[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12208 [Obfuscation/meek]: Make it possible to use an IP address as a front (no DNS request and no SNI)

#12208: Make it possible to use an IP address as a front (no DNS request and no
SNI)
------------------------------+------------------------------
 Reporter:  dcf               |          Owner:  dcf
     Type:  enhancement       |         Status:  needs_review
 Priority:  Medium            |      Milestone:
Component:  Obfuscation/meek  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------------

Comment (by dcf):

 Replying to [comment:13 cypherpunks]:
 > > Will it be easier for a censor to block the SNI-less domain fronting
 or it's of similar difficulty as the "original" domain fronting
 implementation?
 >
 > Depends censorship level.
 > https://en.wikipedia.org/wiki/Server_Name_Indication#Support

 Ya it depends.
 [https://www.bamsoftware.com/papers/fronting/#sec:introduction Back in
 June 2014] (ctrl+f for "domainless"), about 16% of observed TLS
 connections didn't have SNI. I don't know what it is now.

 But the TLS fingerprint also matters. If the fingerprint looks exactly
 like a specific version of Firefox, except that it lacks SNI, that's
 probably unusual enough to block. It would only happen in normal use when
 someone browses to an IP address, which is unusual except for rare cases
 like https://1.1.1.1/. For this reason I'm thinking of adopting the
 [https://github.com/refraction-networking/utls utls] library which allows
 modifying the TLS fingerprint from ordinary Go code. In any case, using
 the Firefox helper won't be possible when making SNI-less requests,
 because I'm not aware of any way to control behavior like that from a
 browser extension.

 But another issue is potential blocking by the intermediary services.
 Maybe a CDN decides they want to always require SNI and they stop dropping
 SNI-less connections. [https://www.bamsoftware.com/papers/thesis/#p239
 Cloudflare did this in 2015] on all of their edge servers except for a few
 special ones, requiring SNI and enforcing a match between SNI and Host
 header.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12208#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs