by shockinglytrue 2196 days ago
> Now all those traffic shaping middle-boxes are worthless

No reasonable implementation of encrypted SNI has been proposed or standardized. Those middleboxes are still more than useful.

AFAIK in QUIC there is some light obfuscation of the ClientHello, but it is not intended to be an anti-filtering measure; middleboxes can still fish out any presented name with a little bit of new code.


What about EKR's

https://datatracker.ietf.org/doc/draft-ietf-tls-esni/

... do you feel is unreasonable?

Unsurprisingly for a spec from Fastly & CloudFlare, the privacy offered is predicated on the existence of large centralized providers that due to their size cannot be blocked. One outcome of this design is that if you want to offer truly private service to an end user, you must have a relationship with one of these providers, otherwise your traffic, even if it implements the spec, becomes easily identifiable as its EKR config was served by some unique non-shared infrastructure.

In practical terms I guess it is reasonable, but viewed from the angle of how the Internet was originally intended to work, it is obviously abhorrent and self-serving.

eSNI can only effectively prevent people from distinguishing things which aren't otherwise distinguishable anyway. This is not a forgetfulness potion; if you already know by some other means where I'm going, then eSNI doesn't fix that.

If cat-videos.example and elect-bob.example are just names for the same IP 10.20.30.40 then we can use eSNI to prevent eavesdroppers discovering which you visited and that's all.

But if you've got 10.20.30.40 assigned by your ISP for your personal web server, then eSNI can't hide that. You can use eSNI to prevent eavesdroppers learning whether visitors were looking at snakes-control-nasa.example or soup-does-not-exist.example, but if all you host are crazy conspiracy theory sites, then they don't need to know which one is which to block all of them; that's just how IP works.

The configuration for eSNI is delivered over DNS, so it's up to you to choose how you want to get secure DNS.
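As an added illustration of the point made in the comment above (this is not code from the thread), the following Python snippet inverts a set of constructed DNS resolutions to compute, for each name, the anonymity set an IP-only observer is left with once the SNI is encrypted. It generalizes the comment's single-IP examples to names that resolve to several addresses; every hostname and address in it is made up.

```python
from collections import defaultdict

# Constructed sample DNS resolutions (hypothetical names and RFC 1918
# addresses, modelled on the examples in the comment above).
RESOLUTIONS = {
    "cat-videos.example": {"10.20.30.40"},
    "elect-bob.example": {"10.20.30.40"},
    "snakes-control-nasa.example": {"10.20.30.41"},
    "soup-does-not-exist.example": {"10.20.30.41"},
    "multi-homed.example": {"10.20.30.40", "10.20.30.41"},
    "my-home-server.example": {"10.20.30.50"},  # alone on an ISP-assigned IP
}


def names_behind(resolutions):
    """Invert name->IPs into IP->names: all an IP-only observer can infer."""
    behind = defaultdict(set)
    for name, ips in resolutions.items():
        for ip in ips:
            behind[ip].add(name)
    return dict(behind)


def anonymity_set(name, resolutions):
    """Smallest set of names an observer cannot tell apart from `name` using
    only the destination IP, taken over every IP the name may resolve to.
    With encrypted SNI this is the best the client can hope for; without it
    the cleartext SNI collapses the set to {name} regardless."""
    behind = names_behind(resolutions)
    candidates = [behind[ip] for ip in sorted(resolutions[name])]
    return min(candidates, key=len)


def esni_helps(name, resolutions):
    """eSNI only hides which co-hosted name was visited; a name that is alone
    on its IP gains nothing from it."""
    return len(anonymity_set(name, resolutions)) > 1


def block_collateral(ip, resolutions):
    """Names an IP-level block of `ip` takes down together. If they are all
    the blocker's targets anyway, eSNI does not prevent the block."""
    return names_behind(resolutions).get(ip, set())


if __name__ == "__main__":
    for name in RESOLUTIONS:
        peers = sorted(anonymity_set(name, RESOLUTIONS) - {name})
        print(f"{name}: hidden among {peers or 'nobody'}")
```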