On Tue, Sep 09, 2014 at 09:05:21PM -0400, Andrew Lewman wrote:
> Unless some company/country is going to block all of Cloudflare or a CDN, our mirrors can still be reachable. This is the same idea that David Fifield is counting on with the meek transport using Google App Engine. Blocking all of Google seems a huge cost vs. the gain of stopping some Tor users.
On that note, it's worth looking at what GreatFire.org is doing for some of their mirror sites: https://github.com/greatfire/wiki.
Here is one of the URLs: https://a248.e.akamai.net/f/1/1/1/dci.download.akamai.com/35985/159415/1/f/ This URL is from an Akamai reseller, http://cachesimple.com/, who have a plan starting at $50/month. The long URL is an explicit form of what normally happens implicitly through SNI at the Akamai CDN (see page 5 of https://research.microsoft.com/en-us/um/people/ratul/akamai/freeflow.pdf for Akamai URL structure). The important thing is that all the blockable content is encrypted in the path component. The censor only gets to see the domain name a248.e.akamai.net, which is some kind of magic Akamai HTTPS domain that's used for tons of stuff. I think a mirror like this would be very hard to block.
I know of another Akamai reseller that would probably work, http://www.hpcloud.com/products-services/cdn. That one apparently gives you URLs that look like https://a248.e.akamai.net/cdn.hpcloudsvc.com/.... This one would also for sure serve the files itself from HP's cloud storage.
Other GreatFire URLs are https://objects.dreamhost.com/freeweibo/index.html and https://edgecastcdn.net/00107ED/g/. The blockable information is hidden in the path component behind the generic shared-SSL domains objects.dreamhost.com and edgecastcdn.net.
As far as I know, https://fw2.azurewebsites.net/ and https://d1stdkq55ggsv7.cloudfront.net/ don't have the same claim to unblockability, because the important information is in the domain. I guess the rationale here is that it's easy to get a new name when an old one gets blocked.
David Fifield
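An added example, not part of the message above or of GreatFire's tooling: a short Python script that splits each URL into what a passive observer of the connection learns (the hostname, via the DNS query and the TLS SNI, plus the port) and what TLS hides (path, query, fragment), then classifies how coarse a hostname-based block would have to be. The set of shared front hostnames is taken from the URLs quoted in the message; treating them as multi-tenant fronts is an assumption made for this illustration.

```python
from urllib.parse import urlsplit

# Shared front-end hostnames named in the message above; treating them as
# generic, multi-tenant fronts is an assumption made for this illustration.
SHARED_HOSTS = {"a248.e.akamai.net", "objects.dreamhost.com", "edgecastcdn.net"}


def observable_parts(url):
    """Split a URL into what a passive observer of the connection can see and
    what it cannot. For https the observer learns the hostname (DNS query and
    TLS SNI) and port; path, query and fragment travel inside the TLS record.
    For plain http the whole request line is visible."""
    u = urlsplit(url)
    if u.scheme == "https":
        visible = {"host": u.hostname, "port": u.port or 443}
        hidden = {"path": u.path, "query": u.query, "fragment": u.fragment}
    else:
        visible = {"host": u.hostname, "port": u.port or 80,
                   "path": u.path, "query": u.query}
        hidden = {}
    return visible, hidden


def blocking_granularity(url, shared_hosts=SHARED_HOSTS):
    """Classify how a censor that only sees hostnames could block this URL:
    'cleartext'      - http; the path is visible, so the URL itself can be matched
    'hostname-level' - tenant-specific name; blocking it has little collateral
    'shared-host'    - generic front; blocking it takes down every tenant behind it"""
    visible, _ = observable_parts(url)
    if "path" in visible:
        return "cleartext"
    if visible["host"] in shared_hosts:
        return "shared-host"
    return "hostname-level"


def collateral(urls):
    """Group URLs by the hostname an observer would have to block and count
    the distinct hidden paths behind each one (the collateral of a block)."""
    groups = {}
    for url in urls:
        visible, hidden = observable_parts(url)
        groups.setdefault(visible["host"], set()).add(hidden.get("path"))
    return {host: len(paths) for host, paths in groups.items()}
```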