[tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 16 13:24:09 UTC 2018


#25804: Domain fronting to App Engine stopped working
-----------------------------------+------------------------
 Reporter:  dcf                    |          Owner:  (none)
     Type:  defect                 |         Status:  new
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------
Changes (by mcs):

 * cc: brade, mcs (added)


Old description:

> On or about 2018-03-13 16:00:00 UTC, domain-fronted requests for
> snowflake-reg.appspot.com stopped working. It appears to affect fronting
> to all appspot.com domains, not only ours. This leaves all currently
> deployed clients unable to register themselves.
>
> Requests now fail with status code 502:
> {{{
> $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
>   HTTP/1.1 502 Bad Gateway
>   Date: Sun, 15 Apr 2018 04:58:49 GMT
>   Content-Type: text/html
>   Server: HTTP server (unknown)
>   Content-Length: 209
>   X-XSS-Protection: 1; mode=block
>   X-Frame-Options: SAMEORIGIN
>   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
> <html><body><h1>502 Bad Gateway</h1>\
> <p>This HTTP request has a Host header that is not covered \
> by the TLS certificate used. Due to an infrastructure change, \
> this request cannot be processed.</p></body></html>
> }}}
>
> This ticket is to document the issue; I'm not sure we can do anything
> about it directly.
>
> Other related tickets:
>  * #22782, use non-Google domain fronts
>  * #25594, use non-fronting-based registration

New description:

 On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for
 snowflake-reg.appspot.com stopped working. It appears to affect fronting
 to all appspot.com domains, not only ours. This leaves all currently
 deployed clients unable to register themselves.

 Requests now fail with status code 502:
 {{{
 $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
   HTTP/1.1 502 Bad Gateway
   Date: Sun, 15 Apr 2018 04:58:49 GMT
   Content-Type: text/html
   Server: HTTP server (unknown)
   Content-Length: 209
   X-XSS-Protection: 1; mode=block
   X-Frame-Options: SAMEORIGIN
   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
 <html><body><h1>502 Bad Gateway</h1>\
 <p>This HTTP request has a Host header that is not covered \
 by the TLS certificate used. Due to an infrastructure change, \
 this request cannot be processed.</p></body></html>
 }}}

 This ticket is to document the issue; I'm not sure we can do anything
 about it directly.

 Other related tickets:
  * #22782, use non-Google domain fronts
  * #25594, use non-fronting-based registration

--

Comment:

 I corrected the month in the ticket description (April instead of March).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25804#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
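
The 502 body quoted in the ticket says the Host header is "not covered by the TLS certificate used". The following is an added sketch of that kind of coverage check, not code from the ticket or from Google's frontend; the SAN list is constructed, and the function names and the "route" result are assumptions made for illustration.

```python
# Added illustration: reject a request whose Host header is not covered by
# the names in the certificate served on the connection.
# Not Google's implementation; the SAN list below is constructed.

def normalize_host(value):
    """Lower-case a Host header value; drop any port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:443
        return host[1:host.find("]")] if "]" in host else host
    return host.split(":", 1)[0].rstrip(".")


def san_matches(pattern, host):
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    stands for exactly one non-empty label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return (len(p_labels) > 2 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return p_labels == h_labels


def host_covered(host_header, cert_sans):
    """True if the Host header names something the certificate covers."""
    host = normalize_host(host_header)
    return any(san_matches(p, host) for p in cert_sans)


def frontend_decision(host_header, cert_sans):
    """Return '502 Bad Gateway' for an uncovered Host, else 'route'
    (hypothetical label meaning the request continues to normal routing)."""
    return "route" if host_covered(host_header, cert_sans) else "502 Bad Gateway"


# Constructed SAN list standing in for the certificate served when the
# TLS connection is made to www.google.com.
SAMPLE_SANS = ["www.google.com", "*.google.com", "google.com"]

if __name__ == "__main__":
    for h in ("www.google.com", "Mail.Google.com:443",
              "a.b.google.com", "snowflake-reg.appspot.com"):
        print(f"{h:28} -> {frontend_decision(h, SAMPLE_SANS)}")
```

With the constructed SAN list, the `Host: snowflake-reg.appspot.com` request from the ticket falls outside every name on the certificate and gets the 502 decision.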

