Re: [TLS] Possible blocking of Encrypted SNI extension in China

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 11 August 2020 07:14 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB543A0D89 for <tls@ietfa.amsl.com>; Tue, 11 Aug 2020 00:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wqw-9_v1ik9m for <tls@ietfa.amsl.com>; Tue, 11 Aug 2020 00:14:54 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [180.189.28.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F1043A0D88 for <tls@ietf.org>; Tue, 11 Aug 2020 00:14:53 -0700 (PDT)
Received: from AUS01-SY3-obe.outbound.protection.outlook.com (mail-sy3aus01lp2051.outbound.protection.outlook.com [104.47.117.51]) (Using TLS) by relay.mimecast.com with ESMTP id au-mta-75-JsaH3SFFMm2Eg7NYgUyEfQ-1; Tue, 11 Aug 2020 17:14:50 +1000
X-MC-Unique: JsaH3SFFMm2Eg7NYgUyEfQ-1
Received: from SG2PR0302CA0015.apcprd03.prod.outlook.com (2603:1096:3:2::25) by MEXPR01MB1030.ausprd01.prod.outlook.com (2603:10c6:200:4::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.19; Tue, 11 Aug 2020 07:14:46 +0000
Received: from HK2APC01FT054.eop-APC01.prod.protection.outlook.com (2603:1096:3:2:cafe::36) by SG2PR0302CA0015.outlook.office365.com (2603:1096:3:2::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3283.5 via Frontend Transport; Tue, 11 Aug 2020 07:14:45 +0000
X-MS-Exchange-Authentication-Results: spf=none (sender IP is 130.216.95.208) smtp.mailfrom=cs.auckland.ac.nz; heapingbits.net; dkim=none (message not signed) header.d=none;heapingbits.net; dmarc=none action=none header.from=cs.auckland.ac.nz;
Received: from uxcn13-ogg-b.UoA.auckland.ac.nz (130.216.95.208) by HK2APC01FT054.mail.protection.outlook.com (10.152.249.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.3261.16 via Frontend Transport; Tue, 11 Aug 2020 07:14:43 +0000
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) by uxcn13-ogg-b.UoA.auckland.ac.nz (10.6.2.3) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 11 Aug 2020 19:14:41 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::99ff:fdcc:ecb:10c7]) by uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::99ff:fdcc:ecb:10c7%14]) with mapi id 15.00.1497.006; Tue, 11 Aug 2020 19:14:41 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Christian Huitema <huitema@huitema.net>, Rob Sayre <sayrer@gmail.com>
CC: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Possible blocking of Encrypted SNI extension in China
Thread-Index: AQHWZo5K+iu3hjU4UEa0XHCZQtwYy6kfpOkAgA+KOACAAZBRDP//9AqAgAGtqQz//z7aAIAA1Exf//85pgAAGbGd0///O3IAgAAJ4ICAAM/+FA==
Date: Tue, 11 Aug 2020 07:14:41 +0000
Message-ID: <1597130085200.4129@cs.auckland.ac.nz>
References: <uGJxvVQRPcgn2GZKsKuuVN4SyTe7EOiV3iEK3Cq3Izo0ZstAh1LxEzMKrDZ_0VTrLqeYXQb4k1Qy5uJmEy04zNgngoHBONhVZnvddYYybt8=@iyouport.org> <71e4d18d-9ad8-fd72-729c-db5a0cf7593b@huitema.net> <20200809153526.vf5zlongieoswb22@bamsoftware.com> <1597030308337.61220@cs.auckland.ac.nz> <67d52e25-71ed-4584-b2c3-6a71a6bdd346@www.fastmail.com> <1597119980162.55300@cs.auckland.ac.nz> <b32110f8-c9ba-e8db-f136-7cc60eba54e4@huitema.net> <1597123970590.77611@cs.auckland.ac.nz> <CAChr6SzzuyB7sxXJQ4gNJwa3iaQcC5jGPE3-sgfY_EkB7DoykA@mail.gmail.com> <1597125488037.97447@cs.auckland.ac.nz> <CAChr6SxLAJyweEDHL48-hT3X=d5E6jNrWZheOt+fSydpS=HhQw@mail.gmail.com>, <c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net>
