[TLS] Re: ECH Proxy Mode

Raghu Saxena <poiasdpoiasd@live.com> Wed, 04 September 2024 03:28 UTC

Message-ID: <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
Date: Wed, 04 Sep 2024 11:28:29 +0800
User-Agent: Mozilla Thunderbird
To: tls@ietf.org
References: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in>
Content-Language: en-US
From: Raghu Saxena <poiasdpoiasd@live.com>
In-Reply-To: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in>
Subject: [TLS] Re: ECH Proxy Mode
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FkgFo4r1d5YvmRpOHTcV1VRj3ps>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi,

On 9/3/24 10:52 PM, 涛叔 wrote:
> This idea was derived from my attempt to implement an encrypted TLS SNI proxy. The SNI
> does not only expose privacy information; many ISPs use it to block certain web sites.
> Even though the current draft of ECH works to protect the ClientHello, it can only
> protect the sites that have deployed ECH.
>
> If we can adjust the current design and let the client-facing server generate and
> respond with the accept_confirmation signal, we can make ECH everywhere without
> upgrading any of the current TLS backend servers, which means the client-facing server
> can work as an encrypted TLS SNI proxy.

I'm trying to understand what exactly your use case here is. Wouldn't a 
naive HTTPS proxy w/ CONNECT be sufficient?

E.g. if we have the proxy domain `https://myproxy.com`, and the website 
we want to connect to is `https://supersecret.com`, then, assuming a 
classic HTTPS proxy running on `myproxy.com`, the client would make a 
TLS handshake to `myproxy.com` and reveal the proxy's SNI. However, once 
the TLS handshake with the proxy is complete, the `CONNECT` to 
`supersecret.com` will be inside the TLS tunnel, so it will be private.

I think this would be sufficient, since even in the split example with 
ECH you mention, the `public_name` of the first client-facing server 
will be visible anyway.

Regards,

Raghu Saxena
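
The proxy exchange described in the message above, as an added example that is not part of the original message or of the thread: it generates the outer ClientHello to `myproxy.com` (what a passive observer or ISP filter sees on the wire), the `CONNECT supersecret.com:443` request that travels inside that tunnel, and the inner ClientHello to `supersecret.com`, then extracts the SNI from each the way a DPI box would. The host names are the ones from the message; no network is used, since Python's `ssl.MemoryBIO` produces a genuine ClientHello offline. The SNI parser and the `proxied_session` model are this example's own code, not anything from the draft or the thread.

```python
"""Added example: what an on-path observer sees for an HTTPS proxy with
CONNECT.  Names myproxy.com / supersecret.com are the ones from the
message; the SNI parser and session model are this example's own code."""
import ssl

TLS_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0


def client_hello_for(server_name: str) -> bytes:
    """Return the TLS record(s) a client puts on the wire first when
    connecting to server_name: exactly the bytes a passive observer sees."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now awaits a ServerHello
    return outgoing.read()


def _u16(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 2], "big")


def parse_sni(records: bytes):
    """Extract server_name from a plaintext ClientHello, as an ISP filter
    would.  Returns None if there is no ClientHello or no SNI extension."""
    # 1. Strip record headers, keeping only handshake-protocol payload.
    hs, off = b"", 0
    while off + 5 <= len(records):
        length = _u16(records, off + 3)
        if records[off] == TLS_HANDSHAKE:
            hs += records[off + 5:off + 5 + length]
        off += 5 + length
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # 2. Skip legacy_version, random, session_id, cipher_suites, compression.
    p = 2 + 32
    p += 1 + body[p]
    p += 2 + _u16(body, p)
    p += 1 + body[p]
    if p + 2 > len(body):
        return None  # ClientHello without extensions
    end = p + 2 + _u16(body, p)
    p += 2
    # 3. Walk the extension list until server_name (type 0) is found.
    while p + 4 <= end:
        etype, elen = _u16(body, p), _u16(body, p + 2)
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        q = 2  # skip the ServerNameList length
        while q + 3 <= len(data):
            ntype, nlen = data[q], _u16(data, q + 1)
            if ntype == 0:  # name_type host_name
                return data[q + 3:q + 3 + nlen].decode("ascii")
            q += 3 + nlen
    return None


def connect_request(host: str, port: int = 443) -> bytes:
    """The HTTP CONNECT request (RFC 9110) sent *inside* the outer TLS tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def proxied_session(proxy: str, target: str) -> dict:
    """Model the three steps of the exchange and report what each layer exposes."""
    outer = client_hello_for(proxy)    # step 1: plaintext on the wire
    connect = connect_request(target)  # step 2: encrypted by the outer TLS session
    inner = client_hello_for(target)   # step 3: also carried inside the tunnel
    return {
        "wire_sni": parse_sni(outer),
        "target_leaks_on_wire": target.encode("ascii") in outer,
        "connect_request": connect,
        "inner_sni": parse_sni(inner),
    }


if __name__ == "__main__":
    for key, value in proxied_session("myproxy.com", "supersecret.com").items():
        print(f"{key}: {value!r}")
```

Only `wire_sni` is observable without the tunnel key; the `CONNECT` line and the inner SNI are protected by the session with the proxy, which is the point of the comparison with ECH's visible `public_name`. The inner ClientHello still carries `supersecret.com` in the clear inside the tunnel because Python's `ssl` module does not implement ECH, so the proxy itself learns the target either way.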