I’m pretty sure your reasoning is wrong. In the ideal world, if *everybody* enabled ESNI - then *maybe* the GFW would relent.
The way things are - is not smart pretending reality is not what it is. Using your terminology - better blend with the crowd, because you aren’t likely to live long enough to see the crowd change to match you. There are a lot of technical details why the whole crowd won’t change regardless of your wishes - e.g., who controls TLS implementations in various devices - but I won’t go there. Regards, Uri > On Aug 9, 2020, at 11:36, David Fifield <da...@bamsoftware.com> wrote: > > On Thu, Jul 30, 2020 at 11:16:50AM -0700, Christian Huitema wrote: >> Thanks for the report. I think this relates to our ambivalence about the >> requirement for ESNI to not "stick out". That requirement is hard to >> meet, and designs have drifted towards an acceptation that it is OK to >> stick out as long as a sufficiently large share of the traffic does it. >> If that share is large, goes the reasoning, it would be too costly for >> censors to just "drop everything that looks like ESNI". Well, given >> actors like the Great Firewall, one wonders. > > There's nothing wrong with that reasoning, in my opinion. To blend in > with a crowd, you can change yourself to match the crowd; or you can > change the crowd to match yourself. My feeling is that ESNI is currently > easy to block (or to put it in terms I like, *inexpensive* to block) > because very few TLS connections use it--nothing valuable depends on it > yet. Whereas if encrypted SNI were somehow deployed suddenly and > massively such that it became a normal feature of TLS connections both > essential and inessential, it would be more difficult (read: expensive) > to block. > > After all, even the GFW is not all-powerful. Surely it would prefer to > abolish TLS altogether, but it's too late for that. At this point, > blocking TLS would cost too much--not in terms of implementing firewall > rules, but in how much essential communication it would damage. Put > another way, the GFW itself, and the people who operate/manage it, would > feel some of the pain of blocking. > > I don't mean to imply that coordinated deployment is the only path to > success, just saying that if SNI encryption were already widespread, > even an obvious tag like 0xffce would not be a useful distinguisher. And > though I find it useful to think of these things in terms of the costs > of overblocking, it's not an infallible guide. A large organization like > the GFW is made up of many conflicting motivations, and it is as prone > as any other to making bad decisions and enacting policies that are > evidently against its own interests. For that reason I believe it's > possible to reduce the risk surrounding the deployment of encrypted SNI, > but not eliminate it completely. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
