[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working



#25804: Domain fronting to App Engine stopped working
-----------------------------------+------------------------
 Reporter:  dcf                    |          Owner:  (none)
     Type:  defect                 |         Status:  new
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------

Comment (by dcf):

 Replying to [comment:2 cypherpunks]:
 > > <p>This HTTP request has a Host header that is not covered \
 > > by the TLS certificate used. Due to an infrastructure change, \
 > > this request cannot be processed.</p></body></html>
 >
 > No domain fronting to App Engine but works without SNI

 I confirm that this is the case. Resolve www.google.com to an IP address,
 access the server via its IP address (need to override the certificate
 check) and pass a Host header:
 {{{
 $ dig +short www.google.com
 172.217.11.164
 $ wget --content-on-error --save-header --no-check-certificate -q -O-
 https://172.217.11.164/ip --header 'Host: snowflake-reg.appspot.com'
 HTTP/1.1 200 OK
 Content-Type: text/plain; charset=utf-8
 X-Cloud-Trace-Context: b0805cfcb7d0d60a3f5352c65879afaa
 Date: Sun, 15 Apr 2018 22:18:54 GMT
 Server: Google Frontend
 Content-Length: 13
 Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431;
 quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"

 X.X.X.X
 }}}

 Related meek ticket (not implemented):
  * #12208: Make it possible to use an IP address as a front

 If someone has a ticket for SNI-less Snowflake rendezvous, it would be
 very welcome. The relevant code is here:
 https://gitweb.torproject.org/pluggable-
 transports/snowflake.git/tree/client/rendezvous.go?id=c61336c897b5d21cc94a21241e98b33df5dcbf78#n61

 Here is a cheesy proof of concept. It's not suitable because it disable
 certificate verification (`InsecureSkipVerify`). What's needed is another
 parameter to verify the certificate ''as if'' we had accessed
 www.google.com (or other specific domain).
 {{{#!diff
 diff --git a/client/rendezvous.go b/client/rendezvous.go
 index cab7f5a..c74e041 100644
 --- a/client/rendezvous.go
 +++ b/client/rendezvous.go
 @@ -14,9 +14,11 @@ package main
  import (
         "bufio"
         "bytes"
 +       "crypto/tls"
         "errors"
         "io/ioutil"
         "log"
 +       "net"
         "net/http"
         "net/url"
         "os"
 @@ -46,6 +48,10 @@ type BrokerChannel struct {
  func CreateBrokerTransport() http.RoundTripper {
         transport := http.DefaultTransport.(*http.Transport)
         transport.Proxy = nil
 +       // haxxx
 +       transport.TLSClientConfig = &tls.Config{
 +               InsecureSkipVerify: true,
 +       }
         return transport
  }

 @@ -61,9 +67,17 @@ func NewBrokerChannel(broker string, front string,
 transport http.RoundTripper)
         bc := new(BrokerChannel)
         bc.url = targetURL
         if "" != front { // Optional front domain.
 -               log.Println("Domain fronting using:", front)
 +               var addr net.Addr
 +               addr, err = net.ResolveIPAddr("ip", front)
 +               if nil != err {
 +                       addr, err = net.ResolveTCPAddr("tcp", front)
 +                       if nil != err {
 +                               return nil
 +                       }
 +               }
 +               log.Println("Domain fronting using:", addr)
                 bc.Host = bc.url.Host
 -               bc.url.Host = front
 +               bc.url.Host = addr.String()
         }

         bc.transport = transport
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25804#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs