Dear Ed,

On 11/15/24 4:09 AM, evasi...@yandex.ru wrote:

Hi Experts,

I am not a strong person on encryption, but it is evident to me that “TLS Encrypted Hello” https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22 has no value in fighting censorship.

Whatever DNS name would be used for the “client-facing server”, it is easy for a particular country authority to drop traffic directed to it, because transit traffic to the real content owners (“backend servers”) would not be affected.

It is especially useless to use a special DNS name (like cloudflare-ech.com) for “TLS Encrypted Hello” – it is a clear instruction for the country authority on what to drop.

It's something I've raised in the past, but I think the general IETF consensus (well, at least for the TLS WG) is that ECH is designed to improve privacy, not necessarily fight censorship. That said, server providers who wish to try to get around it can advertise ECH records with "legit"-looking domains, since they can be configured to not care about the "Outer SNI" at all. As an example, you can check out my website, which hosts several different ECH configs on different ports[0]. Depending on which port you try to connect to, your client should use a different ECHConfig.

Regards,
Raghu Saxena

[0] https://rfc5746.mywaifu.best:4443/
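An added example, not code from the thread or from the site linked above: it encodes and decodes an ECHConfigList as laid out in draft-ietf-tls-esni-22 (version 0xfe0d), so one can see that the only hostname a network observer gets from the published config is `public_name`, which becomes the Outer SNI; the key bytes and the `*.example` names are constructed, and unknown config versions are skipped as a client would.

```python
import base64
import struct

ECH_VERSION = 0xFE0D             # ECHConfig version used by draft-ietf-tls-esni
KEM_X25519_HKDF_SHA256 = 0x0020  # HPKE KEM id (constant from the draft's registry values)
KDF_HKDF_SHA256 = 0x0001         # HPKE KDF id
AEAD_AES_128_GCM = 0x0001        # HPKE AEAD id

def build_ech_config(config_id, public_key, public_name, max_name_len=0):
    """Encode one ECHConfig (version 0xfe0d) carrying a single HPKE cipher suite."""
    suites = struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM)
    key_config = (struct.pack("!BH", config_id, KEM_X25519_HKDF_SHA256)
                  + struct.pack("!H", len(public_key)) + public_key
                  + struct.pack("!H", len(suites)) + suites)
    name = public_name.encode("ascii")
    contents = (key_config + struct.pack("!BB", max_name_len, len(name)) + name
                + struct.pack("!H", 0))  # empty extensions vector
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents

def build_ech_config_list(configs):
    """Wrap ECHConfigs in the ECHConfigList vector that is published in an HTTPS RR."""
    body = b"".join(configs)
    return struct.pack("!H", len(body)) + body

def https_rr_ech_param(ech_list):
    """Presentation form of the HTTPS record parameter carrying the list."""
    return "ech=" + base64.b64encode(ech_list).decode("ascii")

def parse_ech_config_list(data):
    """Return [(config_id, public_name)] for each 0xfe0d entry; unknown versions are skipped."""
    (total,) = struct.unpack_from("!H", data, 0)
    pos, end, out = 2, 2 + total, []
    if end != len(data):
        raise ValueError("ECHConfigList length does not match data")
    while pos < end:
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        pos += 4 + length
        if version != ECH_VERSION:
            continue                     # unknown version: skip it, as a client would
        p = 3                            # past config_id (1 byte) and kem_id (2 bytes)
        (pk_len,) = struct.unpack_from("!H", body, p); p += 2 + pk_len
        (cs_len,) = struct.unpack_from("!H", body, p); p += 2 + cs_len
        p += 1                           # maximum_name_length
        name_len = body[p]; p += 1
        out.append((body[0], body[p:p + name_len].decode("ascii")))
    return out
```

The inner ClientHello's real server name never appears in this structure; only `public_name` does, which is why a provider can pick an unremarkable one and ignore the Outer SNI on the client-facing side.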


_______________________________________________
TLS mailing list -- tls@ietf.org