> With random names from the pool, the observer has to determine which of
> thousands/millions of names might be an ECH outer SNI, and there's no easy
> way to enumerate that list.
Yes, but why aren't they all ECH outer SNIs? Why would you ever end up in this
situation where you have a mix of ECH and ECH-GREASE going to the same server?
This seems like a misconfigured server that can be fixed by publishing more
ECHConfigs.
> Your scenario (1) is relevant: DNS interference means clients fall back to
> GREASE, which adds non-ECH connections as cover. But that doesn't change the
> anonymity set. What changes the anonymity set is whether the observer can
> enumerate the names in it.
I think you are referring to the anonymity set of domains ("which domains could
this connection be accessing?"), and I was referring to the anonymity set of
connections ("which connections could be accessing this domain?"). Regardless,
I don't know how to think about the enumeration concern without a more detailed
threat model.
Is a primary motivation of this draft to improve privacy when some users are
prevented from retrieving the ECHConfigs, by giving ECH and ECH-GREASE
overlapping wire images? If so, the draft could make that a lot clearer. Then
we can think through the details (Why would an attacker bother with this attack
if they can observe and modify DNS? Can the attacker inject a false ECHConfig?
How would the client choose the public name? Is there a better defense for
this situation?).
--Ben
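As an added illustration (not part of Ben's message or of the draft under discussion), the following Python sketches the two anonymity sets Ben distinguishes, "which domains could this connection be accessing?" versus "which connections could be accessing this domain?", under a constructed, simplified observer model: real ECH and GREASE ECH are assumed to look identical on the wire, and the only variable is whether the observer holds the full list of ECH public names and the backends they front. Every name, connection and function below is made up for the example.

```python
"""
Added illustration, not part of the thread: a toy model of the two anonymity
sets Ben distinguishes (domains per connection vs. connections per domain) and
of how an observer's ability to enumerate ECH public names changes both.
Every name, connection and the observer model below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """What an on-path observer sees of one ClientHello (assumed model)."""
    cid: int
    outer_sni: str
    has_ech_ext: bool  # real ECH and GREASE ECH assumed to look identical


# Constructed scenario: public.example fronts two ECH backends; b.example and
# c.example publish no ECHConfig, so clients reach them with GREASE ECH and the
# real name as outer SNI; d.example is reached with no ECH extension at all.
PUBLIC_NAMES = {"public.example": frozenset({"a1.example", "a2.example"})}
UNIVERSE = frozenset({"a1.example", "a2.example", "b.example",
                      "c.example", "d.example"})
CONNS = [
    Conn(1, "public.example", True),   # real ECH, inner SNI a1 or a2
    Conn(2, "public.example", True),   # real ECH
    Conn(3, "b.example", True),        # GREASE ECH
    Conn(4, "c.example", True),        # GREASE ECH
    Conn(5, "d.example", False),       # plaintext SNI, no ECH
]


def domain_set(conn, can_enumerate, public_names=PUBLIC_NAMES, universe=UNIVERSE):
    """Anonymity set of domains: which names could `conn` be reaching?

    `can_enumerate` models an observer holding the full public-name -> backends
    list; without it, an ECH-bearing ClientHello could be real ECH to any
    backend or GREASE to the outer name, so nothing can be ruled out.
    """
    if not conn.has_ech_ext:
        return frozenset({conn.outer_sni})
    if not can_enumerate:
        return universe
    # Full list in hand: a recognised public name maps to its backends; any
    # other outer SNI must be GREASE and names the real destination.
    return public_names.get(conn.outer_sni, frozenset({conn.outer_sni}))


def connection_set(domain, can_enumerate, conns=CONNS, **kw):
    """Anonymity set of connections: which observed connections could reach `domain`?

    Derived from domain_set so the two views stay consistent with each other.
    """
    return frozenset(c.cid for c in conns
                     if domain in domain_set(c, can_enumerate, **kw))


if __name__ == "__main__":
    for can_enumerate in (False, True):
        print(f"observer can enumerate public names: {can_enumerate}")
        for c in CONNS:
            print(f"  conn {c.cid} ({c.outer_sni}) -> {sorted(domain_set(c, can_enumerate))}")
        for d in sorted(UNIVERSE):
            print(f"  {d} <- connections {sorted(connection_set(d, can_enumerate))}")
```

Running it shows the asymmetry in the thread: for the observer that cannot enumerate, every ECH-bearing connection (real or GREASE) sits in the connection anonymity set of every name, so GREASE traffic does act as cover; once the observer holds the full public-name list, the GREASE connections collapse to their outer SNI and the connection set of a fronted backend shrinks to the real-ECH connections only. Which of these two observers the draft is meant to defend against is exactly the threat-model question the message raises.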
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]