On Wed, Feb 20, 2019 at 10:35 AM Dmitry Belyavsky <beld...@gmail.com> wrote:
> On Wed, Feb 20, 2019 at 10:21 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
>> Dmitry Belyavsky <beld...@gmail.com> writes:
>>
>> >Fake SNI is delivered out-of-band for the handshake
>>
>> But then won't the DPI check the out-of-band source as well? If you've got a
>> MITM sitting there then they can do the same lookups and whatnot that the
>> client does, unless you're relying on the client being off-path, which seems a
>> bit of a leap. You'd need to implement it via some sort of subliminal
>> signalling mechanism that the DPI can't detect.
>
> In fact if DPI begins to poll domains whether FakeSNI record is present,
> we have a race between changing the value in FakeSNI and DPI polling.
> And DoH/DoT ensures that DPI has to poll.

Let me clarify. I understand that the solution I propose is not perfect. But there is no silver bullet, and this is just another way to make the life of DPI harder.

-- 
SY, Dmitry Belyavsky
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls