Hi Raghu,

OTTs reading this statement about privacy are probably laughing. OTTs are collecting the bulk of private information - they are the primary danger for privacy. ECH would not help even theoretically. Hence, I do not care about privacy. It is not possible anyway. I remember a good joke; it was a banner on the street: "XXXX is hiring in your region, a resume is not needed".
About your idea to use many DNS names (and probably keys) per IP:UDP. It looks like it is a burden for a censor to trace many DNS names. Actually, it is not a problem for them, not at all. As I stated in the message that you did not copy in the quote: they would filter out any Hello that has a nested InnerHello. It is a pretty automatic solution. As soon as it is implemented on DPI, this feature would not need any configuration or manual intervention. Only people who upgraded their browser would be punished (not the whole population) - they would have to look for how to downgrade the browser or disable the feature. By the way, InnerHello intersects with the interests of many censors; they would block it, and it would result in lost hope for privacy too, right?

Eduard

-----Original Message-----
From: Raghu Saxena <poiasdpoi...@live.com>
Sent: Friday, November 15, 2024 5:51 PM
To: evasi...@yandex.ru; tls@ietf.org
Subject: Re: [TLS] TLS against censorship

Dear Ed,

On 11/15/24 4:09 AM, evasi...@yandex.ru wrote:
>
> Hi Experts,
>
> I am not a strong person on encryption, but it is evident for me that
> "TLS Encrypted Hello"
> https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22 has no
> value in fighting censorship.
>
> Whatever DNS name would be used for "client-facing server", it is easy
> for a particular country authority to drop traffic directed to it.
> Because transit traffic to the real content owners ("backend servers")
> would not be affected.
>
> It is especially useless to use a special DNS name (like
> cloudflare-ech.com) for "TLS Encrypted Hello" - it is a clear
> instruction for the country authority on what to drop.
>

It's something I've raised in the past, but I think the general IETF consensus (well, at least for the TLS WG) is that ECH is designed to improve privacy, not necessarily to fight censorship.
That said, server providers who wish to try and get around it can advertise ECH records with "legit"-looking domains, since they can be configured to not care about the "Outer SNI" at all. As an example, you can check out my website, which hosts several different ECH configs on different ports[0]. Depending on which port you try to connect to, your client should use a different ECHConfig.

Regards,
Raghu Saxena

[0] https://rfc5746.mywaifu.best:4443/
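Both sides of the thread turn on the same observable fact: the outer ClientHello is cleartext, so a passive observer on the path sees the outer SNI and can tell whether the encrypted_client_hello extension is present at all, regardless of which outer name the ECHConfig advertises. The following script is an added example written for this page, not code from either poster or from the ECH draft; it constructs a minimal TLS 1.3-style ClientHello record (sample input, not a capture) and parses back exactly the fields a network monitor can read without any key material. The extension code point 0xfe0d is the one the draft-ietf-tls-esni series assigns to encrypted_client_hello; the record builder, the zeroed random, and the opaque ECH payload are simplifications assumed for the example.

```python
import struct

ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni code point)
SNI_EXT_TYPE = 0x0000   # server_name
SUPPORTED_VERSIONS_EXT_TYPE = 0x002B


def _ext(ext_type, body):
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(outer_sni, ech_payload=None):
    """Construct a minimal ClientHello record (constructed sample, not a real capture).

    The ECH payload is treated as opaque bytes: for a passive observer only its
    presence matters, since the inner ClientHello is encrypted.
    """
    host = outer_sni.encode("ascii")
    # ServerNameList: list length, name_type=host_name(0), name length, name
    sni_body = struct.pack("!H", len(host) + 3) + b"\x00" + struct.pack("!H", len(host)) + host
    exts = _ext(SNI_EXT_TYPE, sni_body)
    exts += _ext(SUPPORTED_VERSIONS_EXT_TYPE, b"\x02\x03\x04")  # offers TLS 1.3 only
    if ech_payload is not None:
        exts += _ext(ECH_EXT_TYPE, ech_payload)
    body = (
        b"\x03\x03"               # legacy_version = TLS 1.2
        + b"\x00" * 32            # random (zeroed in this constructed sample)
        + b"\x00"                 # legacy_session_id: empty
        + b"\x00\x02\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"             # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cleartext-visible fields: outer SNI and the list of extension types."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                  # skip handshake type + 3-byte length
    pos += 2 + 32                            # legacy_version + random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    outer_sni, ext_types = None, []
    while pos + 4 <= end:
        ext_type, ext_len_i = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len_i]
        pos += ext_len_i
        ext_types.append(ext_type)
        # server_name: skip list length, check name_type == host_name, read the name
        if ext_type == SNI_EXT_TYPE and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            outer_sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"outer_sni": outer_sni, "extensions": ext_types}


def classify(record):
    """What an on-path observer learns from one ClientHello without any keys."""
    info = parse_client_hello(record)
    info["ech_present"] = ECH_EXT_TYPE in info["extensions"]
    return info


if __name__ == "__main__":
    with_ech = build_client_hello("cloudflare-ech.com", ech_payload=b"\x00" * 16)
    without_ech = build_client_hello("example.com")
    print(classify(with_ech))
    print(classify(without_ech))
```

The parser never needs the ECHConfig or any HPKE key: the outer SNI and the bare fact that extension 0xfe0d is present are enough to tell the two constructed hellos apart, which is the visibility both posters are reasoning about when they discuss outer names and DPI.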