Hi Owen,

On 31/10/17 21:03, Owen Friel (ofriel) wrote:
>> Interesting. One bit puzzles me: wouldn't the new content-type
>> give the game away and cause middleboxes to block this?
>>
>> S.
>>
> [ofriel] The intention isn't to try and obscure the fact that there
> is an ATLS session. Even if that new content-type was not defined,
> it would be easy to write a simple pattern match script on the
> middlebox to identify the JSON body and leading base64 bytes of the
> TLS records in the body.
So that leaves me puzzled still, sorry. I can't think of a situation with a middlebox that isn't ok with the client doing proper TLS but is ok with ATLS. Can you give an example of such a situation?

In case it helps, I can imagine that some middleboxes won't (yet) know about this and will let it through for a while, but that seems fairly brittle. So, I'd have thought it may be worthwhile trying to hide what's what here if you want it to be robust against an antagonistic middlebox or censor. But maybe you guys analysed that already and figured it'd not work. (Which brings me back to "puzzled":-)

Cheers,
S.
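As an added illustration of the pattern-match point made in the quoted reply (example code written for this thread, not from the ATLS draft or either author): a small detector that flags a JSON body whose base64 field decodes to a TLS record header, which is what a middlebox could do even without a dedicated content-type. The JSON field name and the body shape are assumptions, not the draft's actual wire format.

```python
import base64
import binascii
import json

# Assumed transport shape (NOT taken from the ATLS draft): a JSON object whose
# string fields may carry base64-encoded TLS records. Field name is hypothetical.
RECORD_FIELD = "tls_record"

# TLS record header: ContentType (1 byte), ProtocolVersion (2 bytes), length (2 bytes).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1), (3, 2), (3, 3), (3, 4)}  # TLS 1.0 .. 1.3 legacy_record_version

# Note the giveaway: a ClientHello record starts 0x16 0x03 0x01, which base64
# encodes as "FgMB" (0x16 0x03 0x03 encodes as "FgMD"), so even the raw
# base64 text is easy to match.

def looks_like_tls_record(raw: bytes):
    """Return the content-type name if `raw` starts with a plausible TLS record header."""
    if len(raw) < 5:
        return None
    ctype, vmaj, vmin = raw[0], raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or (vmaj, vmin) not in TLS_VERSIONS:
        return None
    # The declared fragment length must fit in what was actually carried.
    if length > len(raw) - 5:
        return None
    return TLS_CONTENT_TYPES[ctype]

def classify_http_body(body: str):
    """Return the TLS content-type name if a JSON body carries a base64 TLS record, else None."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    for value in obj.values():
        if not isinstance(value, str):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = looks_like_tls_record(raw)
        if kind:
            return kind
    return None

# Constructed samples: a TLS 1.2 handshake record header with a 4-byte dummy
# fragment, wrapped the way an ATLS-style body might carry it, and a plain body.
SAMPLE_RECORD = bytes([0x16, 0x03, 0x03, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
SAMPLE_ATLS_BODY = json.dumps({RECORD_FIELD: base64.b64encode(SAMPLE_RECORD).decode()})
SAMPLE_PLAIN_BODY = json.dumps({"message": "hello"})
```

The same check applied to whole request/response streams is what makes the "just don't define a content-type" option offer no real cover.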
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls