Re: [TLS] Possible blocking of Encrypted SNI extension in China
David Fifield <david@bamsoftware.com> Tue, 11 August 2020 21:31 UTC
Date: Tue, 11 Aug 2020 15:31:26 -0600
From: David Fifield <david@bamsoftware.com>
To: tls@ietf.org
Message-ID: <20200811213126.q57jondj2pdwoxjr@bamsoftware.com>
Mail-Followup-To: tls@ietf.org
References: <1597030308337.61220@cs.auckland.ac.nz> <67d52e25-71ed-4584-b2c3-6a71a6bdd346@www.fastmail.com> <1597119980162.55300@cs.auckland.ac.nz> <b32110f8-c9ba-e8db-f136-7cc60eba54e4@huitema.net> <1597123970590.77611@cs.auckland.ac.nz> <CAChr6SzzuyB7sxXJQ4gNJwa3iaQcC5jGPE3-sgfY_EkB7DoykA@mail.gmail.com> <1597125488037.97447@cs.auckland.ac.nz> <CAChr6SxLAJyweEDHL48-hT3X=d5E6jNrWZheOt+fSydpS=HhQw@mail.gmail.com> <c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net> <44efe45d-fb2f-8db6-f127-97de460b6453@huitema.net>
In-Reply-To: <44efe45d-fb2f-8db6-f127-97de460b6453@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i5dk5w6a4CtmfhjBdS9sdhEIj8Q>
On Tue, Aug 11, 2020 at 12:08:11AM -0700, Christian Huitema wrote:
> There is also the question of what the anonymity set is. I just did a little
> experiment of resolving 25000 domain names and looking at how many resolved to
> the same IP address
> (https://huitema.wordpress.com/2020/08/09/can-internet-services-hide-in-crowds/).
> And then I redid the stats with 50000 domain names. Did not find a lot of
> crowds. 75% of domain names in my sample resolve to their very own address,
> not shared with anybody. Only 8% resolved by addresses shared by 10 sites or
> more, and 1.3% resolved to addresses shared by 100 sites or more. Of course,
> 1% of the Internet is already something big. But still, not quite the whole
> world...

Here is a related experiment done last year.

"On the Importance of Encrypted-SNI (ESNI) to Censorship Circumvention"
https://censorbib.nymity.ch/#Chai2019a
https://www.usenix.org/conference/foci19/presentation/chai
My capsule summary: https://github.com/net4people/bbs/issues/10

The authors tested an Alexa top 1 million list for blocking from China, under three different modalities: DNS poisoning, SNI filtering, and IP address blocking. (The GFW blocked different web sites in different ways; ESNI is effective against DNS poisoning and SNI filtering but not IP address blocking.) Of 24,210 domains blocked by either DNS poisoning or SNI filtering, 16,928 (70%) were additionally blocked by IP address, so ESNI would not help to unblock them if they remained at their current hosting. The other 30% of domains would have been unblocked by ESNI. This analysis, of course, assumes a static situation; if ESNI were deployed and found to be effective, then blocked sites might choose to move to shared co-hosting, or the GFW might increase the scope of its IP address blocking to include addresses with small anonymity sets.

I'll add that it's not just the size of the anonymity set that matters. The domains that make up the anonymity set, and the cost of blocking them, matter as well. An anonymity set of 100,000 could still be blockable if none of the 100,000 is disruptive or costly to block. (Measure cost however you like: effect on the local economy, for example.) An anonymity set of size 10 might be hard to block, if just one of those 10 is one that the would-be blocker greatly cares to preserve.
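The three calculations discussed in the message above (the crowd statistics from Huitema's resolution experiment, the DNS/SNI/IP overlap from Chai et al., and the cost-weighted view of an anonymity set at the end) as one added Python example. This is not code from the thread, from either paper, or from any measurement project; every input is constructed: the toy resolution table, the blocking observations per domain, and the arbitrary cost values. The additive cost model in `blocking_cost` (cost of blocking an address = sum of the costs of all domains co-hosted there) is an assumption chosen to illustrate the point, not something the post specifies.

```python
"""Anonymity sets, blocking modalities and blocking cost for ESNI.

Worked example added to the thread; all data below is constructed.
"""
from collections import defaultdict

# Constructed sample: domain -> the single address it resolves to.
RESOLVED = {
    "news.example": "203.0.113.10",   # each of these is alone on its address
    "blog.example": "203.0.113.11",
    "forum.example": "203.0.113.12",
    "shop.example": "198.51.100.5",   # two sites share this address
    "bank.example": "198.51.100.5",
}
# Ten sites behind one constructed shared front-end address.
RESOLVED.update({f"c{i}.example": "192.0.2.1" for i in range(1, 11)})

# Constructed sample: domain -> blocking modalities observed for it.
BLOCKED = {
    "news.example": {"dns", "ip"},
    "blog.example": {"sni"},
    "forum.example": {"dns", "sni", "ip"},
    "shop.example": {"dns"},
    "c1.example": {"sni"},
    "c2.example": {"ip"},
}

# Constructed, arbitrary "cost to the censor of blocking this domain" values.
COST = {"bank.example": 50.0, "shop.example": 2.0, "news.example": 3.0}
COST.update({f"c{i}.example": 0.5 for i in range(1, 11)})


def crowds(resolved):
    """Group domains by resolved address: {address: set of domains}."""
    by_ip = defaultdict(set)
    for domain, ip in resolved.items():
        by_ip[ip].add(domain)
    return by_ip


def anonymity_set_sizes(resolved):
    """Size of each domain's anonymity set: the number of domains (itself
    included) that an IP-address block on its address would also take down."""
    by_ip = crowds(resolved)
    return {domain: len(by_ip[ip]) for domain, ip in resolved.items()}


def crowd_stats(resolved, thresholds=(10, 100)):
    """Fraction of domains alone on their address, and fraction whose anonymity
    set reaches each threshold (the shape of the 75% / 8% / 1.3% breakdown)."""
    sizes = list(anonymity_set_sizes(resolved).values())
    n = len(sizes)
    stats = {"alone": sum(1 for s in sizes if s == 1) / n}
    for t in thresholds:
        stats[f">={t}"] = sum(1 for s in sizes if s >= t) / n
    return stats


def esni_effect(blocked):
    """Split domains blocked by DNS poisoning or SNI filtering into those that
    are also IP-blocked (ESNI alone does not unblock them) and the rest."""
    affected = {d for d, modes in blocked.items() if modes & {"dns", "sni"}}
    still_blocked = {d for d in affected if "ip" in blocked[d]}
    return affected, still_blocked, affected - still_blocked


def blocking_cost(resolved, cost):
    """Cost of blocking each domain's address under an additive model (an
    assumption): the sum of the costs of every domain co-hosted there."""
    by_ip = crowds(resolved)
    return {d: sum(cost.get(x, 0.0) for x in by_ip[ip])
            for d, ip in resolved.items()}


if __name__ == "__main__":
    print("crowd stats:", crowd_stats(RESOLVED))
    affected, still, helped = esni_effect(BLOCKED)
    print(f"{len(still)}/{len(affected)} DNS/SNI-blocked domains are also "
          f"IP-blocked; ESNI alone would unblock {sorted(helped)}")
    costs = blocking_cost(RESOLVED, COST)
    sizes = anonymity_set_sizes(RESOLVED)
    for d in ("shop.example", "c1.example"):
        print(f"{d}: anonymity set {sizes[d]}, blocking cost {costs[d]}")
```

On the constructed data, `shop.example` sits in an anonymity set of only 2 but its address carries a blocking cost of 52 because of its co-tenant, while `c1.example` sits in a set of 10 whose total cost is 5: the size of the crowd and the cost of blocking it are different quantities, which is the point the message closes on.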