Benjamin M. Schwartz

Results 125 comments of Benjamin M. Schwartz

I think I understand the problem. If a CDN has N customers who have CNAMEd their domains to a CDN domain, and some of those customers are using insecure HTTP...

Possible compromise: `disable-https-upgrade` only applies if `echconfig` is also present. This is extremely hacky and I'm not sure I really like it, but it would ensure that this is only...

This is an interesting idea, but I'm not sure it would help. My impression is that servers (especially web servers) are reliably tolerant of TFO, and the problem is that...

Middlebox statistics are easy(?): just send probes to some test domains with known configurations. The fallback logic seems to be about the same with or without this signal. If you're...

I believe this will be handled as part of the RFC Editor's process.

The SOCKS 6 draft, and especially this DNS support proposal, are still early in the IETF review process. Ultimately, I trust the IETF to choose whether this is an acceptable...

To prevent replay attacks, you can bind the `ss-error` response to the request that generated it, e.g. by including the request's salt in the response's AEAD additional data (or in...

With an AEAD cipher, on TCP, the client opens a connection by sending something like

```
[client salt][encrypted length][length-tag][encrypted address][address-tag]
```

A simple version of my proposal would have the...

@Mygod could you add a link to your mailing list message?

Are you aware of a situation where it would be important to serve Outline on an interface that did not exist when the Outline daemon started? Note that SIGHUP, which...