
[tor-dev] Domain Fronting, Meek, Cloudflare, and Encrypted SNI...



Hi everyone,

Cloudflare has added support for encrypted server name indication (SNI) in TLS 1.3. This mailing list post is a high-level overview of how meek could take advantage of this in relation to Cloudflare, which until just now wasn’t an option for domain fronting.

What this means:
Effectively, domain fronting works by sending a different SNI and Host header. CDN providers like Cloudflare started double-checking to make governments happy, scratch that line, I mean to protect their customers from fraud and abuse. They seem to have backtracked now. Encrypted SNI means that a firewall or coffee shop owner won’t be able to use the SNI to see the real origin of TLS traffic.

Why this matters:
With the right adjustments for TLS 1.3 and Encrypted SNI support, Cloudflare may be a viable option for Meek.

Risks:
* Firewall products could always use DPI and block TLS 1.3 altogether.
* Firewall products could block all requests with encrypted SNI.

Thoughts anyone?

References:
* https://blog.cloudflare.com/encrypted-sni/
* https://blog.cloudflare.com/esni
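As an added example (not part of the post above, and not meek's or Cloudflare's code), here is a small Python parser showing what an on-path observer such as a firewall learns from a TLS ClientHello: the plaintext server_name extension, or merely the presence of an opaque encrypted-SNI extension, which is the hook behind the "block all requests with encrypted SNI" risk. The extension type numbers and the two sample ClientHellos are constructed here for the demonstration.

```python
import struct

# Extension type numbers (assumed for this example): server_name is 0 per
# RFC 6066; the ESNI draft used 0xffce. Neither value appears in the post.
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SNI = 0xFFCE

def build_client_hello(extensions: bytes) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record around the given extensions."""
    body = (b"\x03\x03" + b"\x00" * 32            # client_version + 32-byte random
            + b"\x00"                              # empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname: str) -> bytes:
    """Plaintext server_name extension: name_type host_name (0) + length + name."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data

def esni_extension(blob: bytes) -> bytes:
    """Encrypted SNI extension; the body is opaque ciphertext to the observer."""
    return struct.pack("!HH", EXT_ENCRYPTED_SNI, len(blob)) + blob

def inspect_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read: the plaintext SNI, or that ESNI is in use."""
    pos = 5 + 4 + 2 + 32                                        # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                      # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]      # cipher suites
    pos += 1 + record[pos]                                      # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "esni": False}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + length]
        if ext_type == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]        # skip list len (2) + name_type (1)
            result["sni"] = data[5:5 + name_len].decode()
        elif ext_type == EXT_ENCRYPTED_SNI:
            result["esni"] = True                               # hostname is not recoverable
        pos += 4 + length
    return result

# Constructed samples: one hello with a plaintext SNI, one carrying only an ESNI blob.
PLAIN_HELLO = build_client_hello(sni_extension("cdn.example"))
ESNI_HELLO = build_client_hello(esni_extension(b"\x00" * 16))
```

With the plaintext hello the observer recovers "cdn.example"; with the ESNI hello it only learns that an encrypted-SNI extension is present, which is exactly what a blanket "block ESNI" rule would key on.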

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev