[TLS] Re: ECH Proxy Mode

t which receives a legacy_session_id_echo field that does not match whatit sent in the ClientHello MUST abort the handshake with an "illegal_parameter" alert.So we can't use the legacy_session_id_echo of SH.On Sep 11, 2024, at 17:35, A A <tom25...@yandex.com> wrote:I don't

[TLS] Re: ECH Proxy Mode

lientHello MUST abort the handshake with an "illegal_parameter" alert. So we can't use the legacy_session_id_echo of SH. On Sep 11, 2024, at 17:35, A A <tom25...@yandex.com> wrote: I don't think need to use random, we can use Session ID, which is deprecated since TLS 1.3. R

[TLS] Re: ECH Proxy Mode

- all I don't think need to use random, we can use Session ID, which is deprecated since TLS 1.3. Random is used to derive master key, AFAIK.  11.09.2024, 17:29, "涛叔" :Dear Raghu, The MiTM solution may works for self-host, because the user controls both the browser an

[TLS]Re: Curve-popularity data?

But X25519, X448, which are mark as safe in safecurves are protected against certain side-channel and other attacks, not only performance advantage. 07.06.2024, 22:33, "Hubert Kario" :On Friday, 7 June 2024 15:54:17 CEST, D. J. Bernstein wrote: Hubert Kario writes: Fedora 39, openssl-3.1.1-4.fc39.x

[TLS]Re: Curve-popularity data?

024, 18:22, "Hubert Kario" :On Thursday, 6 June 2024 00:57:52 CEST, A A wrote: "E.g. a client might also have legitimate reasons to nudge  servers to use a stronger curve than P-256 in the initial CH and  only fall back to weaker curves by explicit request via HRR.  Probably the reason for

[TLS]Re: Curve-popularity data?

, 06:58, "A A" :"E.g. a client might also have legitimate reasons to nudge servers to use a stronger curve than P-256 in the initial CH and only fall back to weaker curves by explicit request via HRR. Probably the reason for Chrome for requesting HRR for P-256 is the attempt to nudge

[TLS]Re: Curve-popularity data?

"E.g. a client might also have legitimate reasons to nudge servers to use a stronger curve than P-256 in the initial CH and only fall back to weaker curves by explicit request via HRR. Probably the reason for Chrome for requesting HRR for P-256 is the attempt to nudge servers to use an algorithm wh

[TLS]Re: Adoption Call for draft-davidben-tls-key-share-prediction

In my opinion, to prevent downgrade attack, server MUST or SHOULD using DNSSEC when announcing DNS record.21.05.2024, 21:48, "David Benjamin" :Off the cuff, folding it into the transcript sounds tricky, since existing TLS servers won't know to do it, and, as with any other DNS hints, we need to acc

Re: [TLS] Working Group Last Call for ECH

I think we should change outer SNI randomly and periodicity (e.g 1 hours), if it change fast enough, censor will need to pay a price to block it,13.03.2024, 23:40, "Amir Omidi" :I'd like to understand how the behavior of the latest draft will be under an adversarial condition.One of the things that

[TLS] Use Session ID or PSK in Client Hello to transfer enctypred SNI

Is it possible to use Session ID in Client Hello, which is obsoleted in TLS 1.3, to transfer enctypred SNI? If it looks random enough, attacker could't distinguish Session ID is encrypted SNI or not. It may have some restrictions, for example, the SNI maybe couldn't longer than Session ID (32 bytes