net4people / bbs

Forum for discussing Internet censorship circumvention

Netsweeper 6.4.1 (2020-02-25) supports blocking ESNI #44

Open wkrp opened 4 years ago

wkrp commented 4 years ago

There's a Def Con talk this week by Erik Hunstad called "Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise" (abstract, slides, video download, YouTube). It's a talk worth watching—at a high level, it's about how to achieve the same effect as domain fronting using ESNI/ECH, which Erik calls "domain hiding." The associated project Noctilucent is a replacement for the Go crypto/tls package with modifications to facilitate domain hiding: it supports setting an ESNI value that is different from the SNI and the Host header, and allows sending both ESNI and SNI extensions at once. It comes with a fork of Cloak that can use these techniques.

Aside from the main content of the talk, one tidbit that was new to me is that Netsweeper 6.4.1 (archive), released 2020-02-25, and later support detection/blocking of ESNI. This fact is found on page 61 of the slides. Netsweeper's ESNI blocking is all or nothing: you cannot selectively enable it for certain IP addresses, for example. According to Erik, no other commercial firewalls support blocking ESNI at this time.

Features in 6.4.1 EA include:

  • A new protocol ESNI has been added to detect Encrypted Server Name Information that allows users to block all ESNI traffic if they wish

    Change Log 6.4.1

    Ticket   Description
    22358    FEATURE: A new protocol has been added to detect Encrypted Server Name Information. This must be first enabled in the Protocol Patterns, but once enabled users will get esni://destIP:destPort events, instead of https://destIP:destPort events. This allows users who want to block all ESNI traffic to do so. If you do not want to block ALL ESNI traffic it is not recommended to enable this protocol as categorization is not performed.

There is an ISO download at the Netsweeper page; I don't know whether it may contain anything interesting. It may perhaps be possible to identify the ESNI detection module by searching for various forms of 0xffce (big-endian, little-endian, text), which is the code for the ESNI extension.
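The changelog quoted above describes a presence-based check: a ClientHello carrying the ESNI extension (type 0xffce) is logged as an esni://destIP:destPort event instead of https://destIP:destPort, with no categorization of the destination. The following is an added example written for this thread, not Netsweeper's or Noctilucent's code, of what such a detector looks like in practice: it walks the extensions of a TLS ClientHello, pulls out the plaintext SNI if there is one, and emits the event string in the changelog's format. The `build_client_hello` helper only fabricates syntactically valid test records (constructed sample data, with an opaque placeholder payload in the ESNI extension); how Netsweeper actually parses the extension is not known from the slides, so keying on the extension type alone is an assumption of this example.

```python
"""
Added illustration of presence-based ESNI detection on a TLS ClientHello.
Example code for this discussion; not Netsweeper's or Noctilucent's implementation.
"""
import struct

EXT_SERVER_NAME = 0x0000            # RFC 6066 server_name extension (plaintext SNI)
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ietf-tls-esni extension code, as cited in the post


def _parse_sni(edata: bytes):
    """Return the first host_name entry of a server_name extension body, or None."""
    if len(edata) < 2:
        return None
    list_len = struct.unpack("!H", edata[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= min(end, len(edata)):
        name_type = edata[pos]
        nlen = struct.unpack("!H", edata[pos + 1:pos + 3])[0]
        name = edata[pos + 3:pos + 3 + nlen]
        if name_type == 0 and len(name) == nlen:
            return name.decode("ascii", "replace")
        pos += 3 + nlen
    return None


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ClientHello; return the SNI (if any) and the
    set of extension types present. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:            # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                         # legacy_version + random
    pos += 1 + hello[pos]                                # legacy_session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                # legacy_compression_methods
    ext_types, sni = set(), None
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if end > len(hello):
            raise ValueError("extensions block overruns message")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            if len(edata) != elen:
                raise ValueError("truncated extension")
            ext_types.add(etype)
            if etype == EXT_SERVER_NAME and sni is None:
                sni = _parse_sni(edata)
            pos += 4 + elen
    return {"sni": sni, "extensions": ext_types}


def classify_event(record: bytes, dst_ip: str, dst_port: int) -> str:
    """Emit an event in the changelog's format. The check is all-or-nothing on the
    presence of the ESNI extension; a hello carrying both SNI and ESNI (the
    Noctilucent trick mentioned in the post) is still reported as esni://."""
    info = parse_client_hello(record)
    scheme = "esni" if EXT_ENCRYPTED_SERVER_NAME in info["extensions"] else "https"
    return f"{scheme}://{dst_ip}:{dst_port}"


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni: str = None, esni: bool = False) -> bytes:
    """Construct a syntactically valid, cryptographically meaningless ClientHello
    record for testing (constructed sample data, not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if esni:
        exts += _ext(EXT_ENCRYPTED_SERVER_NAME, b"\x00" * 16)      # opaque placeholder payload
    hello = (b"\x03\x03" + b"\x11" * 32                 # legacy_version, random
             + b"\x00"                                  # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
             + b"\x01\x00"                              # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, rec in [("sni only", build_client_hello(sni="example.com")),
                       ("esni only", build_client_hello(esni=True)),
                       ("sni + esni", build_client_hello(sni="example.com", esni=True))]:
        print(f"{label:10s} -> {classify_event(rec, '192.0.2.10', 443)}")
```

Because the detector never looks past the extension type, it cannot tell what site the client is actually reaching, which is exactly why the changelog says categorization is not performed and recommends enabling the protocol only if all ESNI traffic is to be blocked.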