On Sat, Sep 13, 2014 at 11:00:25PM -0700, David Fifield wrote:
On Tue, Sep 09, 2014 at 09:05:21PM -0400, Andrew Lewman wrote:
Unless some company/country is going to block all of Cloudflare or a CDN, our mirrors can still be reachable. This is the same idea that David Fifield is counting on with the meek transport using Google App Engine. Blocking all of Google seems a huge cost vs the gain of stopping some Tor users.
On that note, it's worth looking at what GreatFire.org is doing for some of their mirror sites: https://github.com/greatfire/wiki.
Here is one of the URLs:
https://a248.e.akamai.net/f/1/1/1/dci.download.akamai.com/35985/159415/1/f/

This URL is from an Akamai reseller, http://cachesimple.com/, who have a plan starting at $50/month. The long URL is an explicit form of what normally happens implicitly through SNI at the Akamai CDN (see page 5 of https://research.microsoft.com/en-us/um/people/ratul/akamai/freeflow.pdf for Akamai URL structure).

The important thing is that all the blockable content is encrypted in the path component. The censor only gets to see the domain name a248.e.akamai.net, which is some kind of magic Akamai HTTPS domain that's used for tons of stuff. I think a mirror like this would be very hard to block.
I found out that the a248.e.akamai.net domain name is DNS-poisoned in China, since late September 2014. https://en.greatfire.org/https/a248.e.akamai.net (Click on one of the calendar dates to see details.)
Their wiki page https://github.com/greatfire/wiki replaced Akamai with Level 3: https://secure.footprint.net/pingfan/fw
David Fifield