Re: [TLS] Possible blocking of Encrypted SNI extension in China

Christopher Wood <caw@heapingbits.net> Mon, 10 August 2020 14:45 UTC

Message-Id: <67d52e25-71ed-4584-b2c3-6a71a6bdd346@www.fastmail.com>
In-Reply-To: <1597030308337.61220@cs.auckland.ac.nz>
References: <uGJxvVQRPcgn2GZKsKuuVN4SyTe7EOiV3iEK3Cq3Izo0ZstAh1LxEzMKrDZ_0VTrLqeYXQb4k1Qy5uJmEy04zNgngoHBONhVZnvddYYybt8=@iyouport.org> <71e4d18d-9ad8-fd72-729c-db5a0cf7593b@huitema.net> <20200809153526.vf5zlongieoswb22@bamsoftware.com> <1597030308337.61220@cs.auckland.ac.nz>
Date: Mon, 10 Aug 2020 07:45:25 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n1o-piRFPIr_LIlIaGlyfC00Cys>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China

On Sun, Aug 9, 2020, at 8:31 PM, Peter Gutmann wrote:
> From the writeups I've seen, what they're blocking is TLS 1.3, not ESNI.
> Since ESNI can be de-anonymised with a high degree of success (see various
> conference papers on this) 

For the benefit of the list, would you mind sharing these references?

Thanks,
Chris

> and in any case doesn't matter for the most
> frequently-blocked sites like Facebook, Instagram, Twitter, etc, it may not
> even be on the GFW's radar.  My guess is that the GFW doesn't have a fast-path
> mechanism for TLS 1.3 so as 1.3 use grows it's being overwhelmed, therefore
> they're blocking it until they can upgrade their hardware.  The fact that ESNI
> is also affected is just a coincidence of the blocking of 1.3.
> 
> Peter.