[TLS] Re: Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting

Yaroslav Rosomakho <yrosomakho@zscaler.com> Wed, 26 February 2025 11:37 UTC

References: <CAOjisRzBNG2KdAZXssnR9Ura9HuAUKxOH+VLCAE5B9MfYyeT2A@mail.gmail.com> <ME0P282MB558709F984758D4FE1F3C794A3C22@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
In-Reply-To: <ME0P282MB558709F984758D4FE1F3C794A3C22@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM>
From: Yaroslav Rosomakho <yrosomakho@zscaler.com>
Date: Wed, 26 Feb 2025 11:37:45 +0000
Message-ID: <CAMtubr2hLEEtvrcoVf0t677=D4ZsfTwXtY3dBksA_cHYABSXbw@mail.gmail.com>
To: Raghu Saxena <poiasdpoiasd@live.com>
CC: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sFp8P7nNoYUo5ARmR5wkooqSOTU>

Hi Raghu,

On Wed, Feb 26, 2025 at 10:41 AM Raghu Saxena <poiasdpoiasd@live.com> wrote:

>
> I think in the context of the censor discussion you linked,
> realistically they can just block ECH (including GREASed ECH), since
> there isn't really mass saturation of ECH (GREASed or not) across most
> TLS clients, so they won't face much blowback, especially since it
> appears they've straight up said ECH is banned technology.
>

I don't think this is correct, as Chrome, Edge and Firefox have included GREASEd
ECH in all ClientHellos since late 2023. Blocking merely based on the
presence of the ECH extension in the ClientHello would now essentially block the
majority of web browsing.

Best Regards,
Yaroslav

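As an added illustration of the point made in this reply (example code, not from the thread or from any browser's implementation): a ClientHello carrying a GREASE ECH extension, built and then parsed the way an on-path presence filter would have to parse it. The GREASE body follows the ECHClientHello layout from draft-ietf-tls-esni; the minimal ClientHello builder, the 144-byte payload size and the single cipher suite are assumptions made for the example.

```python
import os
import struct

ECH_EXT_TYPE = 0xFE0D  # encrypted_client_hello extension code point (draft-ietf-tls-esni)

def grease_ech_extension() -> bytes:
    """ECHClientHello shaped like a real outer ECH, with random config_id/enc/payload (GREASE)."""
    enc, payload = os.urandom(32), os.urandom(144)   # X25519-sized enc, plausible ciphertext size
    return (b"\x00"                                  # ECHClientHelloType: outer
            + struct.pack("!HH", 0x0001, 0x0001)     # HKDF-SHA256, AES-128-GCM
            + bytes([os.urandom(1)[0]])              # config_id, random for GREASE
            + struct.pack("!H", len(enc)) + enc
            + struct.pack("!H", len(payload)) + payload)

def build_client_hello(extensions: list[tuple[int, bytes]]) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello handshake message (one cipher suite)."""
    ext_body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    body = (b"\x03\x03" + os.urandom(32)             # legacy_version, random
            + b"\x20" + os.urandom(32)               # legacy_session_id (32 bytes)
            + b"\x00\x02\x13\x01"                    # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # legacy_compression_methods: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello

def parse_extensions(client_hello: bytes) -> dict[int, bytes]:
    """Walk the ClientHello and return {extension_type: extension_data}."""
    if client_hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                           # header, legacy_version, random
    p += 1 + client_hello[p]                                 # legacy_session_id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher_suites
    p += 1 + client_hello[p]                                 # legacy_compression_methods
    end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p, exts = p + 2, {}
    while p < end:
        t, n = struct.unpack("!HH", client_hello[p:p + 4])
        exts[t] = client_hello[p + 4:p + 4 + n]
        p += 4 + n
    return exts

def describe_ech(client_hello: bytes):
    """What a presence filter sees: None without ECH, else fields that never reveal GREASE."""
    ext = parse_extensions(client_hello).get(ECH_EXT_TYPE)
    if ext is None:
        return None
    kind, kdf, aead, cid, enc_len = struct.unpack("!BHHBH", ext[:8])
    payload_len = struct.unpack("!H", ext[8 + enc_len:10 + enc_len])[0]
    return {"type": "outer" if kind == 0 else "inner", "kdf_id": kdf, "aead_id": aead,
            "config_id": cid, "enc_len": enc_len, "payload_len": payload_len}
```

Every field a filter can read from the GREASE extension is also what a genuine ECH-enabled ClientHello carries, so a rule keyed on extension 0xfe0d matches both alike.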