I'm not sure this will help too much.


> Regards,
>
> Raghu Saxena
>
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status