#12208: Make it possible to use an IP address as a front (no DNS request and no SNI)
------------------------------+------------------------------
 Reporter:  dcf               |          Owner:  dcf
     Type:  enhancement       |         Status:  needs_review
 Priority:  Medium            |      Milestone:
Component:  Obfuscation/meek  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------------

Comment (by dcf):

 Replying to [comment:13 cypherpunks]:
 > > Will it be easier for a censor to block the SNI-less domain fronting or it's of similar difficulty as the "original" domain fronting implementation?
 >
 > Depends censorship level.
 > https://en.wikipedia.org/wiki/Server_Name_Indication#Support

 Ya it depends. [https://www.bamsoftware.com/papers/fronting/#sec:introduction Back in June 2014] (ctrl+f for "domainless"), about 16% of observed TLS connections didn't have SNI. I don't know what it is now.

 But the TLS fingerprint also matters. If the fingerprint looks exactly like a specific version of Firefox, except that it lacks SNI, that's probably unusual enough to block. It would only happen in normal use when someone browses to an IP address, which is unusual except for rare cases like https://1.1.1.1/. For this reason I'm thinking of adopting the [https://github.com/refraction-networking/utls utls] library which allows modifying the TLS fingerprint from ordinary Go code.

 In any case, using the Firefox helper won't be possible when making SNI-less requests, because I'm not aware of any way to control behavior like that from a browser extension.

 But another issue is potential blocking by the intermediary services. Maybe a CDN decides they want to always require SNI and they stop dropping SNI-less connections. [https://www.bamsoftware.com/papers/thesis/#p239 Cloudflare did this in 2015] on all of their edge servers except for a few special ones, requiring SNI and enforcing a match between SNI and Host header.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12208#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
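
Added example, not part of dcf's comment or of meek's code: the comment notes that an SNI-less ClientHello normally appears only when a client connects to an IP address. This Go program uses only the standard crypto/tls package (not utls) to capture the ClientHello for a host name and for an IP literal over an in-memory pipe and checks each for the server_name extension; the function names are chosen here for illustration.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// captureClientHello returns the first handshake message a crypto/tls client sends (in-memory pipe, no network).
func captureClientHello(serverName string) []byte {
	c, s := net.Pipe()
	defer s.Close()
	go func() {
		defer c.Close()
		// InsecureSkipVerify is set only because the handshake is never completed.
		_ = tls.Client(c, &tls.Config{ServerName: serverName, InsecureSkipVerify: true}).Handshake()
	}()
	hdr := make([]byte, 5) // record header: type, version (2), length (2)
	_, _ = io.ReadFull(s, hdr)
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	_, _ = io.ReadFull(s, body) // a short read leaves a truncated hello, which sniFrom tolerates
	return body
}

// sniFrom returns the host name in server_name (extension type 0), or ok=false when it is absent.
func sniFrom(hello []byte) (name string, ok bool) {
	defer func() { _ = recover() }() // truncated input: report "no SNI"
	p := 4 + 2 + 32                                  // handshake header, version, random
	p += 1 + int(hello[p])                           // session ID
	p += 2 + int(binary.BigEndian.Uint16(hello[p:])) // cipher suites
	p += 1 + int(hello[p])                           // compression methods
	for p += 2; p+4 <= len(hello); {                 // skip the extensions length field
		typ, n := binary.BigEndian.Uint16(hello[p:]), int(binary.BigEndian.Uint16(hello[p+2:]))
		if typ == 0 { // list length (2), name type (1), name length (2), name
			return string(hello[p+9 : p+4+n]), true
		}
		p += 4 + n
	}
	return "", false
}

func main() {
	for _, sn := range []string{"example.com", "1.1.1.1"} { // constructed sample inputs
		name, ok := sniFrom(captureClientHello(sn))
		fmt.Printf("ServerName=%q sni_present=%v sni=%q\n", sn, ok, name)
	}
}
```

The IP-literal case is the one that stands out to an observer: everything else in the ClientHello is unchanged and only the server_name extension is missing.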