Closed Bug 1540061 Opened 6 years ago Closed 2 years ago

Ability to add arbitrary SNI when using ESNI

Categories

(NSS :: Libraries, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: alireza.root, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

Steps to reproduce:

Iran is blocking TLS connections without an SNI (Server Name Indication) extension in the Client Hello packet. In the ESNI specification draft, it's noted that the server must ignore the SNI record when ESNI is present in the packet. Can we add a configuration parameter to Firefox to add SNI as well when using ESNI? Note that the SNI could be "misleading" (e.g. always pointing to google.com), so it would not be a privacy issue.

This issue is an enhancement. Also, it is too high level for me to understand so I will set the component as (Core) Networking and let a developer decide how to address it. Thank you for your contribution!

Component: Untriaged → Networking
Product: Firefox → Core

Dragana, can you have a look?

Flags: needinfo?(dd.mozilla)

The upcoming version of eSNI will include an SNI value. We need to negotiate with servers on when that can be rolled out, plus work out how to fit it into our schedule.

Assignee: nobody → nobody
Component: Networking → Libraries
Flags: needinfo?(dd.mozilla)
Product: Core → NSS
QA Contact: jjones
Version: 66 Branch → other
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3

Current Firefox version (69.0.1) does not add SNI if ESNI is used.

In Russia, we have lots of ISPs (thousands), each of which has different hardware and implements different blocking methods.
Usually, ESNI makes things worse in terms of website availability for ISPs with DPI.
Russia has a Registry of Blocked Websites, every entry in which includes:

  • Type of blocking: default (usually used for exact HTTP URIs), domain, ip
  • Domain name
  • IP address/addresses
  • Some other non-technical information, like the reason for blocking and the organization which added this item to the list

Example: say we have a blockedwebsite.com HTTPS website which is blocked by domain name (type=domain) and is hosted on Cloudflare. Another (not blocked) website, notblocked.com, shares the same IP address on Cloudflare.

The person wants to access notblocked.com.

What happens with usual SNI: DPI detects a request to an IP address listed in the registry (even type=domain has a list of IP addresses). DPI detects the SNI, checks that it's not in the registry, determines that the user is trying to access a non-blocked website and allows the connection.

What happens with ESNI: DPI detects a request to an IP address listed in the registry. DPI does not detect any SNI in the TLS ClientHello packet and rejects the connection.

Please also note that default DoH resolver, mozilla.cloudflare-dns.com, is blocked in Russia.
https://isitblockedinrussia.com/?host=mozilla.cloudflare-dns.com

Blocks: 1590863
Severity: normal → S3
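The DPI behaviour described in the comment above, as an added example that is not part of this bug or of NSS: it builds minimal constructed TLS 1.3 ClientHellos (with a cleartext SNI, ESNI-only, or both), extracts the server_name extension, and applies the registry logic the commenter describes. The registry entries and IP addresses are constructed, and the ESNI extension codepoint (0xffce) is taken from the ESNI drafts rather than from this page.

```python
import struct

# Extension codepoints (assumed from RFC 6066 and the ESNI drafts; not stated in the bug).
EXT_SERVER_NAME = 0x0000   # server_name
EXT_ESNI = 0xffce          # encrypted_server_name (draft-ietf-tls-esni)


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Length-prefixed vector, as used throughout the TLS wire format."""
    return len(data).to_bytes(len_bytes, "big") + data


def build_client_hello(sni=None, esni=False) -> bytes:
    """Construct a minimal TLS 1.3 ClientHello body (no handshake header).
    The ESNI payload is a placeholder; only its presence matters here."""
    exts = b""
    if sni:
        host = sni.encode()
        # server_name data: ServerNameList<2> of [name_type=0, host_name<2>]
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(host) + 5) + _vec(b"\x00" + _vec(host, 2), 2)
    if esni:
        exts += struct.pack("!HH", EXT_ESNI, 4) + b"\x00" * 4
    return (b"\x03\x03" + b"\x00" * 32      # legacy_version, random (zeros, constructed)
            + _vec(b"", 1)                   # legacy_session_id
            + _vec(b"\x13\x01", 2)           # cipher_suites: TLS_AES_128_GCM_SHA256
            + _vec(b"\x00", 1)               # legacy_compression_methods: null
            + _vec(exts, 2))                 # extensions


def parse_extensions(ch: bytes) -> dict:
    """Return {extension_type: data} from a ClientHello body."""
    pos = 34                                             # skip version + random
    pos += 1 + ch[pos]                                   # legacy_session_id
    pos += 2 + int.from_bytes(ch[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + ch[pos]                                   # compression methods
    end = pos + 2 + int.from_bytes(ch[pos:pos + 2], "big")
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        exts[etype] = ch[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def cleartext_sni(exts: dict):
    """Host name from the server_name extension, or None if it is absent."""
    data = exts.get(EXT_SERVER_NAME)
    if not data:
        return None
    n = int.from_bytes(data[3:5], "big")   # skip list length(2) + name_type(1)
    return data[5:5 + n].decode()


def dpi_decision(registry: dict, dst_ip: str, ch: bytes) -> str:
    """Model of the ISP DPI in the comment: connections to a listed IP are
    inspected; no readable SNI means reject, otherwise check the domain list."""
    if dst_ip not in registry["ips"]:
        return "allow"
    sni = cleartext_sni(parse_extensions(ch))
    if sni is None:
        return "reject"       # ESNI-only ClientHello: nothing to match against
    return "reject" if sni in registry["domains"] else "allow"
```

Adding a cleartext SNI alongside the ESNI extension, as the bug requests, is exactly the case in which `dpi_decision` returns "allow" for a shared Cloudflare IP.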

This is no longer relevant for ECH.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID