And eSNI is not even a solution to anything; it merely pushes a bit of cleartext identification data from one protocol to another, while assuming that lots of websites share a single IP address and that it's not possible to correlate what website on the IP is used by simply observing what kind of packets are sent from a machine, which is actually pretty easy (as each website comes with connections to multiple other IPs with specific sizes of data transfer generating a unique traffic pattern).

Sure it is, you just have to consider the threat model.

Working out what website I'm browsing by doing packet analysis between my client and an IP address is vastly more difficult than just reading "www.pornhub.com" out of the SSL handshake. Despite what you think, it's not "pretty easy".

Just because a security control doesn't mitigate all risks against all threats doesn't mean it's not useful.

But it's not more difficult, it's just a bit of a different approach, where you need to do some work besides parsing to get those patterns, i.e. visit websites. It's more work for software engineers, but not difficult work.

"It's not more difficult" is a claim that at least needs a POC.

Like, build a prototype, show it works for some set of things Cloudflare offers over eSNI today.

Otherwise this claim is hollow. If it isn't more difficult then it sure is weird that nobody does it.

You don't need a PoC, you can just go through the research on traffic analysis to see what's out there. But you are welcome to fund a challenge for it or something like that.

No, see, you're the one claiming it's "not more difficult", so if it now needs funding, apparently, I suggest you put up any funding you think it'll need. The ordinary person presumably would agree that it was "not more difficult" for them to afford a mansion than a shack if you're paying for it.

Let us know how expensive "not more difficult" ends up being. It'd be great to know that DoH plus eSNI made things "not more difficult" by, say, $5M per target. I'd call that more difficult, but I know you disagree.

