IETF Logo Mail Archive

Re: [TLS] Possible blocking of Encrypted SNI extension in China

Christian Huitema <huitema@huitema.net> Tue, 11 August 2020 07:08 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 945EA3A0D56 for <tls@ietfa.amsl.com>; Tue, 11 Aug 2020 00:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.847
X-Spam-Level:
X-Spam-Status: No, score=-2.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.949, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cXU1xVhpk_Yo for <tls@ietfa.amsl.com>; Tue, 11 Aug 2020 00:08:21 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E60D3A0D2B for <tls@ietf.org>; Tue, 11 Aug 2020 00:08:21 -0700 (PDT)
Received: from xse483.mail2web.com ([66.113.197.229] helo=xse.mail2web.com) by mx165.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1k5OOI-000DQO-Fb for tls@ietf.org; Tue, 11 Aug 2020 09:08:18 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4BQkST1KwVz2Gkk for <tls@ietf.org>; Tue, 11 Aug 2020 00:08:09 -0700 (PDT)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1k5OOH-0007hJ-22 for tls@ietf.org; Tue, 11 Aug 2020 00:08:09 -0700
Received: (qmail 21686 invoked from network); 11 Aug 2020 07:08:08 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.61]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 11 Aug 2020 07:08:08 -0000
From: Christian Huitema <huitema@huitema.net>
To: Rob Sayre <sayrer@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "TLS@ietf.org" <tls@ietf.org>
References: <uGJxvVQRPcgn2GZKsKuuVN4SyTe7EOiV3iEK3Cq3Izo0ZstAh1LxEzMKrDZ_0VTrLqeYXQb4k1Qy5uJmEy04zNgngoHBONhVZnvddYYybt8=@iyouport.org> <71e4d18d-9ad8-fd72-729c-db5a0cf7593b@huitema.net> <20200809153526.vf5zlongieoswb22@bamsoftware.com> <1597030308337.61220@cs.auckland.ac.nz> <67d52e25-71ed-4584-b2c3-6a71a6bdd346@www.fastmail.com> <1597119980162.55300@cs.auckland.ac.nz> <b32110f8-c9ba-e8db-f136-7cc60eba54e4@huitema.net> <1597123970590.77611@cs.auckland.ac.nz> <CAChr6SzzuyB7sxXJQ4gNJwa3iaQcC5jGPE3-sgfY_EkB7DoykA@mail.gmail.com> <1597125488037.97447@cs.auckland.ac.nz> <CAChr6SxLAJyweEDHL48-hT3X=d5E6jNrWZheOt+fSydpS=HhQw@mail.gmail.com> <c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <44efe45d-fb2f-8db6-f127-97de460b6453@huitema.net>
Date: Tue, 11 Aug 2020 00:08:11 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <c7e033d9-aa39-1293-2233-4ebb8d1502dc@huitema.net>
Content-Type: multipart/alternative; boundary="------------894FB187DD56C534643A4C5D"
Content-Language: en-US
X-Originating-IP: 66.113.197.229
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0X2OOYwfFINEXkW0Te3GMuqpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDoOWO0i/H75teRGzF9TgV+efH zJ6mVE7ewsipSVIfs4baSnRMt7SjbbKqqXqZ1JpsgyWFxOA5dILPypvKxNVhWQwOVcNrdpWfEYrY fLBY3+cAdwcW/8Ox85Le8wqlbs5XUz0sPgnpAk2KA2vJwMd1uY6jSvfpO+1kZkomjtjB6X5Q5Q9f RUeIpTIC2ySfqvnqLwoxlgatmaBb0rBiK9xbkDrUqzcKIief90MVLZY9LbIZh9+IQ1oS9LBn3VIP 95Jz7ujRlJ9wSMlhvaudJXZ9EIBG/qaR+8r9SKFMmPJLf850OvZYsmoVQuOIhwKLK6IKBNB4LZ0v UHHKTzJX7b1JhLSQQ4vSj0QEim26t/Moy0UPX5E73H1QfrH/5kkrV/Cr0bm2vWdo8usP65i82q1C dZgGrpL44wdx9eXqjQjbvUopOMQJvQ/Ck3iiU+4DQAj3fuQgzT3K9JUHTNiGwfwAm65NdfLN8K9b ke08A4pcSPusgSYeYCQMSlpJmALhsMXc0us82HvGigcocyIjf+eZrerIIltEJAcLrdm5Lzw2Bzd8 g2fGU86cSswil+kDetUfttbLHdNhiUq2jBEvMVLlZ4GThCScvU0cCIiHSQbmcVLaS2AdKj0exU9z zU42qPClBLboNblxAkv88QN/My/4aatHwqxHcc0jM6JSkZmwDpemS/RIRA171L+41EWLpmw3XPWl FdaGOH191uXjgjQN/RTaYTLUj/RFhcnr3QktcdgisJSggBRl1V/o4yPFV0GZ1vEjHyvS2QZiR+AZ YvfxEvZFKu+ZM2mB1CpThxyaBpbeNHk15VolAGHS5rCXQKDyCQUljhSWDhWh87HBSLhNUo4qiB0X MVQG2R7iUfOzATaF5R3hQJk8CwyURYKQ0Ye0iR3bHfnMCIEU+nrglojKwJanfcoq9IsR6l/OZb9V MEM=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xAcE91au79ebDiZ86Z1GvpEsq2E>
Subject: Re: [TLS] Possible blocking of Encrypted SNI extension in China
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 07:08:24 -0000

On 8/10/2020 11:49 PM, Christian Huitema wrote:

> On 8/10/2020 11:14 PM, Rob Sayre wrote:
>> On Mon, Aug 10, 2020 at 10:58 PM Peter Gutmann
>> <pgut001@cs.auckland.ac.nz <mailto:pgut001@cs.auckland.ac.nz>> wrote:
>>
>>     Rob Sayre <sayrer@gmail.com <mailto:sayrer@gmail.com>> writes:
>>
>>     >Do you think this fingerprinting will work with the newer ECH
>>     design, if the
>>     >client can add arbitrary content to the encrypted payload?
>>
>>     ECH doesn't have any effect on web site fingerprinting so unless I've
>>     misunderstood your question the answer would be "N/A".
>>
>>
>> Assuming the definition here:
>> https://tools.ietf.org/html/draft-wood-pearg-website-fingerprinting-00
>>
>> it does seem like ECH would make this more difficult, at least for
>> pages in a large anonymity set. (agree that it won't matter much for
>> Twitter, Google, et al)
>
>
> Defeating fingerprinting is really hard. It has been tried in the
> past, as in "make me look like Skype" or "make me look like
> wikipedia". The idea is to build a target model, then inject enough
> noise and padding in your traffic to match the target model. But that
> way easier to say than to do!
>

There is also the question of what the anonymity set is. I just did a
little experiment of resolving 25000 domain names and looking at how
many resolved to the same IP address
(https://huitema.wordpress.com/2020/08/09/can-internet-services-hide-in-crowds/).
And then I redid the stats with 50000 domain names. Did not find a lot
of crowds. 75% of domain names in my sample resolve to their very own
address, not shared with anybody. Only 8% resolved by addresses shared
by 10 sites or more, and 1.3% resolved to addresses shared by 100 sites
or more.  Of course, 1% of the Internet is already something big. But
still, not quite the whole world...

-- Christian Huitema

v2.20.0 | Report a Bug | By Email