Re: [TLS] Possible blocking of Encrypted SNI extension in China

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 10 August 2020 03:31 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 10 Aug 2020 03:31:45 +0000
Message-ID: <1597030308337.61220@cs.auckland.ac.nz>
References: <uGJxvVQRPcgn2GZKsKuuVN4SyTe7EOiV3iEK3Cq3Izo0ZstAh1LxEzMKrDZ_0VTrLqeYXQb4k1Qy5uJmEy04zNgngoHBONhVZnvddYYybt8=@iyouport.org> <71e4d18d-9ad8-fd72-729c-db5a0cf7593b@huitema.net>, <20200809153526.vf5zlongieoswb22@bamsoftware.com>
In-Reply-To: <20200809153526.vf5zlongieoswb22@bamsoftware.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n9laaLCo1-UuZbofsR06hQzYUFQ>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>

From the writeups I've seen, what they're blocking is TLS 1.3, not ESNI.
Since ESNI can be de-anonymised with a high degree of success (see various
conference papers on this) and in any case doesn't matter for the most
frequently-blocked sites like Facebook, Instagram, Twitter, etc, it may not
even be on the GFW's radar.  My guess is that the GFW doesn't have a fast-path
mechanism for TLS 1.3 so as 1.3 use grows it's being overwhelmed, therefore
they're blocking it until they can upgrade their hardware.  The fact that ESNI
is also affected is just a coincidence of the blocking of 1.3.

Peter.
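The distinction Peter draws, blocking on the TLS 1.3 handshake versus blocking on the ESNI extension, comes down to which fields of the ClientHello a middlebox keys on. The following parser is an added example, not code from the thread or from any GFW analysis: it walks a TLS record to the ClientHello extension block and reports whether the client offers TLS 1.3 in supported_versions (0x002b), what the cleartext SNI (0x0000) is, and whether the draft ESNI extension is present. The ESNI code point 0xffce is the draft-ietf-tls-esni value and is an assumption here; the three ClientHellos are constructed in the block (the ESNI payload is a dummy byte string, not a real encrypted SNI).

```python
import struct

# Extension code points. 0xffce is the draft-ietf-tls-esni ESNI type (assumed here).
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE
TLS13 = 0x0304


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; return what a filter can see in clear."""
    # Record header: ContentType(1) ProtocolVersion(2) Length(2)
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: HandshakeType(1) Length(3); 0x01 == client_hello
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    legacy_version = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2 + 32                       # legacy_version, then 32-byte random
    off += 1 + hello[off]               # legacy_session_id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]  # cipher_suites
    off += 1 + hello[off]               # legacy_compression_methods
    info = {"legacy_version": legacy_version, "supported_versions": [],
            "sni": None, "esni": False, "extensions": []}
    if off == len(hello):
        return info                     # no extensions block at all (pre-1.2 style)
    ext_total = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2
    end = off + ext_total
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    while off < end:
        ext_type, ext_len = struct.unpack("!HH", hello[off:off + 4])
        off += 4
        data = hello[off:off + ext_len]
        off += ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        info["extensions"].append(ext_type)
        if ext_type == EXT_SUPPORTED_VERSIONS:
            n = data[0]                 # length in bytes of the version list
            info["supported_versions"] = [
                struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
        elif ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p < 2 + list_len:     # ServerName: name_type(1) length(2) name
                name_type = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:      # host_name
                    info["sni"] = data[p:p + nlen].decode("ascii")
                p += nlen
        elif ext_type == EXT_ENCRYPTED_SERVER_NAME:
            info["esni"] = True         # payload is ciphertext; presence is all a filter sees
    return info


def classify(info: dict) -> dict:
    """The two signals Peter's message distinguishes: 'offers TLS 1.3' vs 'carries ESNI'."""
    return {"offers_tls13": TLS13 in info["supported_versions"], "has_esni": info["esni"]}


# --- constructed sample ClientHellos (not captured traffic) ---
def sni_ext(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def supported_versions_ext(versions) -> bytes:
    body = b"".join(struct.pack("!H", v) for v in versions)
    return bytes([len(body)]) + body


def build_client_hello(extensions) -> bytes:
    """Minimal ClientHello in a TLS record; fixed random/session id for reproducibility."""
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"   # AES128-GCM, AES256-GCM, ECDHE-RSA-AES128-GCM
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", len(cipher_suites)) + cipher_suites + b"\x01\x00"
             + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


CH_TLS12_SNI = build_client_hello([(EXT_SERVER_NAME, sni_ext("example.com"))])
CH_TLS13_SNI = build_client_hello([(EXT_SERVER_NAME, sni_ext("example.com")),
                                   (EXT_SUPPORTED_VERSIONS, supported_versions_ext([TLS13, 0x0303]))])
CH_TLS13_ESNI = build_client_hello([(EXT_SUPPORTED_VERSIONS, supported_versions_ext([TLS13])),
                                    (EXT_ENCRYPTED_SERVER_NAME, b"\x00" * 16)])  # dummy payload

if __name__ == "__main__":
    for label, ch in (("1.2+SNI", CH_TLS12_SNI), ("1.3+SNI", CH_TLS13_SNI), ("1.3+ESNI", CH_TLS13_ESNI)):
        print(label, classify(parse_client_hello(ch)))
```

Note that all three ClientHellos carry legacy_version 0x0303, so a filter that only reads the record or handshake version field cannot tell TLS 1.2 from TLS 1.3; it has to parse supported_versions. A rule that drops every ClientHello offering 0x0304 therefore sweeps up ESNI as a side effect, which is the coincidence Peter describes, whereas a rule keyed on 0xffce would hit only the third sample.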