Anatoli <m...@anatoli.ws> wrote:

> > looking at the number of bytes moved in the sessions is sufficient to
> > determine which firmwares were selected and downloaded.
>
> Theo, I may be completely wrong here (please excuse my ignorance if it
> is the case), but I see it this way:
>
> On a shared server (or one fronted by a CDN) on the same pool of IPs
> there are lots of domains hosted (at cdn.openbsd.org right now there are
> 140 domains of which 63 are wildcards and they are shuffled all the
> time), they could have infinite amount of files.
>
> With ESNI there's no way to know which domain we are requesting, so we
> could be downloading/requesting anything (files and dynamic content,
> RTC, streaming) from hundreds of unrelated domains.
>
> On top of this, if we use HTTP/2 multiplexing and request all the
> firmware binaries over the same connection, the exact size wouldn't be
> known either. You can add additional obfuscations if needed, like
> randomly mix-querying small files over the same multiplexed connection.
>
> I know tls1.3 is not there yet in LibreSSL and ESNI is at draft-04 at
> this moment, but I'm not talking about an immediate fully-DPI-resistant
> deployment. All CloudFlare hosted domains are with ESNI already for a
> year [1] and ff has it in nightly. OpenSSL, Fastly, Apple and Google are
> also working on it, there's a fairly good interop testing ground.

The amazing thing about all those security buzzwords is they decrypt inside the servers of one company which operates under US legal doctrine. You are a very trustful believer. The internet is full of snakes, but the endpoint is paradise, there are no snakes at the endpoints.