DKG analyses the "don't stand out" requirement, and points out that this is in fact a trade-off. From DKG's review:
While I understand the motivation of this section, I think it's interesting that it rules out an entire (simple) class of solution, namely the ssh-style approach: encrypt first (without authenticating the server), then authenticate within the encrypted tunnel. While this approach has several drawbacks (an extra round-trip; leakage of SNI to an active adversary willing to break connections to learn the desired SNI; difficulties for non-crypto load balancers), it is really simple and straightforward to implement and deploy (no third-party coordination, etc). (This proposed approach also violates §2.7, "Fronting Server Spoofing".)
If this approach were widely implemented, it wouldn't "stick out" any more than SNI-free TLS handshakes did 10 years ago. Is it worth documenting some solution of this class, just to provide a standard way to do it, so that everyone doing it would at least be mixed into a single (hopefully large) anonymity set?
Not sure that there is consensus on the specific solution that DKG is proposing, but it is certainly reasonable to describe the trade-off in time.
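To make the class of solution DKG describes concrete, here is an added toy model of the "encrypt first, authenticate inside the tunnel" handshake together with the active-adversary leak he mentions. It is illustration written for this note, not code from DKG's review or from the draft. Everything in it is a stand-in and assumed for the sake of the demo: Z_p^* with p = 2^255 - 19 and g = 2 instead of a real TLS group, a Schnorr signature over a client-side pinned key (`TRUSTED`) instead of a certificate chain, and an HMAC-SHA256 stream cipher with an HMAC tag instead of AES-GCM. The names `Server`, `ActiveAdversary` and `connect` are the example's own.

```python
"""Toy 'ssh-style' handshake: unauthenticated DH first, then SNI and the server's
identity proof inside the tunnel.  Toy primitives only; not a usable protocol."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # prime modulus; exponents are reduced mod p-1 (Fermat), so no subgroup order is needed
G = 2


def h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen() -> tuple:
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes) -> bytes:
    """Schnorr signature (e, s) over msg with private exponent x."""
    k = secrets.randbelow(P - 2) + 1
    e = h(pow(G, k, P).to_bytes(32, "big"), msg)
    s = (k - x * e) % (P - 1)
    return e.to_bytes(32, "big") + s.to_bytes(32, "big")


def verify(y: int, msg: bytes, sig: bytes) -> bool:
    e, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    r = pow(G, s, P) * pow(y, e, P) % P   # g^(k - xe) * g^(xe) = g^k
    return h(r.to_bytes(32, "big"), msg) == e


def derive(c_pub: int, s_pub: int, shared: int) -> bytes:
    """Tunnel key bound to both DH shares; first 16 bytes encrypt, last 16 authenticate."""
    return hashlib.sha256(b"".join(v.to_bytes(32, "big") for v in (c_pub, s_pub, shared))).digest()


def seal(key: bytes, seq: int, pt: bytes) -> bytes:
    """Toy encrypt-then-MAC record: HMAC keystream in counter mode, HMAC tag over seq||ct."""
    ks = b"".join(hmac.digest(key[:16], seq.to_bytes(8, "big") + i.to_bytes(4, "big"), "sha256")
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return ct + hmac.digest(key[16:], seq.to_bytes(8, "big") + ct, "sha256")


def open_(key: bytes, seq: int, rec: bytes):
    ct, tag = rec[:-32], rec[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key[16:], seq.to_bytes(8, "big") + ct, "sha256")):
        return None
    return seal(key, seq, ct)[:len(ct)]   # XOR with the same keystream decrypts


TRUSTED = {}   # client-side pins: SNI -> server identity key (stands in for the PKI check)


class Server:
    def __init__(self, name: str):
        self.name = name
        self.id_priv, self.id_pub = keygen()
        TRUSTED[name] = self.id_pub

    def hello(self, c_pub: int) -> int:
        """ServerHello: only an ephemeral DH share goes on the wire, nothing about identity."""
        self.eph_priv, self.eph_pub = keygen()
        self.key = derive(c_pub, self.eph_pub, pow(c_pub, self.eph_priv, P))
        return self.eph_pub

    def respond(self, c_pub: int, sealed_sni: bytes) -> bytes:
        """Inside the tunnel: read the SNI, answer with identity key + signature over the transcript."""
        sni = open_(self.key, 0, sealed_sni)
        transcript = c_pub.to_bytes(32, "big") + self.eph_pub.to_bytes(32, "big") + sni
        return seal(self.key, 1, self.id_pub.to_bytes(32, "big") + sign(self.id_priv, transcript))


class ActiveAdversary:
    """On-path attacker willing to break the connection: runs its own DH with each side."""
    def __init__(self, target: Server):
        self.target, self.learned = target, []

    def hello(self, c_pub: int) -> int:
        self.m_priv, self.m_pub = keygen()
        self.key_c = derive(c_pub, self.m_pub, pow(c_pub, self.m_priv, P))   # tunnel to client
        s_pub = self.target.hello(self.m_pub)
        self.key_s = derive(self.m_pub, s_pub, pow(s_pub, self.m_priv, P))   # tunnel to server
        return self.m_pub

    def respond(self, c_pub: int, sealed_sni: bytes) -> bytes:
        sni = open_(self.key_c, 0, sealed_sni)
        self.learned.append(sni.decode())   # the SNI leak DKG points out
        body = open_(self.key_s, 1, self.target.respond(self.m_pub, seal(self.key_s, 0, sni)))
        return seal(self.key_c, 1, body)    # relayed, but the signature covers the wrong transcript


def connect(sni: str, peer) -> dict:
    """Client side: two DH shares in the clear, then SNI and identity check inside the tunnel."""
    c_priv, c_pub = keygen()
    s_pub = peer.hello(c_pub)
    key = derive(c_pub, s_pub, pow(s_pub, c_priv, P))
    body = open_(key, 1, peer.respond(c_pub, seal(key, 0, sni.encode())))
    if body is None:
        return {"accepted": False, "wire_plaintext": [c_pub, s_pub]}
    id_pub, sig = int.from_bytes(body[:32], "big"), body[32:]
    transcript = c_pub.to_bytes(32, "big") + s_pub.to_bytes(32, "big") + sni.encode()
    accepted = id_pub == TRUSTED.get(sni) and verify(id_pub, transcript, sig)
    return {"accepted": accepted, "wire_plaintext": [c_pub, s_pub]}   # all a passive observer sees in clear


if __name__ == "__main__":
    srv = Server("secret.example")
    print(connect("secret.example", srv)["accepted"])
    mitm = ActiveAdversary(srv)
    print(connect("secret.example", mitm)["accepted"], mitm.learned)
```

Against a passive observer the wire carries only two DH shares and ciphertext, so the name never appears in the clear. Against the `ActiveAdversary` the SNI is recovered, but the relayed identity proof no longer matches the client's transcript and the client aborts, which is exactly the "willing to break connections" cost DKG notes. The demo also needs two round trips before the client has authenticated anyone, versus one when the SNI is sent in the first flight; that is the extra round-trip drawback.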