On Thu, May 29, 2025, at 12:00, David Schinazi wrote:
> Not a total loss of privacy. Just the ability to detect which
> implementation initiated this connection. That's what I
> understood MT's goal to be.

I don't think that we can win on the real vs. fake ECH front.  Not here.  
Especially not if we think that there is anything worth protecting in transport 
parameters (same applies to ClientHello extensions generally).

The goal I was angling toward is having the public envelope look similar 
between implementations when real ECH is in use.  That seems achievable based 
on the above analysis.

As you say, the privacy loss should be relatively fixed, unless we start to 
really rely on ECH and put stuff in there that is genuinely in need of 
protection.  Otherwise, I don't think that preventing the identification of a 
specific implementation is the goal, though we might get closer to a state 
where it takes more than casual inspection to spot differences, which might be 
worthwhile.
