[TLS] Re: Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting
Raghu Saxena <poiasdpoiasd@live.com> Wed, 26 February 2025 10:38 UTC
To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fJSL9UT0oUH0eQm_74k7Xn8PF3M>
Hi Nick,

On 2/26/25 3:14 PM, Nick Sullivan wrote:
>
> Hi everyone,
>
> I’ve put together a draft, “Implicit ECH Configuration for TLS 1.3”
> (https://www.ietf.org/archive/id/draft-sullivan-tls-implicit-ech-00.html),
> as a potential starting point for improving ECH’s “do not stick out”
> compliance. Global deployments of ECH have become biased because a
> single public_name dominates most ECH connections, making it a prime
> target for fingerprinting (see
> https://github.com/net4people/bbs/issues/417). As discussed on the
> TLS WG mailing list (see
> https://mailarchive.ietf.org/arch/msg/tls/4rq4sZzpI9rjYgDLJ2IO-vG9DRw/),
> the outer SNI remains the primary identifier that enables on-path
> adversaries to identify ECH traffic.
>

I think the real problem here is centralization of the internet through certain "proxy providers" such as Cloudflare, to whom websites are giving up their TLS control. If the goal is for Cloudflare (or other such large operators) to avoid fingerprinting via the public_name, a solution could be to publish an ECHConfig with a bogus domain (e.g. `fake.example.com`), and expect that OuterSNI against a certain config id. They can then rotate to other random domains since they control the HTTPS DNS record anyway.

> ...
>
> This approach enables clients to adopt custom strategies for
> maintaining broad reachability, ensuring that a single public_name
> does not become a reliable way for external observers to distinguish
> ECH from ECH GREASE at scale. It is also useful for improving privacy
> when client-facing servers support only one or a small number of
> domains, as it enables clients to choose the outer SNI such that it is
> not merely a direct stand-in for the inner name.
>

I think in the context of the censor discussion you linked, realistically they can just block ECH (including GREASed ECH), since there isn't really mass saturation of ECH (GREASed or not) across most TLS clients, so they won't face much blowback, especially since it appears they've straight up said ECH is banned technology. In fact if I'm not mistaken the GFW already does this.

IMO if Russia is OK to block the `cloudflare-ech.com` SNI right now (which would effectively block all Cloudflare websites from ECH-enabled clients), they're probably not afraid to block entire IP ranges in the foreseeable future (or fingerprint on the ECH extension + destination IP).

In general though, I do like the idea of "randomized" Outer-SNI to avoid leaking details to passive adversaries (I've written on the mailing list about this before a bit as well), however if the goal is nation-state level censorship circumvention in the context of popular CDN services, I'm not sure this will help too much.

Regards,
Raghu Saxena
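The rotation suggested in the message above (a random public_name published per config id, with the server expecting that outer SNI), sketched as an added example that is not part of the original message, the draft, or any operator's code. It uses the ECHConfigList wire layout from the ECH specification; the function names, the `example.com` zone and the random bytes standing in for an HPKE public key are assumptions.

```python
import secrets
import struct

ECH_VERSION = 0xFE0D  # ECHConfig.version defined by the ECH specification

def build_ech_config(config_id: int, public_name: str, public_key: bytes) -> bytes:
    """Serialize one ECHConfig: X25519, HKDF-SHA256, AES-128-GCM, no extensions."""
    name = public_name.encode("ascii")
    suites = struct.pack("!HH", 0x0001, 0x0001)       # kdf_id, aead_id
    contents = (
        struct.pack("!BH", config_id, 0x0020)         # config_id, kem_id
        + struct.pack("!H", len(public_key)) + public_key
        + struct.pack("!H", len(suites)) + suites
        + struct.pack("!BB", 0, len(name)) + name     # maximum_name_length, public_name
        + struct.pack("!H", 0)                        # empty extensions list
    )
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents

def parse_ech_config_list(blob: bytes) -> dict[int, str]:
    """Return {config_id: public_name}; a truncated entry raises from struct/indexing."""
    (total,) = struct.unpack_from("!H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("ECHConfigList length mismatch")
    out, pos = {}, 2
    while pos < len(blob):
        version, length = struct.unpack_from("!HH", blob, pos)
        body, pos = blob[pos + 4 : pos + 4 + length], pos + 4 + length
        if version != ECH_VERSION:
            continue                                  # unknown versions are skipped
        config_id = body[0]
        (key_len,) = struct.unpack_from("!H", body, 3)
        off = 5 + key_len                             # start of cipher_suites length
        (suites_len,) = struct.unpack_from("!H", body, off)
        off += 2 + suites_len + 1                     # skip suites and maximum_name_length
        out[config_id] = body[off + 1 : off + 1 + body[off]].decode("ascii")
    return out

def rotate(config_id: int) -> tuple[bytes, str]:
    """New ECHConfigList for the HTTPS record, with a random label as public_name."""
    name = f"{secrets.token_hex(8)}.example.com"      # constructed zone
    cfg = build_ech_config(config_id, name, secrets.token_bytes(32))  # placeholder key
    return struct.pack("!H", len(cfg)) + cfg, name

def outer_sni_matches(published: dict[int, str], config_id: int, outer_sni: str) -> bool:
    """Server side: the outer SNI must be the name published for this config_id."""
    return published.get(config_id) == outer_sni.lower().rstrip(".")
```

A passive observer who resolves the same HTTPS record can run the same parser, so rotation only removes the fixed-string fingerprint; it does not hide the ECH extension or the destination IP that the message points to.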