So I've spent some time today trying to understand the various hoopla around "domain fronting". And it's a TOCTOU bug that cloud providers could fix, but hopefully won't. Previous state of the art in bypassing WebSense and Cisco's proxy and FortiGate and the rest was just to hack some random PHP website. This never gets old, and is a good warm-up for real hacking.
The basic understanding is that when you make an HTTPS request, the server presents to you the SSL cert for the website you've requested in your SNI extension header (which is essentially any server set up with Cloudfront or any CDN). Then once your connection is established, you request a different virtual host using the Host header. You can see why AVs that inject into browsers and network proxy appliances want to do MITM on every SSL connection, despite it annoying INFILTRATE's keynote speaker <http://infiltratecon.com/speakers.html>. :)

-dave

* https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/
* http://blog.attackzero.net/2015/11/domain-fronting-and-you.html?m=1 (SNI Explanation)
* https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
* https://www.youtube.com/watch?v=IKO1ovl7Ky4 (CS, HTTP)
* https://www.youtube.com/watch?v=WowECw4YePU (CS, HTTPS)
* http://www.icir.org/vern/papers/meek-PETS-2015.pdf
* https://vimeo.com/202836537 (INNUENDO)
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave