On 7/30/2020 8:45 AM, onoketa wrote:
> Hi,
>
> The Great Firewall of China may have identified and blocked
> Cloudflare's ESNI implementation.
>
> I have found that when using a TLS client hello with ESNI extension to
> connect to servers behind Cloudflare's CDN, the connection will be cut
> off after the whole TLS handshake is done. And then that IP address
> will be blocked at the TCP level for several minutes.
Thanks for the report. I think this relates to our ambivalence about the requirement for ESNI to not "stick out". That requirement is hard to meet, and designs have drifted towards an acceptation that it is OK to stick out as long as a sufficiently large share of the traffic does it. If that share is large, goes the reasoning, it would be too costly for censors to just "drop everything that looks like ESNI". Well, given actors like the Great Firewall, one wonders.

-- Christian Huitema
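The "sticks out" point above comes down to the fact that the ESNI extension sits in the unencrypted ClientHello, where any on-path observer can enumerate extension types. The following is an added example, not code from this thread or from Cloudflare, that builds a constructed ClientHello and walks its extension list to classify it as carrying plaintext SNI, ESNI, or neither. It assumes the draft ESNI code point 0xffce (the value the ESNI drafts and Cloudflare's deployment used); the sample hellos, the zeroed random, and the ESNI payload bytes are constructed for the demonstration.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000            # plaintext server_name (SNI)
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ietf-tls-esni code point (assumption: as used by the drafts)


def build_client_hello(extensions):
    """Assemble a minimal ClientHello record for testing (constructed sample, not a capture)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                             # legacy_version
        + b"\x00" * 32                          # random (zeros; constructed)
        + b"\x00"                               # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """Encode a server_name extension with one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def parse_client_hello_extensions(record):
    """Return [(ext_type, ext_data), ...] from a ClientHello record; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos == len(body):                           # extensions block is optional
        return []
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions length exceeds body")
    exts = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("truncated extension data")
        exts.append((ext_type, body[pos:pos + ext_len]))
        pos += ext_len
    return exts


def classify_sni(record):
    """Label a ClientHello by what an on-path observer can see about the server name."""
    types = {t for t, _ in parse_client_hello_extensions(record)}
    if EXT_ENCRYPTED_SERVER_NAME in types:
        return "esni"          # extension type is visible even though its contents are encrypted
    if EXT_SERVER_NAME in types:
        return "plaintext-sni"
    return "no-sni"


if __name__ == "__main__":
    plain = build_client_hello([sni_extension("example.com")])
    esni = build_client_hello([sni_extension("example.com"),
                               (EXT_ENCRYPTED_SERVER_NAME, b"\x00" * 8)])  # constructed opaque payload
    for label, rec in (("plain", plain), ("esni", esni)):
        print(label, classify_sni(rec), [hex(t) for t, _ in parse_client_hello_extensions(rec)])
```

The classifier needs nothing beyond the extension type field, which is why the mere presence of ESNI is distinguishable regardless of what the encrypted payload hides; the same walk is what TLS fingerprinting in monitoring tools performs, so the design question the reply raises is whether enough traffic carries the extension for that signal to be useless.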
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls