Re: [TLS] Possible blocking of Encrypted SNI extension in China

Peter Gutmann <> Tue, 11 August 2020 04:26 UTC

From: Peter Gutmann <>
To: Christopher Wood <>, "" <>
Date: Tue, 11 Aug 2020 04:26:16 +0000
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Christopher Wood <> writes:

>For the benefit of the list, would you mind sharing these references?

I handwaved this one because I don't catalogue these things and didn't want to
try and re-locate every preprint, paper, and report that's drifted across my
desk in the last 6-12 months to try and find the relevant stuff... a recent
one that I remember because it was published just a few days ago at Usenix
Security after existing as an arXiv preprint for over a year, that's not ESNI
but eDNS so almost the same thing, was "Padding Ain't Enough: Assessing the
Privacy Guarantees of Encrypted DNS" which reports, and references other
papers which report, an 80-90% success rate in de-anonymising encrypted DNS.
The ESNI de-anonymisation is the standard web-site fingerprinting that's been
used in the past to e.g. find people's incomes based on their encrypted
traffic to tax filing sites.  In other words it doesn't care whether ESNI is
used or not since it doesn't use it.
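The point made above, that traffic analysis identifies the site from packet sizes and directions and never looks at the SNI field, can be shown with a small simulation. The following is an added example written for this archive page; it is not code from the message author or from any of the papers mentioned. The per-site response-size profiles, the 1400-byte packet cap, and the modelling of ESNI as a ClientHello that is 96 bytes larger are all constructed assumptions chosen to make the demo self-contained, not measurements of real sites or of any ESNI implementation.

```python
"""
Minimal website-fingerprinting demo: a nearest-centroid classifier over
incoming-burst sizes of a simulated TLS flow.  Whether the ClientHello
carries a plaintext or an encrypted SNI makes no difference to the
classifier, because the SNI is never one of its inputs.
"""
import random

# Constructed per-site response-size patterns (bytes per fetched object).
# Made-up values for the demo, not measurements of any real site.
SITE_PROFILES = {
    "site-a": [1500, 1500, 400, 12000, 800],
    "site-b": [600, 30000, 30000, 2000],
    "site-c": [200, 200, 200, 200, 5000, 1200],
}
MTU_PAYLOAD = 1400   # assumed maximum bytes per packet in the simulation
NUM_BURSTS = 8       # fixed feature-vector length (bursts padded/truncated)


def generate_trace(site, rng, esni):
    """Simulate a TLS flow as a list of (direction, length) packets.

    ESNI is modelled (assumption) as a ClientHello that is 96 bytes larger
    because the hostname is carried encrypted; nothing else about the page
    load changes, which is exactly why fingerprinting is unaffected.
    """
    trace = [("out", 512 + (96 if esni else 0)),   # ClientHello
             ("in", 1400), ("in", 900)]            # ServerHello + certificate
    for size in SITE_PROFILES[site]:
        trace.append(("out", 120 + rng.randint(0, 40)))   # HTTP request
        remaining = int(size * rng.uniform(0.9, 1.1))      # +-10% jitter
        while remaining > 0:
            trace.append(("in", min(remaining, MTU_PAYLOAD)))
            remaining -= MTU_PAYLOAD
    return trace


def burst_features(trace):
    """Total bytes of each incoming burst (run of server->client packets),
    sorted descending and padded to NUM_BURSTS so vectors are comparable."""
    bursts, cur = [], 0
    for direction, length in trace:
        if direction == "in":
            cur += length
        elif cur:
            bursts.append(cur)
            cur = 0
    if cur:
        bursts.append(cur)
    bursts = sorted(bursts, reverse=True)[:NUM_BURSTS]
    return bursts + [0] * (NUM_BURSTS - len(bursts))


def train(rng, samples_per_site=20, esni=False):
    """Nearest-centroid model: mean burst vector per site."""
    centroids = {}
    for site in SITE_PROFILES:
        vecs = [burst_features(generate_trace(site, rng, esni))
                for _ in range(samples_per_site)]
        centroids[site] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return centroids


def classify(centroids, trace):
    """Pick the site whose centroid is closest (L1 distance) to the trace."""
    vec = burst_features(trace)
    return min(centroids,
               key=lambda s: sum(abs(a - b) for a, b in zip(vec, centroids[s])))


def accuracy(centroids, rng, esni, trials_per_site=50):
    """Fraction of freshly generated traces classified as the right site."""
    correct = total = 0
    for site in SITE_PROFILES:
        for _ in range(trials_per_site):
            correct += classify(centroids, generate_trace(site, rng, esni)) == site
            total += 1
    return correct / total


def run_demo(seed=1):
    """Train on plaintext-SNI traffic only, then test against both kinds.
    Returns (accuracy_without_esni, accuracy_with_esni)."""
    rng = random.Random(seed)
    model = train(rng, esni=False)
    return accuracy(model, rng, esni=False), accuracy(model, rng, esni=True)


if __name__ == "__main__":
    plain, encrypted = run_demo()
    print("accuracy, SNI in clear:", plain)
    print("accuracy, ESNI:        ", encrypted)
```

The attacker's model here is trained entirely on flows with a cleartext SNI and then applied to flows using ESNI; the only thing ESNI changes in the simulation is the size of one outgoing packet, which the burst features discard. Real classifiers in the fingerprinting literature use richer features (timing, packet ordering, direction changes) and real traffic is noisier than these three toy profiles, so the exact accuracy figures mean nothing; the structural point is that the hostname is recovered from the shape of the encrypted flow, not from any field that ESNI protects.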