Re: [TLS] Possible blocking of Encrypted SNI extension in China

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 12 August 2020 06:52 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: David Fifield <david@bamsoftware.com>, "tls@ietf.org" <tls@ietf.org>
Date: Wed, 12 Aug 2020 06:51:48 +0000
Message-ID: <1597215113998.32406@cs.auckland.ac.nz>
In-Reply-To: <20200811224203.qysncdptgiwfrvlu@bamsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6kIhPY5s0YdfxlTmMXcpzmDh0Uc>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China

David Fifield <david@bamsoftware.com> writes:

>Peter is surely referring to the influential "The Parrot is Dead" paper from
>2013

Yep, that was it, thanks (at least one person catalogues their reading by the
looks of it :-). Thanks for the ref to the follow-up, can't remember seeing
that, but doesn't that just reinforce the Parrot paper?

The "Grounding Censorship Circumvention in Empiricism" paper is an important
one too: you need to look at what the attackers are doing, otherwise you'll end
up throwing a ton of crypto at something that makes no difference. In
particular, in reference to a question someone else asked about ECH and TLS
1.3: since it's not defending against anything the censors are doing, I can't
see what its presence or absence would do. Something like ECH seems like
classic inside-out design, "here is our cool piece of crypto trickery, and
whatever it happens to defend against is the threat".

Peter.