Re: [TLS] Possible blocking of Encrypted SNI extension in China

Christian Huitema <huitema@huitema.net> Tue, 11 August 2020 06:49 UTC

To: Rob Sayre <sayrer@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <tls@ietf.org>
References: <uGJxvVQRPcgn2GZKsKuuVN4SyTe7EOiV3iEK3Cq3Izo0ZstAh1LxEzMKrDZ_0VTrLqeYXQb4k1Qy5uJmEy04zNgngoHBONhVZnvddYYybt8=@iyouport.org> <71e4d18d-9ad8-fd72-729c-db5a0cf7593b@huitema.net> <20200809153526.vf5zlongieoswb22@bamsoftware.com> <1597030308337.61220@cs.auckland.ac.nz> <67d52e25-71ed-4584-b2c3-6a71a6bdd346@www.fastmail.com> <1597119980162.55300@cs.auckland.ac.nz> <b32110f8-c9ba-e8db-f136-7cc60eba54e4@huitema.net> <1597123970590.77611@cs.auckland.ac.nz> <CAChr6SzzuyB7sxXJQ4gNJwa3iaQcC5jGPE3-sgfY_EkB7DoykA@mail.gmail.com> <1597125488037.97447@cs.auckland.ac.nz> <CAChr6SxLAJyweEDHL48-hT3X=d5E6jNrWZheOt+fSydpS=HhQw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net>
Date: Mon, 10 Aug 2020 23:49:23 -0700
In-Reply-To: <CAChr6SxLAJyweEDHL48-hT3X=d5E6jNrWZheOt+fSydpS=HhQw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VDvENyzx3mw4480mp3bh7yG47Uw>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 8/10/2020 11:14 PM, Rob Sayre wrote:
> On Mon, Aug 10, 2020 at 10:58 PM Peter Gutmann
> <pgut001@cs.auckland.ac.nz <mailto:pgut001@cs.auckland.ac.nz>> wrote:
>
>     Rob Sayre <sayrer@gmail.com <mailto:sayrer@gmail.com>> writes:
>
>     >Do you think this fingerprinting will work with the newer ECH
>     >design, if the client can add arbitrary content to the encrypted
>     >payload?
>
>     ECH doesn't have any effect on web site fingerprinting so unless I've
>     misunderstood your question the answer would be "N/A".
>
>
> Assuming the definition here:
> https://tools.ietf.org/html/draft-wood-pearg-website-fingerprinting-00
>
> it does seem like ECH would make this more difficult, at least for
> pages in a large anonymity set. (agree that it won't matter much for
> Twitter, Google, et al)


Defeating fingerprinting is really hard. It has been tried in the past,
as in "make me look like Skype" or "make me look like Wikipedia". The
idea is to build a target model, then inject enough noise and padding in
your traffic to match the target model. But that is way easier to say
than to do!

-- Christian Huitema
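The "build a target model, then pad and add noise to match it" approach above, worked through on constructed traces as an added example (not code from the original message or from anyone in the thread). It assumes a size-only model: traces are lists of packet lengths, direction and timing are ignored, and the target mix, site trace and byte counts are made-up values.

```python
"""Toy model of "make me look like X" traffic shaping, added here as an
example (not part of the original message). Traces are constructed lists of
packet lengths in bytes; direction and timing are ignored, which already
understates how hard the real problem is."""
from collections import Counter
from math import ceil

# Constructed traces. TARGET is the model we want to resemble (two sizes,
# 50/50 mix). SITE is a made-up page load with a very different size mix.
TARGET = [200, 1500, 200, 1500, 200, 1500, 200, 1500]
SITE = [517, 1400, 1400, 300, 80, 1400, 900]


def size_profile(trace):
    """Fraction of packets at each exact size."""
    n = len(trace)
    return {s: c / n for s, c in Counter(trace).items()}


def l1_distance(p, q):
    """L1 distance between two profiles: 0.0 = same mix, 2.0 = no size in common."""
    return sum(abs(p.get(s, 0.0) - q.get(s, 0.0)) for s in set(p) | set(q))


def pad_sizes(trace, target):
    """Pad every packet up to the smallest target size that fits.
    Padding can only grow a packet, so sizes above max(target) are left
    alone and remain distinguishable."""
    choices = sorted(set(target))
    return [next((t for t in choices if t >= s), s) for s in trace]


def add_dummies(trace, target):
    """Append dummy packets until the size mix equals the target's.
    Only works once every packet already has a target size (see pad_sizes)."""
    want = size_profile(target)
    have = Counter(trace)
    # Smallest total that lets the most over-represented size keep its share.
    total = ceil(max(have[s] / want[s] for s in want))
    shaped = list(trace)
    for s in want:
        shaped += [s] * max(0, ceil(want[s] * total) - have[s])
    return shaped


if __name__ == "__main__":
    padded = pad_sizes(SITE, TARGET)
    shaped = add_dummies(padded, TARGET)
    for name, t in [("raw", SITE), ("padded", padded), ("padded+dummies", shaped)]:
        d = l1_distance(size_profile(t), size_profile(TARGET))
        print(f"{name:15} distance={d:.2f} packets={len(t):2} bytes={sum(t)}")
    # The size mix now matches, but packet count and total bytes still differ
    # from TARGET, and shaping cost about 70% extra bandwidth on this trace.
```

Padding alone only gets the size mix part of the way there; dummies close the gap in that one feature at a real bandwidth cost, while packet count and volume (let alone timing) still separate the shaped trace from the target.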