Re: [TLS] ECH not protect SNI

Tue, 23 Aug 2022 18:51:23 -0700 


Hiya,

On 24/08/2022 02:26, 涛叔 wrote:

Hi, Stephen,

I actually has some trouble to understand your point.


Yes, perhaps we're not understanding one another and
it might help if you could describe what you think is
the win here? What would you like to see?




On Aug 24, 2022, at 08:58, Stephen Farrell
<stephen.farr...@cs.tcd.ie> wrote:

Factually, many people do deploy a web server hosted as a VPS by a
small hoster, so could benefit from ECH, to some extent. I know in
the small part of the world where I live (.ie) there are dozens of
such hosters who run probably tens of thousands of web sites. ISTM
making accesses to those less easily distinguished from one another
brings potential benefits.


My point there is some people run their website without intermediary
proxy. They still deserve the protection of ECH. 

"Deserve" seems like an odd term to use. If a web site
operator wants to benefit from ECH, then they need to be
part of a set of web sites where it's hard to distinguish
which is being accessed based on the TLS traffic.

Perhaps you disagree with some of the content of RFC8744
rather than the ECH mechanism?


So what is you point
here?


I think I made my point, perhaps badly, but nonetheless
it was made as well as it was:-) I don't think it'd help
either of us to only re-iterate.




I think you're wrong to only consider there being two cases of
interest. People are fairly inventive in how they use new tools
like ECH. But time will tell I guess.


I have said there are two cases, but has not stated there are only
two cases. 

I'm glad we agree there are a bunch of different ways in
which ECH could be used. I read your earlier mail as you
discounting anything other than the two cases you mentioned.
Sorry if that was wrong.


The current design of ECH requires an intermediary proxy
with dedicated domain name and SSL certificate to work. And I think
it is huge burden for indie website. 

"Huge burden" seems entirely wrong based on my experience.
It's very easy to setup a web site with TLS these days in
many different ways.

Cheers,
S.


So again, what is your point
here?

Thanks.

Attachment: OpenPGP_0x5AB2FAF17B172BEA.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to