On Wed, Feb 20, 2019 at 10:21 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Dmitry Belyavsky <beld...@gmail.com> writes:
>
> >Fake SNI is delivered out-of-band for the handshake
>
> But then won't the DPI check the out-of-band source as well? If you've got a
> MITM sitting there then they can do the same lookups and whatnot that the
> client does, unless you're relying on the client being off-path, which seems a
> bit of a leap. You'd need to implement it via some sort of subliminal
> signalling mechanism that the DPI can't detect.

In fact, if DPI begins to poll domains to check whether a FakeSNI record is present, we have a race between changing the value in FakeSNI and DPI polling. And DoH/DoT ensures that DPI has to poll.

--
SY, Dmitry Belyavsky
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls