Re: [TLS] Possible blocking of Encrypted SNI extension in China
Rob Sayre <sayrer@gmail.com> Wed, 12 August 2020 07:03 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 156FA3A0C9F
for <tls@ietfa.amsl.com>; Wed, 12 Aug 2020 00:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HoiyeG73m45K for <tls@ietfa.amsl.com>;
Wed, 12 Aug 2020 00:03:53 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com
[IPv6:2607:f8b0:4864:20::d35])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id C26F63A0C74
for <tls@ietf.org>; Wed, 12 Aug 2020 00:03:53 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id a5so1405571ioa.13
for <tls@ietf.org>; Wed, 12 Aug 2020 00:03:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=p1fBDKukOgAv7hhC0IUCtx+tyOzNRmzL1ezC7IZW304=;
b=Gklwq/a0x1qhfiVwCsvxxHWU9ExqOqMOlW/TFneb6PX/5/HiASyomzdwzmLdILjlv2
lYXqkPAgGJE/dl2Kj3me8Y/AW5+TsWOtxYfC0FaOr+EiM3FML/qLYYMARzsaTp+UJVg5
/5TVoh57f3z8J2cRT1FRagPoee/rIxa+nbfHEqay7WWgYlxDOxwZ1CKugBQbosk7oRMw
/GEEWisPtssy60nFBKC1SsOYo3PBY9ORvQY6x/IdvmkXGV8aVBjz5OkrCxQoTZfQd0rV
LPQUz+TKu40+vPy4NzRqKVeuIGKwAysD8CDJxxOlzuRXXZ+1Fi0DFWjQuouEFkvZ/Afx
Q0qQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=p1fBDKukOgAv7hhC0IUCtx+tyOzNRmzL1ezC7IZW304=;
b=JXQ2J5ytc4rE7Ty6zGYxPz5UqoMElFM3r84VFtC/2MWnF0+3AjlAV75V94cmoMUgdm
7SrOkkGcrD2g3cF09fNWmuNMQe8Zvilgj/EPI7OWBwnFqulvHrjrr5+oAspeFr1RFDSU
ylhvThihSiaQEokh/qtn1FVzoEuFBJf5zEExVT7BVD47AeBDaAhdXN6drmMJELKhhVr7
SoKz0vkXRSPq/vuPYRjwM+NqCnPh7YeycMO/TL0JPmZhGJF7bCCC7C5iBKn1GbAxOU5/
GVoY40i/XG+UQzHs9/GFo0NRu3fW55tpNN6AXTtxi6dAd3hZV41AC3hHhtPEkM8wWyYh
OqLA==
X-Gm-Message-State: AOAM531CvJ7oahJT55iHJ9enSaPOhOyN2RZv/hWk5dx39Wv9RLEc4mrS
4bwrPJEklE+cJvxgMD1T8Kp8CVL4JgyOACHJMvMT+gal02Y=
X-Google-Smtp-Source: ABdhPJykEM+gJHRzZdU8QzR2Cb+kDsVgEUDjkoEfj2cMObkKxWc9dyR0DwjeApRL5RagAexiVWpswBX3bw6J2Kx8TwQ=
X-Received: by 2002:a05:6638:25d3:: with SMTP id
u19mr29640341jat.103.1597215833107;
Wed, 12 Aug 2020 00:03:53 -0700 (PDT)
MIME-Version: 1.0
References: <67d52e25-71ed-4584-b2c3-6a71a6bdd346@www.fastmail.com>
<1597119980162.55300@cs.auckland.ac.nz>
<b32110f8-c9ba-e8db-f136-7cc60eba54e4@huitema.net>
<1597123970590.77611@cs.auckland.ac.nz>
<CAChr6SzzuyB7sxXJQ4gNJwa3iaQcC5jGPE3-sgfY_EkB7DoykA@mail.gmail.com>
<1597125488037.97447@cs.auckland.ac.nz>
<CAChr6SxLAJyweEDHL48-hT3X=d5E6jNrWZheOt+fSydpS=HhQw@mail.gmail.com>
<c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net>
<1597130085200.4129@cs.auckland.ac.nz>
<CAChr6SypqD+J0LjJWxOQNQhXAvR7R4oLZQCKq_0PPbs+xjiSwg@mail.gmail.com>
<20200811224203.qysncdptgiwfrvlu@bamsoftware.com>
<1597215113998.32406@cs.auckland.ac.nz>
In-Reply-To: <1597215113998.32406@cs.auckland.ac.nz>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 12 Aug 2020 00:03:41 -0700
Message-ID: <CAChr6SwNyeNQihrhFFra4G3D_EMYYyveh0vDmKXA_N07=fzCug@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: David Fifield <david@bamsoftware.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005cb2db05aca8ca93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PcvR0ct4F9r_w3l87M4jLFLor9M>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working
group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>,
<mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
<mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 07:03:55 -0000
On Tue, Aug 11, 2020 at 11:52 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > ... in reference to a question someone else asked about ECH and TLS > 1.3, since it's not defending against anything the censors are doing I > can't > see what its presence or absence would do. Something like ECH seems like > classic inside-out design, "here is our cool piece of crypto trickery, and > whatever it happens to defend against is the threat". > Censors do use the unencrypted SNI. See: https://tools.ietf.org/id/draft-irtf-pearg-censorship-03.html#sni That doesn't mean an encrypted ClientHello will solve all of the problems we've discussed, of course. That said, most of the linked papers I've read could be possibly-overfit ML models that study older TLS versions without ECH. Their underlying point could be correct, but the data is old, and usually not public or reproducible. thanks, Rob
- [TLS] Possible blocking of Encrypted SNI extensio… onoketa
- Re: [TLS] Possible blocking of Encrypted SNI exte… Christian Huitema
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Possible blocking of Encrypted SNI exte… Dmitry Belyavsky
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Christian Huitema
- Re: [TLS] Possible blocking of Encrypted SNI exte… Christopher Wood
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… Salz, Rich
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Christian Huitema
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… Christian Huitema
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… Christian Huitema
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… Nick Sullivan
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… Peter Gutmann
- Re: [TLS] Possible blocking of Encrypted SNI exte… Rob Sayre
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield
- Re: [TLS] Possible blocking of Encrypted SNI exte… Carrick Bartle
- Re: [TLS] Possible blocking of Encrypted SNI exte… David Fifield