On Tue, Aug 11, 2020 at 12:08:11AM -0700, Christian Huitema wrote:
> There is also the question of what the anonymity set is. I just did a little
> experiment of resolving 25000 domain names and looking at how many resolved to
> the same IP address
> (https://huitema.wordpress.com/2020/08/09/can-internet-services-hide-in-crowds/).
> And then I redid the stats with 50000 domain names. Did not find a lot of
> crowds. 75% of domain names in my sample resolve to their very own address, not
> shared with anybody. Only 8% resolved by addresses shared by 10 sites or more,
> and 1.3% resolved to addresses shared by 100 sites or more. Of course, 1% of
> the Internet is already something big. But still, not quite the whole world...

Here is a related experiment done last year.

"On the Importance of Encrypted-SNI (ESNI) to Censorship Circumvention"
https://censorbib.nymity.ch/#Chai2019a
https://www.usenix.org/conference/foci19/presentation/chai
My capsule summary: https://github.com/net4people/bbs/issues/10

The authors tested an Alexa top 1 million list for blocking from China,
under three different modalities: DNS poisoning, SNI filtering, and IP
address blocking. (The GFW blocked different web sites in different
ways; ESNI is effective against DNS poisoning and SNI filtering but not
IP address blocking.) Of 24,210 domains blocked by either DNS poisoning
or SNI filtering, 16,928 (70%) were additionally blocked by IP address,
so ESNI would not help to unblock them if they remained at their current
hosting. The other 30% of domains would have been unblocked by ESNI.
This analysis, of course, assumes a static situation; if ESNI were
deployed and found to be effective, then blocked sites might choose to
move to shared co-hosting, or the GFW might increase the scope of its IP
address blocking to include addresses with small anonymity sets.

I'll add that it's not just the size of the anonymity set that matters.
The domains that make up the anonymity set, and the cost of blocking
them, matter as well. An anonymity set of 100,000 could still be
blockable if none of the 100,000 is disruptive or costly to block.
(Measure cost however you like: effect on the local economy, for
example.) An anonymity set of size 10 might be hard to block, if just
one of those 10 is one that the would-be blocker greatly cares to
preserve.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
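The two measurements discussed above (how many domains share an address, and which blocked domains ESNI alone would unblock) and the "cost of blocking the crowd" argument can be made concrete with a small script. What follows is an added example written for this page; it is not code from the thread, from Huitema's experiment, or from Chai et al. The domain-to-address table, the per-domain blocking observations and the collateral-cost figures are all constructed, invented inputs, not measured data.

```python
"""Anonymity sets of co-hosted domains and the collateral cost of IP blocking.

Added example (not from the TLS list thread, Huitema's post or Chai et al.).
Given a constructed domain -> IP table it computes:
  1. the crowd (anonymity set) behind each address,
  2. the share of domains in crowds of at least k (Huitema-style stats),
  3. which blocked domains ESNI would unblock on its own, using the
     Chai et al. split: blocked by DNS or SNI but not by IP address,
  4. whether a censor can block a whole crowd within a collateral-cost budget,
     which is the "it is not just the size of the set" point.
All data below is constructed; the cost numbers are arbitrary placeholders.
"""
from collections import defaultdict

# Constructed sample: domain -> IPv4 address it resolves to (documentation
# ranges from RFC 5737, not real hosting).
RESOLUTIONS = {
    "news-a.example": "203.0.113.10",
    "news-b.example": "203.0.113.10",
    "blog-c.example": "203.0.113.10",
    "forum-d.example": "203.0.113.10",
    "bank.example": "203.0.113.10",     # expensive collateral if blocked
    "solo-e.example": "198.51.100.5",   # crowd of one
    "solo-f.example": "198.51.100.6",   # crowd of one
    "shop-g.example": "192.0.2.7",
    "shop-h.example": "192.0.2.7",
}

# Constructed blocking observations, one set of modalities per domain:
# "dns" = DNS poisoning, "sni" = SNI filtering, "ip" = IP address blocking.
BLOCKED = {
    "news-a.example": {"dns", "sni"},
    "news-b.example": {"sni"},
    "solo-e.example": {"dns", "ip"},
    "shop-g.example": {"sni", "ip"},
    "shop-h.example": {"dns"},
}

# Hypothetical collateral cost of blocking each domain (arbitrary units).
COST = defaultdict(lambda: 1.0, {"bank.example": 1000.0})


def anonymity_sets(resolutions):
    """Map each IP address to the set of domains that resolve to it."""
    crowds = defaultdict(set)
    for domain, ip in resolutions.items():
        crowds[ip].add(domain)
    return dict(crowds)


def crowd_size(domain, resolutions):
    """Size of the anonymity set a domain sits in (1 = its very own address)."""
    return len(anonymity_sets(resolutions)[resolutions[domain]])


def fraction_in_crowds_of_at_least(resolutions, k):
    """Fraction of domains whose address is shared by k or more domains."""
    crowds = anonymity_sets(resolutions)
    shared = sum(1 for ip in resolutions.values() if len(crowds[ip]) >= k)
    return shared / len(resolutions)


def unblocked_by_esni(blocked):
    """Domains blocked only by name (DNS or SNI) and not by address.

    ESNI hides the server name, not the destination IP, so it only helps
    these; a domain that is also IP-blocked stays blocked."""
    return {d for d, modes in blocked.items()
            if modes & {"dns", "sni"} and "ip" not in modes}


def cheaply_blockable(ip, targets, resolutions, cost, budget):
    """True if blocking every domain behind `ip` costs the censor no more
    than `budget` in collateral, counting only non-target domains."""
    collateral = sum(cost[d] for d in anonymity_sets(resolutions)[ip]
                     if d not in targets)
    return collateral <= budget


if __name__ == "__main__":
    for ip, crowd in anonymity_sets(RESOLUTIONS).items():
        print(ip, "crowd of", len(crowd))
    for k in (2, 5, 10):
        print(f"share of domains in crowds >= {k}: "
              f"{fraction_in_crowds_of_at_least(RESOLUTIONS, k):.2f}")
    print("ESNI alone would unblock:", sorted(unblocked_by_esni(BLOCKED)))
    # A crowd of 5 containing bank.example is not cheap to block...
    print(cheaply_blockable("203.0.113.10", {"news-a.example"},
                            RESOLUTIONS, COST, budget=10.0))
    # ...while a crowd of 2 made of cheap domains is.
    print(cheaply_blockable("192.0.2.7", {"shop-g.example"},
                            RESOLUTIONS, COST, budget=10.0))
```

The `budget` parameter is where the thread's point lives: with the same table, the five-domain crowd is unblockable at a budget of 10 only because one member is expensive, and a hundred-domain crowd of cost-1 domains would fall under a budget of 100, whatever its size.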
