On Wed, 03 Oct 2018 13:03:14 +0000, ithor wrote: ... > Can you elaborate upon that for the noob I am. If i understand you correctly, > when using domain fronting, Tor basically spoofs or "hijacks" the ip address > of an existing Azure server client ?
SNI: Server Name Indication. While setting up the encryption the client needs to send (in cleartext) the host name it wishes to connect to (so that the server can use the corresponding certificate). That is how https still gives away whom you're talking to. > What exactly is in the SNI : the name of the Azure server or some kind of > information of a real client using that service ? The name of some service (web site) hosted. Domain fronting means that the meek client uses one hostname for establishing the encrytion, and inside the encrypted channel a different hostname it actually wants to talk to. Google apparently now enforces that these two are the same. > What could China block ? The ip of the real client who was spoofed ? The cleartest hostname in the SNI (if it bothers to). (Question is how they detect what hostnames are used there.) > What would ESNI (encrypted SNI) bring into the mix concerning meek > connections ? Here the SNI host field is already sent encrypted so china can't tell anymore which service/website on azure/whatever you're connecting to, it only sees that you are addressing azures/googles/amazons/cloudflares cloud. But it will take time until this is widely in use so that you're not suspicious for just using ESNI (not sure if that is an official acronym). Actually: https://en.wikipedia.org/wiki/Domain_fronting https://blog.cloudflare.com/encrypted-sni/ Andreas -- "Totally trivial. Famous last words." From: Linus Torvalds <torvalds@*.org> Date: Fri, 22 Jan 2010 07:29:21 -0800 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
