[tor-dev] Domain Fronting, Meek, Cloudflare, and Encrypted SNI...

David Fifield david at bamsoftware.com
Thu Oct 4 01:01:21 UTC 2018


On Mon, Oct 01, 2018 at 07:55:31PM +0200, Andreas Krey wrote:
> On Mon, 24 Sep 2018 20:23:58 +0000, David Fifield wrote:
> ...
> > "encrypted SNI" part. But it's possible to do better: if you're willing
> > to abandon HTTP/1.1 compatibility and require HTTP/2, you can use the
> > "server push" feature to implement a serialization that's much more
> > efficient than the current one in meek.
> 
> How about websockets instead of trying to cram this into HTTP/2?

And for that matter, why not a plain old HTTP CONNECT proxy? That would
be even more efficient. But we're limited to what the CDN supports. Most
CDNs only support basic methods like GET and POST, not CONNECT or the
special headers needed by WebSocket.

Cloudflare does support WebSocket, though:
https://www.cloudflare.com/website-optimization/web-sockets/
https://blog.cloudflare.com/cloudflare-now-supports-websockets/
So this, combined with encrypted SNI, could be a viable technique when
tunneling through Cloudflare--it just wouldn't be portable to other
services. We even already have an existing WebSocket-based pluggable
transport implementation--it would need changes to the client to support
encrypted SNI.
https://gitweb.torproject.org/pluggable-transports/websocket.git/
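As an added illustration of why the thread wants a full-duplex channel (WebSocket, HTTP/2 push, or CONNECT) instead of meek's request/response scheme, here is a simplified model of that serialization. This is constructed example code, not code from the post, from meek, or from the websocket transport; the per-body size cap, the session-id keyed queues and the client poll loop are assumptions that approximate meek's behaviour, and the client is told how many downstream bytes to expect so the model stays deterministic.

```python
from collections import deque

MAX_BODY = 64 * 1024   # assumed cap on bytes carried per HTTP body


class MeekServer:
    """Server end of the tunnel: per-session upstream sink and downstream queue."""

    def __init__(self):
        self.upstream = {}    # session id -> bytes received from the client
        self.downstream = {}  # session id -> deque of chunks waiting for the client

    def queue_downstream(self, sid, data):
        """Data the server wants to send. It cannot be pushed: it sits in the
        queue until the client's next request gives it a response to ride on."""
        q = self.downstream.setdefault(sid, deque())
        for i in range(0, len(data), MAX_BODY):
            q.append(data[i:i + MAX_BODY])

    def handle_post(self, sid, body):
        """One HTTP exchange: the request body carries upstream bytes, the
        response body carries at most one queued downstream chunk."""
        self.upstream.setdefault(sid, bytearray()).extend(body)
        q = self.downstream.get(sid)
        return bytes(q.popleft()) if q else b""


def tunnel(server, sid, upstream, expected_down):
    """Client poll loop: send upstream in body-sized pieces, then keep polling
    with empty bodies until all expected downstream bytes have arrived.
    Returns (downstream bytes received, number of HTTP round trips used)."""
    received = bytearray()
    rounds = 0
    pos = 0
    while pos < len(upstream) or len(received) < expected_down:
        body = upstream[pos:pos + MAX_BODY]
        pos += len(body)
        received.extend(server.handle_post(sid, body))  # one full HTTP round trip
        rounds += 1
    return bytes(received), rounds


if __name__ == "__main__":
    # Constructed scenario: 256 KiB up, 1 MiB down on one session.
    srv = MeekServer()
    srv.queue_downstream("sess-1", b"d" * (16 * MAX_BODY))
    down, rounds = tunnel(srv, "sess-1", b"u" * (4 * MAX_BODY), 16 * MAX_BODY)
    # Every 64 KiB in either direction costs a request; a duplex stream needs one.
    print(f"received {len(down)} bytes downstream in {rounds} HTTP round trips")
```

The round-trip count is driven by the larger of the two directions because the client must keep issuing requests just to give the server something to answer; a WebSocket through Cloudflare would carry both directions on one long-lived connection.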