-------- Original Message --------
On Sunday, August 9, 2020 6:09 PM, grarpamp <grarpamp@gmail.com> wrote:

> ...
> There is now a detailed written report on the new phenomenon of ESNI blocking in China.
> ...
> Here are some of the points most likely to be of interest to this group:
> ...
> - The ESNI detector only matches the ESNI encrypted_server_name extension 0xffce (draft-ietf-tls-esni-00 through -06), not the ECH extensions encrypted_client_hello 0xff02, ech_nonce 0xff03, outer_extension 0xff04 (draft-ietf-tls-esni-07).

Interesting that encrypted client hello is not blocked, as this would also make the SNI private! Perhaps this is targeting by adoption, rather than capability. If hosts move to encrypted client hello, will this next be blocked?

Also, per https://tools.ietf.org/html/draft-ietf-tls-esni-07#section-10.5.4 :

```
Moreover, as more clients enable ECH support, e.g., as normal part of
Web browser functionality, with keys supplied by shared hosting
providers, the presence of ECH extensions becomes less unusual and
part of typical client behavior. In other words, if all Web browsers
start using ECH, the presence of this value will not signal unusual
behavior to passive eavesdroppers.
```

:P

best regards,
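As an added example, not part of this thread or of the report it discusses: a small Python parser that pulls the extension list out of a TLS ClientHello record and reports whether the hello carries plaintext SNI, the draft-00..06 ESNI codepoint 0xffce that the detector described above matches, or one of the draft-07 ECH codepoints (0xff02, 0xff03, 0xff04) that it does not. The `build_client_hello` helper fabricates minimal ClientHellos for the demonstration (constructed input, no captured traffic); the intended use is auditing what clients on your own network still emit, to tell whether they are on the blocked ESNI draft or the unblocked ECH draft.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Extension codepoints quoted in the thread
SNI_EXT = 0x0000                 # server_name (plaintext SNI)
ESNI_EXT = 0xFFCE                # encrypted_server_name, draft-ietf-tls-esni-00..-06
ECH_EXTS = {                     # draft-ietf-tls-esni-07
    0xFF02: "encrypted_client_hello",
    0xFF03: "ech_nonce",
    0xFF04: "outer_extension",
}


def parse_client_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} from a TLS record holding a ClientHello.

    Walks: record header (5 bytes) -> handshake header (4 bytes) ->
    legacy_version, random, session_id, cipher_suites, compression_methods -> extensions.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]

    off = 2 + 32                                   # legacy_version + random
    sid_len = ch[off]; off += 1 + sid_len          # session_id
    cs_len = struct.unpack("!H", ch[off:off + 2])[0]; off += 2 + cs_len   # cipher_suites
    cm_len = ch[off]; off += 1 + cm_len            # compression_methods
    if off >= len(ch):
        return {}                                  # no extensions block at all

    ext_total = struct.unpack("!H", ch[off:off + 2])[0]; off += 2
    end = off + ext_total
    exts: Dict[int, bytes] = {}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[off:off + 4]); off += 4
        exts[etype] = ch[off:off + elen]; off += elen
    return exts


def sni_hostname(exts: Dict[int, bytes]) -> Optional[str]:
    """Decode the host_name entry of a plaintext server_name extension, if present."""
    data = exts.get(SNI_EXT)
    if not data or len(data) < 5:
        return None
    # ServerNameList: list_len(2), then entries of name_type(1) name_len(2) name
    name_type = data[2]
    name_len = struct.unpack("!H", data[3:5])[0]
    if name_type != 0:
        return None
    return data[5:5 + name_len].decode("ascii", errors="replace")


def classify_client_hello(record: bytes) -> str:
    """Classify a ClientHello by what a passive observer can see about the server name."""
    exts = parse_client_hello_extensions(record)
    if ESNI_EXT in exts:
        return "esni"            # old draft codepoint: matched by the detector in the report
    if any(t in exts for t in ECH_EXTS):
        return "ech"             # draft-07 codepoints: not matched by that detector
    if SNI_EXT in exts:
        return "plaintext-sni"
    return "no-sni"


def build_client_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello carrying the given extensions (test data only)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    ch = (b"\x03\x03" + b"\x00" * 32               # legacy_version, all-zero random (constructed)
          + b"\x00"                                # empty session_id
          + b"\x00\x02\x13\x01"                    # one cipher suite: TLS_AES_128_GCM_SHA256
          + b"\x01\x00"                            # compression_methods: null only
          + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_extension(hostname: str) -> bytes:
    """Encode a plaintext server_name extension body for a single host_name."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


if __name__ == "__main__":
    samples = {
        "plaintext": build_client_hello([(SNI_EXT, sni_extension("example.com"))]),
        "esni-draft06": build_client_hello([(ESNI_EXT, b"\x00" * 16)]),
        "ech-draft07": build_client_hello([(0xFF02, b"\x00" * 16), (0xFF03, b"\x00" * 16)]),
    }
    for label, rec in samples.items():
        exts = parse_client_hello_extensions(rec)
        print(f"{label:13s} -> {classify_client_hello(rec):14s} sni={sni_hostname(exts)}")
```

Feed it real records by reading the first 5+N bytes of each client-to-server TCP stream from a capture; anything reported as "esni" is a client still on the codepoint the detector matches.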