[TLS] Re: ECH Proxy Mode
涛叔 <hi@taoshu.in> Tue, 10 September 2024 15:01 UTC
Return-Path: <hi@taoshu.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 920C3C18DB87 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 08:01:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=taoshu.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3lm9JCV3lFKC for <tls@ietfa.amsl.com>; Tue, 10 Sep 2024 08:01:00 -0700 (PDT)
Received: from mx1.lehu.in (mx1.lehu.in [IPv6:2603:c024:c00c:9e00:1::]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB688C151095 for <tls@ietf.org>; Tue, 10 Sep 2024 08:00:59 -0700 (PDT)
DKIM-Signature: a=rsa-sha256; bh=9CxewtoK820LuyiG7B/mN73+cIw+DLxAbTZ5/H+DvNo=; c=relaxed/relaxed; d=taoshu.in; h=Subject:Subject:Sender:To:To:Cc:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Reply-To:In-Reply-To:In-Reply-To:Message-Id:Message-Id:References:References:Autocrypt:Openpgp; i=@taoshu.in; s=default; t=1725980457; v=1; x=1726412457; b=OGaMWo8fQ2FA8WdarQa75HHqqDx+Phos2smuHkf4zPrPONiLrh1lNymB1tZ/oCr4HGW3EgUG IGuzUid+rA4zhWxCvdG78RXXajGAKWU13we4B6n5IItlHZl4TVpAlkn08LZ4cXUlCabpJkPyPZb jupXMThe1AAsQg+rZNoBi/vnvJjiUtD2ZatYSyPQKN5FDTmVPa7MUYAQiDvV2G+ib/t6+7W/gMh dca+kKsIrtkcacaN1i8pWGnILC1ZcgsCgYHpzMnbPQ/Agqozq51FqOVy2IY7gQ9a3eT0sp8/vBa MBjuthmwE0xAUgKyHz8g3XkSZeNH5rhncWhgnRo18Obqg==
Received: by mx1.lehu.in (envelope-sender <hi@taoshu.in>) with ESMTPS id 7aaf7bc4; Tue, 10 Sep 2024 15:00:57 +0000
From: 涛叔 <hi@taoshu.in>
Message-Id: <7E16914E-3F97-4DB3-8AFD-40898A4DABD0@taoshu.in>
Content-Type: multipart/alternative; boundary="Apple-Mail=_79C5FA20-C5F1-4DE6-8752-2743F8132630"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3818.100.11.1.3\))
Date: Tue, 10 Sep 2024 23:00:41 +0800
In-Reply-To: <ME0P282MB55870395CC2C672C7A607C01A3992@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
To: Raghu Saxena <poiasdpoiasd@live.com>
References: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in> <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <C3A1FBAA-CEB9-49FD-A50F-831D86FDECC7@taoshu.in> <ME0P282MB55870395CC2C672C7A607C01A3992@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3818.100.11.1.3)
Message-ID-Hash: 7PU33U2TPZJFBXGETKIQT4LNUJUL3ZCJ
X-Message-ID-Hash: 7PU33U2TPZJFBXGETKIQT4LNUJUL3ZCJ
X-MailFrom: hi@taoshu.in
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: ECH Proxy Mode
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qHYAzfMIkUPdw8ST12MfeUOhoNc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi, Raghu, > On Sep 10, 2024, at 00:35, Raghu Saxena <poiasdpoiasd@live.com> wrote: > > I'm still not sure what specific benefit this has compare to a TLS HTTPS connect proxy + HTTP CONNECT. > > In both cases, we need to modify the User-Agent behavior a little bit (e.g. tell browser to use HTTPS proxy, vs. configure a "custom" DoH server to do the hijacking), and configure a remote server a bit (setup HTTPS proxy, vs. setup the ECH-based SNI proxy). > > In fact, I'd argue looking at the common HTTP User-Agents today, the support for configuring an HTTPS proxy is already very widely supported, so it would have a better reach immediately. > > I'd like to hear if you have any ECH specific benefits of this proposed proxy design, maybe I'm missing something. It could simplify the configuration. Suppose we need to proxy traffic according to one list. If we use the classical CONNECT methods, we need install some web extension like Proxy Switcher in chrome. Then we need to setup the proxy server's host/port and auth data. Then we need setup the proxy rule list. It's too complicate to use for normal people who are not familiar with computer or network. If we can use the ECH-based proxy, we could transfer all these tasks to the server side. The only task that the end user need to do is to setup a custom DoH URL, which is personalized to this user only with auth data in the URL. The proxy list is maintained on the server side, and the server works as both DoH and ECH-based SNI proxy. Once the DoH has been set, the browser will query A/AAAA/ECH records for one domain. The server will response "fake" records according to the proxy list. The public_name of the fake ECHConfig will be used to associate to the target domain and for auth. But the current draft requires the backed server to be ECH-aware, which makes it impossible to implement something like ECH-based SNI proxy. All in all, the ECH-based SNI proxy is not the biggest problem. The biggest problem, in my opinion, is that the backed need to be upgraded to deploy ECH. With the help like Cloudflare, we could deploy HTTPS/HTTP2/HTTP3 without change the backend server. As a result, the deployment rate has been very quick. Big thanks to Chris, I have read through the discussion on https://github.com/tlswg/draft-ietf-tls-esni/issues/274 The reason for the change of backend server is to respond the accept confirmation to simplify the client side implementation without stick out the ECH traffic. The cost of simplifying is to upgrade the server. It is impossible to deploy ECH without changing the client side, and the whole design of ECH is very complicated. If we want to deploy ECH, why we prefer a more simplified client with a must be modified server side? As the ECH its self is already, would it be more easy to deploy ECH if we choose the more complicated client solution without changing backend server? I don't know. Just FYI~ Regards.
- [TLS] Re: ECH Proxy Mode Raghu Saxena
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode Christopher Patton
- [TLS] Re: ECH Proxy Mode Raghu Saxena
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode Raghu Saxena
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode A A
- [TLS] Re: ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode A A
- [TLS] Re: ECH Proxy Mode Naomi Kirby
- [TLS] ECH Proxy Mode 涛叔
- [TLS] Re: ECH Proxy Mode A A