Re: [TLS] Possible blocking of Encrypted SNI extension in China

Peter Gutmann <> Tue, 11 August 2020 05:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 00C843A0C64 for <>; Mon, 10 Aug 2020 22:33:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id h2sRs0A20xGA for <>; Mon, 10 Aug 2020 22:33:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9331F3A0C0E for <>; Mon, 10 Aug 2020 22:33:01 -0700 (PDT)
Received: from ( []) (Using TLS) by with ESMTP id au-mta-33-Zbal40UWNnyykrIC9bTpCA-1; Tue, 11 Aug 2020 15:32:57 +1000
X-MC-Unique: Zbal40UWNnyykrIC9bTpCA-1
Received: from (2603:1096:4:8f::18) by (2603:10c6:201:2::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.18; Tue, 11 Aug 2020 05:32:51 +0000
Received: from (2603:1096:4:8f:cafe::63) by (2603:1096:4:8f::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.18 via Frontend Transport; Tue, 11 Aug 2020 05:32:50 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3261.16 via Frontend Transport; Tue, 11 Aug 2020 05:32:49 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 11 Aug 2020 17:32:47 +1200
Received: from ([fe80::99ff:fdcc:ecb:10c7]) by ([fe80::99ff:fdcc:ecb:10c7%14]) with mapi id 15.00.1497.006; Tue, 11 Aug 2020 17:32:47 +1200
From: Peter Gutmann <>
To: Christian Huitema <>, Christopher Wood <>, "" <>
Thread-Topic: [TLS] Possible blocking of Encrypted SNI extension in China
Thread-Index: AQHWZo5K+iu3hjU4UEa0XHCZQtwYy6kfpOkAgA+KOACAAZBRDP//9AqAgAGtqQz//z7aAIAA1Exf
Date: Tue, 11 Aug 2020 05:32:46 +0000
Message-ID: <>
References: <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 3e6b1328-338e-4d1c-be96-08d83db7fc44
X-MS-TrafficTypeDiagnostic: MEAPR01MB2343:
X-Microsoft-Antispam-PRVS: <>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: +tJ3VhQthVc7NfgtzyVFZt54alkb1dhlolna8EVpel3smvYjK2Y6+6Q6O4+r4jh61jRtfA53Kb9m3nhqsHwPleNVu8tr5nm5fjjGgdi//fQEPJ9ZH5Pr1Q4wPDpe/yxsrmhZBv61QlHkdyQzOV8coPaO3vOJ1ZCbUMGPd6m7EwvycBLDFASd62voTrSrnExCgRRZ2OKKtp89qjRZckBdUV5P8VXibk8A6rxzQwLiAqjKeIwlXb6iDO64ythtl2XtckbFoam63xO3XKMgDTvoys01WuORRAy3tkokjEjNyhi57D1j3QlT9NQxh7+u7WRofjHN71Jo8hQq/fFihs9POZblGX+KoJzoxL9zh2vwQ61iTGqYZhW9pmnzwVLdRALPwcDtlYueIfKmys2qw8bteQ==
X-Forefront-Antispam-Report: CIP:; CTRY:NZ; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM;;; CAT:NONE; SFTY:; SFS:(4636009)(396003)(39860400002)(376002)(136003)(346002)(46966005)(70586007)(8936002)(36906005)(70206006)(5660300002)(786003)(66574015)(4744005)(2616005)(110136005)(26005)(316002)(83380400001)(336012)(8676002)(186003)(7636003)(356005)(47076004)(86362001)(2906002)(82310400002)(82740400003)(478600001); DIR:OUT; SFP:1101;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Aug 2020 05:32:49.0789 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e6b1328-338e-4d1c-be96-08d83db7fc44
X-MS-Exchange-CrossTenant-Id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d1b36e95-0d50-42e9-958f-b63fa906beaa; Ip=[]; Helo=[]
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEAPR01MB2343
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Aug 2020 05:33:04 -0000

Christian Huitema <> writes:

>Fingerprinting is a real issue but from the reports, this is not what is
>happening here.

Sure, I was just pointing out that they're using the brute-force approach now
but presumably at some point will stop blocking when they've implemented a way
to bypass it.  My guess is that since the GFW uses blocklisting (of known
sites/pages) all they'll need to do is fingerprint the sites they want to
block and take it from there.  Stuff like the ConceptDoppler work
("ConceptDoppler: A Weather Tracker for Internet Censorship" out of UC Davis -
that was one paper I do remember :-) showed that they don't try and block
everything but just enough to let you know it's happening and they're watching
you, which the fingerprinting approach is fine for.