Looks neat. 

1) TFO DOS vector: is the idea servers will disable TFO under strain but not be 
able to disable ESNI?

2) “clients might opt to attempt captive portal detection to see if they are in 
the presence of a MITM proxy, and if so disable ESNI.”

If I’m operating a great firewall, I can use this to discover dissidents, 
right?  Either they send me dangerous SNI values or they are configured to not 
disable ESNI, and taking the fifth is fatal. To protect them, I think nobody 
can have this mode. 

3) How many bits does this offer? Hiding in a set of a million uniform hosts is 
20 bits, and the nonuniformity will accrue to the adversary’s benefit. Active 
probing will unmask visitors to dissident sites.

I worry that this tool is so weak against a GFW-style adversary for the purpose 
of allowing dissident access to restricted web sites that it will be dangerous 
if released. But maybe I misunderstand the purpose. If this is just to keep 
Western ISPs from monkeying with traffic, sure, ship it.  Labelling the 
encryption with its strength as applied, or showing CDNs and ISPs how to work 
out some bounds, seems one way to help users understand whether this can help 
them or put them more at risk. 

-- 
Brian Sniffen

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
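
Added example, not part of the message above: a sketch of the "how many bits" estimate from point 3, comparing a uniform set of a million hosts with a skewed one. The Zipf popularity model with exponent 1 and all function names are assumptions made for illustration; real host popularity behind a given provider would have to be measured.

```python
import math

def zipf_weights(n, s=1.0):
    """Relative popularity of the host at each rank (assumed Zipf model)."""
    return [1.0 / rank ** s for rank in range(1, n + 1)]

def shannon_bits(weights):
    """Average uncertainty, in bits, about which host a visitor wants."""
    total = sum(weights)
    return -sum(w / total * math.log2(w / total) for w in weights if w > 0)

def min_entropy_bits(weights):
    """Bits protecting against one best guess: -log2 of the top share."""
    return -math.log2(max(weights) / sum(weights))

def top_k_share(weights, k):
    """Fraction of visits that go to the k most popular hosts."""
    return sum(sorted(weights, reverse=True)[:k]) / sum(weights)

def anonymity_report(n, s=1.0, k=100):
    """Compare a uniform hiding set of n hosts with a skewed one."""
    uniform, skewed = [1.0] * n, zipf_weights(n, s)
    return {
        "uniform_shannon": shannon_bits(uniform),
        "skewed_shannon": shannon_bits(skewed),
        "skewed_min_entropy": min_entropy_bits(skewed),
        "skewed_top_k_share": top_k_share(skewed, k),
    }

if __name__ == "__main__":
    # Constructed scenario: one million hosts sharing a single ESNI front.
    for name, value in anonymity_report(1_000_000).items():
        print(f"{name:20s} {value:8.3f}")
```

Under the assumed skew, the average uncertainty falls well below the uniform figure and the bits that resist a single best guess fall much further, which is the direction of the nonuniformity concern raised in the message.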
