Re: [TLS] ECH not protect SNI
Rob Sayre <sayrer@gmail.com> Wed, 24 August 2022 00:49 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u-dpPB1we0zK1nhxDP6CaSjgsSw>

On Tue, Aug 23, 2022 at 5:45 PM 涛叔 <hi@taoshu.in> wrote:

> Some countries and organizations will block websites by SNI. If they want,
> they could block all sites protected by
> the common outer SNI domain. All the websites not after some intermediary
> will be blocked more easily, because
> they could not deploy ECH.
>
> This is why I think the current design is not well enough.

Hi,

I agree that's basically the standoff here, but it's inherent to the design of the protocol.

thanks,
Rob