tlswg / sniencryption

Preparing a proposition for SNI encryption in TLS

Token based solution can be defeated by token tracking middlebox. #17

Open huitema opened 6 years ago

huitema commented 6 years ago

R. du Toit pointed out that "The middlebox would not participate or interfere in any of the out-of-band channels between the fronting server and the hidden server, which implies that the middlebox will not be able to decode the session ticket generated by the hidden server - but it does not have to. The middlebox would be able to observe the encoded session ticket in the NewSessionTicket message because it intercepts the initial TLS session between the client and the hidden server (even if mechanism #1 is used for the first session). The middlebox would thus be able to extract the SNI of the hidden server from the NewSessionTicket message and build a mapping of encoded session tickets to hidden servers. TLS sessions (destined to the fronting server) that were not previously intercepted by the middlebox will use PSK identities that are not in the mapping table - the middlebox would likely force intercept of those sessions and strip the unknown PSK identities, which would result in a TLS session that terminates on the fronting server, leaving the fronting server without any knowledge of the hidden server."

A middlebox that sees all client transactions can indeed maintain a history of all client connections. Not clear that this is an attack that can be defeated in the general case.
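A toy model of the tracking behaviour described in this issue, for checking a token-based design against such an observer. It is an added example, not part of the original issue or the draft; the class names, host names and opaque random tickets are assumptions made for illustration.

```python
import secrets

class HiddenServer:
    """Issues opaque tickets; the observer never decodes them."""
    def __init__(self, name):
        self.name, self.tickets = name, set()

    def new_session_ticket(self):
        ticket = secrets.token_hex(16)  # stands in for an encrypted ticket
        self.tickets.add(ticket)
        return ticket

class FrontingServer:
    def __init__(self, name, hidden_servers):
        self.name, self.hidden = name, hidden_servers

    def handle(self, psk_identity):
        """Route to the hidden server that issued the ticket, else terminate here."""
        for server in self.hidden:
            if psk_identity in server.tickets:
                return server.name
        return self.name

class TrackingMiddlebox:
    def __init__(self):
        self.ticket_to_sni = {}  # encoded ticket -> SNI seen in the first session

    def observe_initial_session(self, sni, ticket):
        self.ticket_to_sni[ticket] = sni

    def forward(self, psk_identity, fronting):
        """Return (what the middlebox learned, where the session terminated)."""
        if psk_identity in self.ticket_to_sni:
            return self.ticket_to_sni[psk_identity], fronting.handle(psk_identity)
        return None, fronting.handle(None)  # unknown PSK identity is stripped

def simulate():
    hidden = HiddenServer("hidden.example")          # constructed names
    front = FrontingServer("front.example", [hidden])
    middlebox = TrackingMiddlebox()
    seen = hidden.new_session_ticket()               # first session crossed the middlebox
    middlebox.observe_initial_session(hidden.name, seen)
    unseen = hidden.new_session_ticket()             # first session took another path
    return {"tracked": middlebox.forward(seen, front),
            "untracked": middlebox.forward(unseen, front)}

if __name__ == "__main__":
    print(simulate())
```

In both outcomes the ticket's confidentiality is intact, which is the point of the issue: the mapping is built from what is observable in the first session, not from decoding the ticket.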