On Mon, 24 Sep 2018 11:57:48 +0000, David Fifield wrote:
> I have to admit that I don't fully understand the apparent enthusiasm for encrypted SNI from groups that formerly were not excited about domain fronting.
It's simply wrong to use different names in SNI and the host header. :-)
> customer's domains are potentially affected, rather than just one. It's a rational enough viewpoint (greater potential collateral damage → lower probability of blocking), but to my mind encrypted SNI doesn't fundamentally alter the nature of the game, it just raises the stakes.
But in a game-changingly massive way. Remember the github blocking?
When you block one domain that is on Cloudflare, almost nobody will care. When you block all of Cloudflare you will get an outcry from a lot of people and, probably worse for the censors, businesses.
- Andreas