Dear Peter,

On Wed, Feb 20, 2019 at 6:43 AM Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

> Dmitry Belyavsky <beld...@gmail.com> writes:
>
> >The draft describes a Fake SNI mechanism intended to cheat DPI systems in a
> >case when a DPI system blocks the connection if ESNI is present.
>
> Since this mechanism advertises the fact that a fake SNI is present, wouldn't
> the DPI then also block the connection for that?
>

The suggested mechanism does not advertise the presence of a Fake SNI.
Fake SNI is delivered out-of-band for the handshake, and an observer has to
discover that the ClientHello message contains an SNI extension that does not
match any host present at the IP address we try to connect to.

Passive collection and blocking of the Fake SNI values also makes little sense
because the value can be changed relatively easily.

-- 
SY, Dmitry Belyavsky
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
