Hi,

I am not sure how important these findings are, but I've noticed three
instances of unnecessarily predictable inputs in ESNI:

1) Trailing padding after domain names is zeros.
2) The checksum calculation seems to start with predictable version bytes
in draft -04, and in shipping implementations.
3) In practice, NSS inserts 8 bytes of zeros at the beginning of its AAD
input (<https://github.com/tlswg/draft-ietf-tls-esni/issues/190>)

It seems like these values should all be allowed to be opaque, and I am not
sure why NSS is prepending zeros to its AAD (although I asked in the GitHub
issue).

thanks,
Rob
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