In-Reply-To: <c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0e15b174-ffe7-439e-fca0-08d83dc638d7
X-MS-TrafficTypeDiagnostic: MEXPR01MB1030:
X-Microsoft-Antispam-PRVS: <MEXPR01MB10307E0CBED179D71FB6A596EE450@MEXPR01MB1030.ausprd01.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7219;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: PDrVNmA2CYKt18oikFGArIpCIM2nAxZzVopDKaXZMpYYd5/AocSDGMLzMjB/qJ0Eq7qIpw0EdM62UUC2UOnuhq6B1si01qBsjawDk0+czZ9GZDve3PUbcr9bpaaNi4pbJC4StiZQgSH4BsOP4fLaykv/G+SzN9zvSDrwtC0rASuqFzzTH/qw+hIBUHb17oXCqkbgP7N4T357qdyNI2axmvA43QFUEsjpVM7eGUwCiIXnnUwc79LJNFztSnUcgTVEL5D58lXeB2VqEII1bus0/OUWv9ul0eJHPtwQsbib2LIH7VjgpW0fhCKLnWKWlogkbTYKA93uW4FiD8kltUfMLjwnI6gmbBy8hVoseHisaCABg4OfceeB2I3hDhZSlANIgI7CS197lffp/7g9eR+U2P2YFg7vgz20L9L8lpPPIUOcAh04ZROPecX3EFKVb+3IZIsSG4SaOQi2N/LGXWK5ow==
X-Forefront-Antispam-Report: CIP:130.216.95.208; CTRY:NZ; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:uxcn13-ogg-b.UoA.auckland.ac.nz; PTR:natgate1-1.auckland.ac.nz; CAT:NONE; SFTY:; SFS:(4636009)(136003)(346002)(39860400002)(376002)(396003)(46966005)(186003)(26005)(2616005)(4744005)(82310400002)(4326008)(478600001)(356005)(5660300002)(7636003)(966005)(786003)(110136005)(8676002)(70586007)(70206006)(36906005)(82740400003)(316002)(86362001)(336012)(8936002)(47076004)(2906002)(54906003); DIR:OUT; SFP:1101;
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Aug 2020 07:14:43.6114 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0e15b174-ffe7-439e-fca0-08d83dc638d7
X-MS-Exchange-CrossTenant-Id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=d1b36e95-0d50-42e9-958f-b63fa906beaa; Ip=[130.216.95.208]; Helo=[uxcn13-ogg-b.UoA.auckland.ac.nz]
X-MS-Exchange-CrossTenant-AuthSource: HK2APC01FT054.eop-APC01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEXPR01MB1030
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CAU17A13 smtp.mailfrom=pgut001@cs.auckland.ac.nz
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pgKilDiO3JxkRv2Dn7WrUioPtmE>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 07:14:57 -0000

Christian Huitema <huitema@huitema.net> writes:
 
>Defeating fingerprinting is really hard. It has been tried in the past, as in
>"make me look like Skype" or "make me look like wikipedia". The idea is to
>build a target model, then inject enough noise and padding in your traffic to
>match the target model. But that way easier to say than to do!

As Yuri Totrov, a.k.a the shadow director of personnel at the CIA, showed:

https://mindmatters.ai/2018/11/how-the-kgb-found-cia-agents/

the only way to hide A as B is if you become B.  Which means you can't be A
any more.  There was a paper that looked a traffic morphing published a year
or two ago that came to the same conclusion, to look like you're Skype or a
SIP VoIP call you need to actually be Skype or a SIP VoIP call.

Peter.