[tor-bugs] #12208 [Obfuscation/meek]: Make it possible to use an IP address as a front (no DNS request and no SNI)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 1 16:25:31 UTC 2018
#12208: Make it possible to use an IP address as a front (no DNS request and no
SNI)
------------------------------+------------------------------
Reporter: dcf | Owner: dcf
Type: enhancement | Status: needs_review
Priority: Medium | Milestone:
Component: Obfuscation/meek | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+------------------------------
Comment (by dcf):
Replying to [comment:13 cypherpunks]:
> > Will it be easier for a censor to block the SNI-less domain fronting
or it's of similar difficulty as the "original" domain fronting
implementation?
>
> Depends censorship level.
> https://en.wikipedia.org/wiki/Server_Name_Indication#Support
Ya it depends.
[https://www.bamsoftware.com/papers/fronting/#sec:introduction Back in
June 2014] (ctrl+f for "domainless"), about 16% of observed TLS
connections didn't have SNI. I don't know what it is now.
But the TLS fingerprint also matters. If the fingerprint looks exactly
like a specific version of Firefox, except that it lacks SNI, that's
probably unusual enough to block. It would only happen in normal use when
someone browses to an IP address, which is unusual except for rare cases
like https://1.1.1.1/. For this reason I'm thinking of adopting the
[https://github.com/refraction-networking/utls utls] library which allows
modifying the TLS fingerprint from ordinary Go code. In any case, using
the Firefox helper won't be possible when making SNI-less requests,
because I'm not aware of any way to control behavior like that from a
browser extension.
But another issue is potential blocking by the intermediary services.
Maybe a CDN decides they want to always require SNI and they stop dropping
SNI-less connections. [https://www.bamsoftware.com/papers/thesis/#p239
Cloudflare did this in 2015] on all of their edge servers except for a few
special ones, requiring SNI and enforcing a match between SNI and Host
header.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12208#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list