On Tue, Jul 3, 2018 at 9:48 PM, Ilari Liusvaara <[email protected]> wrote:
> On Mon, Jul 02, 2018 at 04:39:14PM -0700, Eric Rescorla wrote:
> > I am working on an implementation for NSS/Firefox and I know some
> > others are working on their own implementations, so hopefully we can
> > do some interop in Montreal.
> >
> > This is at a pretty early stage, so comments, questions, defect
> > reports welcome.
>
> One thing I noticed: First there is this in evaluation:
>
> 7.2.4. Do not stick out
>
> By sending SNI and ESNI values (with illegitimate digests), or by
> sending legitimate ESNI values for and "fake" SNI values, clients do
> not display clear signals of ESNI intent to passive eavesdroppers.
>
> Is that suggesting to send fake ESNI values? If so, there is this in
> endpoint behavior:
>

No, you would not send fake ESNI values. The idea here is that there is a group of IPs (associated with a big provider), then all ESNI-supporting clients will send ESNI to it. So the provider will stick out, but the use of site X versus site Y on the provider will not stick out. And the provider's IPs are reasonably well known through other mechanisms, so this doesn't tell you much.

Of course, this does not help big sites that aren't using shared infrastructure (e.g., Facebook), but I don't know how to do that.

-Ekr

>
> -Ilari
>
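The "stick out" argument in the reply above can be made concrete by modelling what a passive eavesdropper learns from a single ClientHello. The following Python is an added illustration written for this page; it is not code from the draft, from NSS, or from anyone on the thread. The address blocks and hostnames in `HOSTING` are constructed sample data, and `observer_view` is a hypothetical helper that reduces the observer's knowledge to a set of candidate hostnames: with cleartext SNI the set is the named host; with ESNI it is every site known to sit behind the destination address, so a shared provider yields a large anonymity set while a site on its own infrastructure still stands out by IP alone.

```python
# Added illustration, not part of the ESNI draft or any implementation on the thread.
# Models what a passive observer can infer from one TLS ClientHello.
import ipaddress
from collections import OrderedDict
from typing import Dict, List, Optional

# Constructed sample data: which hostnames are reachable at which address blocks.
# One block belongs to a shared provider fronting many sites; the other is a
# single large site that runs its own infrastructure.
HOSTING: "OrderedDict[str, List[str]]" = OrderedDict([
    ("198.51.100.0/24", ["a.example", "b.example", "c.example"]),  # shared provider
    ("203.0.113.0/24", ["big-site.example"]),                      # standalone site
])


def candidate_sites(dst_ip: str) -> List[str]:
    """Every hostname an observer already knows is served from dst_ip.

    The thread's point is that provider IP ranges are public knowledge, so this
    lookup is information the eavesdropper has regardless of ESNI.
    """
    addr = ipaddress.ip_address(dst_ip)
    for block, hosts in HOSTING.items():
        if addr in ipaddress.ip_network(block):
            return sorted(hosts)
    return []


def observer_view(dst_ip: str, sni: Optional[str], esni: bool) -> Dict[str, object]:
    """What a passive eavesdropper learns from a ClientHello to dst_ip.

    - cleartext SNI: the hostname is read directly from the wire.
    - ESNI: the observer sees only that ESNI was used and falls back to the
      set of sites known to be behind the destination address.
    """
    if not esni and sni is not None:
        return {"esni_seen": False, "candidates": [sni]}
    return {"esni_seen": True, "candidates": candidate_sites(dst_ip)}


def sticks_out(dst_ip: str) -> bool:
    """True when ESNI to dst_ip still identifies a single site.

    An anonymity set of size one means encrypting the SNI hides nothing the
    destination address did not already reveal (the Facebook case in the reply).
    """
    return len(candidate_sites(dst_ip)) <= 1


if __name__ == "__main__":
    for ip, sni, esni in [
        ("198.51.100.7", "b.example", False),  # cleartext SNI to the provider
        ("198.51.100.7", None, True),          # ESNI to the provider
        ("203.0.113.9", None, True),           # ESNI to a standalone site
    ]:
        view = observer_view(ip, sni, esni)
        print(f"{ip:14} esni={esni!s:5} candidates={view['candidates']} "
              f"sticks_out={sticks_out(ip)}")
```

Running the block prints one line per constructed ClientHello: the cleartext case names the site outright, the ESNI-to-provider case leaves three candidates, and the ESNI-to-standalone case collapses back to one. Extending `HOSTING` with more sites per block is the only change needed to see how the anonymity set grows with the size of the shared provider.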
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
