Dan replies:
On Mon, Jul 30, 2012 at 11:33:09AM -0700, Dan Kaminsky wrote:
Basically, if you spoof HTTP or HTTPS headers from a Flash socket to your own IP, with someone else's Host/SNI, a transparent proxy is going to send its interposing content to the Flash SWF and not to the browser. It's a really deployable way to see nasty stuff.
One warning is that if hijacking is DNS based, and not transparent proxy based, you don't see anything with this stunt (though favicon.ico detection still works).
On Mon, Jul 30, 2012 at 10:57 AM, David Fifield david@bamsoftware.com wrote:
I saw an interesting talk by Dan Kaminsky at Def Con that touched on some ideas for censorship detection. He mentioned OONI-probe and talked about his project CensorSweeper. It tests blockedness of web sites by making cross-domain requests for favicon.ico and displaying them in a minesweeper-like grid.

http://www.censorsweeper.com/
https://www.hackerleague.org/hackathons/wsj-data-transparency-code-a-thon/hacks/censorsweeper

He also mentioned something, which unfortunately I didn't follow very closely, about using Flash sockets to spoof HTTP and HTTPS headers. I think the gag here was sending these spoofed connections to a server you control (so you can answer the crossdomain policy requests, without which Flash Player will refuse to connect), but you give it a Host header of a censored site or something like that.

http://miriku.com/wp/2012/07/decon-day-3/comment-page-1/#comment-1416

Unfortunately I don't have the conference DVD which presumably contains the slides he used, but videos usually show up online after some number of months.

David Fifield
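The probe Dan describes above, written out as an added example in Python rather than as a Flash SWF (this is not code from the thread, from CensorSweeper or from OONI-probe; the Flash part only matters for running it from inside a browser, and a plain socket does the same thing from a script). The idea is: open a TCP connection to a server you control, but send an HTTP request whose Host header, or a TLS ClientHello whose SNI, names a censored site. Your own server ignores the name and answers with a recognizable marker; an interposing transparent proxy keys on the name and answers with its block page instead. Assumptions that are mine, not the thread's: the controlled server is expected to reply with a header `X-Probe-Origin: <token>` (any marker you can recognize works), and the helpers `build_client_hello`, `parse_sni`, `build_http_probe`, `classify_response` and `probe_once` are names invented for this example. `parse_sni` is included to show what the interposing device is looking at, and to check the hand-built ClientHello offline.

```python
import os
import socket
import struct
from typing import Optional

# --- probe construction --------------------------------------------------

def build_http_probe(spoofed_host: str, path: str = "/favicon.ico") -> bytes:
    """Plaintext HTTP/1.1 request for your own IP, but with someone else's Host."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {spoofed_host}\r\n"
            "Connection: close\r\n\r\n").encode()


def build_client_hello(sni: str, client_random: Optional[bytes] = None) -> bytes:
    """Hand-built TLS 1.2 ClientHello record carrying only a server_name extension.
    No TLS library is needed because we never intend to finish the handshake:
    we only want to see who answers (our server vs. an interposing proxy)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"   # a few common suites
    name = sni.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + rnd + b"\x00"                   # version, random, no session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                 # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, uint24 len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# --- what a transparent proxy does with it -----------------------------------

def parse_sni(record: bytes) -> Optional[str]:
    """Minimal ClientHello walker returning the host_name in the SNI extension.
    This is the field an HTTPS-interposing proxy keys on, since the Host header
    is still encrypted at this point."""
    if not record or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    if p + 2 > len(hs):
        return None
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:
            q = p + 2                                # skip server_name_list length
            while q + 3 <= p + elen:
                ntype = hs[q]
                nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                if ntype == 0:
                    return hs[q + 3:q + 3 + nlen].decode("idna")
                q += 3 + nlen
        p += elen
    return None


# --- classification of what came back ----------------------------------------

def classify_response(response: bytes, marker: bytes) -> str:
    """'own_server'  : the controlled server answered (marker present)
       'no_response' : nothing came back (RST/timeout; could be blocking, could be noise)
       'interposed'  : something answered, but it was not our server"""
    if not response:
        return "no_response"
    if marker in response:
        return "own_server"
    return "interposed"


def probe_once(server_ip: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send one probe to an IP you control and return whatever comes back.
    Note the caveat from the thread: because we connect to our own IP directly,
    DNS-based hijacking is never exercised by this probe; only on-path
    transparent proxies that inspect Host/SNI will show up."""
    try:
        with socket.create_connection((server_ip, port), timeout=timeout) as s:
            s.sendall(payload)
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except (OSError, socket.timeout):
        return b""
```

In use, you would run `probe_once(MY_SERVER_IP, 80, build_http_probe("censored.example"))` and `probe_once(MY_SERVER_IP, 443, build_client_hello("censored.example"))` from the vantage point under test and feed the result to `classify_response` with the marker your server emits; an HTTPS interposer typically answers the ClientHello with its own certificate or a TCP reset, so for port 443 the "interposed" case will usually be a TLS record that is not from your server rather than an HTML block page.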