top | item 23477476


shockinglytrue | 5 years ago

> Now all those traffic shaping middle-boxes are worthless

No reasonable implementation of encrypted SNI has been proposed or standardized. Those middleboxes are still more than useful.

AFAIK in QUIC there is some light obfuscation of the ClientHello, but it is not intended to be an anti-filtering measure; middleboxes can still fish out any presented name with a little bit of new code.

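To make the comment's point concrete, here is an added example (not code from the thread or from any of the projects mentioned) showing how little a middlebox needs in order to read the presented name from a cleartext TLS ClientHello: a small SNI parser and a toy shaping decision built on it. The ClientHello is constructed inline for the example, with an extra `supported_versions` extension in front of `server_name` so the parser has to walk the extension list; the throttle list is a made-up placeholder.

```python
import struct

# Field values from the TLS record and handshake layers (RFC 8446).
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
SNI_HOST_NAME = 0x00


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record carrying a
    server_name extension. This is a constructed sample, not a capture."""
    name = hostname.encode("ascii")
    sni_entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension placed first, so server_name is not at offset 0.
    ext_versions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + bytes([2, 0x03, 0x04])
    extensions = ext_versions + ext_sni
    body = (
        b"\x03\x03"                                # legacy_version
        + bytes(32)                                # random (zeros in this sample)
        + b"\x00"                                  # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # legacy_compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if the record
    is not a ClientHello, carries no server_name, or is truncated."""
    try:
        if record[0] != RECORD_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                           # legacy_version + random
        pos += 1 + body[pos]                                   # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # legacy_compression_methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if name_type == SNI_HOST_NAME and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
                q += 3 + name_len
    except (struct.error, IndexError):
        return None   # truncated or malformed input: report nothing rather than crash
    return None


def shape_decision(record: bytes, throttled: frozenset) -> str:
    """Toy traffic-shaping policy keyed purely on the cleartext SNI."""
    name = parse_sni(record)
    if name is None:
        return "no-sni"
    return "throttle" if name in throttled else "pass"


if __name__ == "__main__":
    sample = build_client_hello("example.com")
    print(parse_sni(sample))
    print(shape_decision(sample, frozenset({"video.example"})))
```

The parser touches only the first few dozen bytes of the first record on the connection, which is why SNI-based shaping is cheap for a middlebox and why it keeps working until the name itself is encrypted. An encrypted or non-handshake record (first byte 0x17) yields no name at all, which is the situation the ESNI draft is trying to create for the inner hostname.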

tialaramex | 5 years ago

What about EKR's

https://datatracker.ietf.org/doc/draft-ietf-tls-esni/

... do you feel is unreasonable?

shockinglytrue | 5 years ago

Unsurprisingly for a spec from Fastly & CloudFlare, the privacy offered is predicated on the existence of large centralized providers that due to their size cannot be blocked. One outcome of this design is that if you want to offer truly private service to an end user, you must have a relationship with one of these providers, otherwise your traffic, even if it implements the spec, becomes easily identifiable as its EKR config was served by some unique non-shared infrastructure.

In practical terms I guess it is reasonable, but viewed from the angle of how the Internet was originally intended to work, it is obviously abhorrent and self-serving.