Re: [TLS] Possible blocking of Encrypted SNI extension in China
Rob Sayre <sayrer@gmail.com> Tue, 11 August 2020 23:24 UTC
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 11 Aug 2020 16:24:15 -0700
Message-ID: <CAChr6SxQEfVua9GA4o+P0kSrE6_hJOE5sJsg7ugnukOHQdv2pw@mail.gmail.com>
To: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MnWMjpuUGFA6CYgmrEggM8CKp60>

On Tue, Aug 11, 2020 at 3:42 PM David Fifield <david@bamsoftware.com> wrote:

> With that said about website fingerprinting, on the topic of inference
> using packet sizes, timing, and other metadata, I have been impressed
> with this series of articles on inference against TLS and HTTPS, which I
> think avoid common missteps:
> "Enhanced telemetry for encrypted threat analytics"
> http://gen.lib.rus.ec/scimag/?q=10.1109%2FICNP.2016.7785325

Thanks for the links. This 2016 paper is interesting. Understandably, it
doesn't mention a bunch of newer developments. Its conclusion ends with:

"We identified features of a flow that can be easily collected, analyzed,
and stored such as the sequence of packet lengths and times, the byte
distribution, and the TLS handshake metadata. We showed how these data
features can be combined with intuitive machine learning models to
accurately classify malicious, encrypted network flows."

It seems to me that a lot of these papers studied more predictable packet
sizes than they might get under ECH, and would have less cleartext metadata
available under ECH. Additionally, many of these papers probably used TLS
1.2 or earlier.

thanks,
Rob
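
The flow features named in the quoted conclusion (sequence of packet lengths and times, byte distribution), as an added example that is not part of the original message or of the cited paper. It computes them over a constructed flow and shows how a hypothetical length-padding policy changes the length feature. The bin widths, the 512-byte padding block and the sample values are assumptions chosen for illustration.

```python
import math
from collections import Counter

BIN_WIDTH, NBINS = 150, 10   # assumed binning for record lengths, in bytes

def binned(seq, width=BIN_WIDTH, nbins=NBINS):
    """Map each value to a fixed-width bin, clamping large values to the last bin."""
    return [min(int(v // width), nbins - 1) for v in seq]

def transition_matrix(seq, width=BIN_WIDTH, nbins=NBINS):
    """Row-normalised first-order Markov matrix over the binned sequence."""
    bins = binned(seq, width, nbins)
    counts = [[0] * nbins for _ in range(nbins)]
    for a, b in zip(bins, bins[1:]):
        counts[a][b] += 1
    return [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]

def nonzero_cells(matrix):
    """Count distinct observed transitions: a rough measure of how much the feature varies."""
    return sum(1 for row in matrix for p in row if p > 0)

def byte_entropy(payload):
    """Shannon entropy, in bits per byte, of the payload byte distribution."""
    total = len(payload)
    return -sum(n / total * math.log2(n / total) for n in Counter(payload).values())

def pad_lengths(lengths, block):
    """Hypothetical padding policy: round each length up to a multiple of block."""
    return [-(-n // block) * block for n in lengths]

# Constructed sample flow: record lengths in bytes and inter-arrival times in ms.
LENGTHS = [517, 1400, 1400, 93, 126, 51, 640, 1400, 233, 31]
TIMES_MS = [0, 42, 1, 1, 38, 5, 110, 2, 61, 300]

if __name__ == "__main__":
    raw = transition_matrix(LENGTHS)
    padded = transition_matrix(pad_lengths(LENGTHS, 512))
    print("length transitions, unpadded:", nonzero_cells(raw))
    print("length transitions, padded:  ", nonzero_cells(padded))
    print("time bins (50 ms):", binned(TIMES_MS, width=50))
    print("entropy of uniform bytes:", byte_entropy(bytes(range(256))))
```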