Re: [TLS] Possible blocking of Encrypted SNI extension in China

Peter Gutmann <> Wed, 12 August 2020 06:52 UTC

From: Peter Gutmann <>
To: David Fifield <>, "" <>
Thread-Topic: [TLS] Possible blocking of Encrypted SNI extension in China
Date: Wed, 12 Aug 2020 06:51:48 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>, <>
In-Reply-To: <>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China

David Fifield <> writes:

>Peter is surely referring to the influential "The Parrot is Dead" paper from

Yep, that was it, thanks (at least one person catalogues their reading by the
looks of it :-).  Thanks for the ref to the followup, can't remember seeing
that, but doesn't that just reinforce the Parrot paper?

The "Grounding Censorship Circumvention in Empiricism" paper is an important
one too: you need to look at what the attackers are doing, otherwise you'll end
up throwing a ton of crypto at something that makes no difference.  In
particular in reference to a question someone else asked about ECH and TLS
1.3, since it's not defending against anything the censors are doing I can't
see what its presence or absence would do.  Something like ECH seems like
classic inside-out design, "here is our cool piece of crypto trickery, and
whatever it happens to defend against is the threat".
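The point being argued above, that an extension's mere presence is observable regardless of what its encrypted payload hides, can be made concrete by parsing a ClientHello and reporting only what a passive on-path observer sees in cleartext. The following is an added example written for this archive, not code from the thread or from any TLS implementation. It assumes the server_name code point 0x0000 from RFC 6066 and the encrypted_server_name code point 0xffce from the pre-ECH ESNI drafts; the ClientHello bytes are constructed in the script (zero random, one cipher suite, an opaque placeholder standing in for the ESNI body), not captured traffic.

```python
"""Parse a TLS ClientHello record and report the name-related signal visible
on the wire: the hostname itself (plain SNI), the fact that ESNI is present,
or nothing. Added example; sample records are constructed, not captured."""
import struct

EXT_SERVER_NAME = 0x0000   # server_name, RFC 6066
EXT_ESNI = 0xFFCE          # encrypted_server_name, draft-ietf-tls-esni (pre-ECH drafts)


def sni_extension(hostname):
    """server_name extension carrying one host_name entry (RFC 6066 layout)."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type = host_name(0)
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Minimal TLS record wrapping a ClientHello with the given (type, data)
    extensions. Constructed sample bytes: fixed zero random, one cipher suite."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                    # legacy_version, random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"                   # TLS_AES_128_GCM_SHA256; null compression
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record):
    """Walk a ClientHello record and return {ext_type: ext_data}.
    Raises ValueError on anything that is not a well-formed, complete ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                             # skip legacy_version + random
        pos += 1 + body[pos]                                     # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # legacy_compression_methods
        if pos == len(body):
            return {}                                            # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        exts = {}
        while pos < end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + data_len > end:
                raise ValueError("extension overruns block")
            exts[ext_type] = body[pos:pos + data_len]
            pos += data_len
        return exts
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def visible_name_signal(record):
    """What a passive observer learns from the cleartext ClientHello."""
    exts = parse_extensions(record)
    if EXT_ESNI in exts:
        return ("esni-present", None)     # name hidden, but the code point itself is in the clear
    if EXT_SERVER_NAME in exts:
        data = exts[EXT_SERVER_NAME]       # list_len(2) name_type(1) name_len(2) name
        name_len = struct.unpack("!H", data[3:5])[0]
        return ("sni", data[5:5 + name_len].decode("idna"))
    return ("no-name", None)


# Constructed samples, not captured traffic.
PLAIN = build_client_hello([sni_extension("example.com")])
ESNI = build_client_hello([(EXT_ESNI, bytes(16))])   # opaque placeholder for the ESNI body
BARE = build_client_hello([])

if __name__ == "__main__":
    for label, rec in (("plain", PLAIN), ("esni", ESNI), ("bare", BARE)):
        print(label, visible_name_signal(rec))
```

Running the script prints the hostname for the plain-SNI record and only "esni-present" for the ESNI record: the parser never looks inside the encrypted body, which is exactly why encrypting the name does not, by itself, change what an observer who keys on the extension type can act on.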