The ECH proposal for Encrypted SNI is almost ready, but for a very small
debate. The original proposal was using trial decryption to distinguish
between ECH-aware responses to the encrypted inner Client-Hello from
non-ECH-aware responses to the "cover" outer CH. This is problematic in the
QUIC use

Hi Christian, Hi list,
The "don't stick out" property is a steganographic security goal: we want
the "real" protocol, i.e. TLS with ECH acceptance, to be indistinguishable
from the "cover" protocol, i.e., the handshake pattern in which the client
sends a "dummy" ECH extension that is ignored or re
>
> If we can establish how difficult it would be to hash the server keyshare
> into the hint in various implementations, I think we'll have our answer. I
> suspect it is difficult enough to create a problem for someone, but I'm not
> a TLS implementer.
>
One data point: In the standard Go implem