[tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 16 17:03:49 UTC 2018


#25804: Domain fronting to App Engine stopped working
-----------------------------------+------------------------
 Reporter:  dcf                    |          Owner:  (none)
     Type:  defect                 |         Status:  new
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:  moat                   |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------
Changes (by dcf):

 * keywords:   => moat


Old description:

> On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for
> snowflake-reg.appspot.com stopped working. It appears to affect fronting
> to all appspot.com domains, not only ours. This leaves all currently
> deployed clients unable to register themselves.
>
> Requests now fail with status code 502:
> {{{
> $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
>   HTTP/1.1 502 Bad Gateway
>   Date: Sun, 15 Apr 2018 04:58:49 GMT
>   Content-Type: text/html
>   Server: HTTP server (unknown)
>   Content-Length: 209
>   X-XSS-Protection: 1; mode=block
>   X-Frame-Options: SAMEORIGIN
>   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
> <html><body><h1>502 Bad Gateway</h1>\
> <p>This HTTP request has a Host header that is not covered \
> by the TLS certificate used. Due to an infrastructure change, \
> this request cannot be processed.</p></body></html>
> }}}
>
> This ticket is to document the issue; I'm not sure we can do anything
> about it directly.
>
> Other related tickets:
>  * #22782, use non-Google domain fronts
>  * #25594, use non-fronting-based registration

New description:

 On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for
 *.appspot.com stopped working. It appears to affect fronting to all
 appspot.com domains, not only ours. This has broken Snowflake client
 registration and Moat (#25807).

 Requests now fail with status code 502:
 {{{
 $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
   HTTP/1.1 502 Bad Gateway
   Date: Sun, 15 Apr 2018 04:58:49 GMT
   Content-Type: text/html
   Server: HTTP server (unknown)
   Content-Length: 209
   X-XSS-Protection: 1; mode=block
   X-Frame-Options: SAMEORIGIN
   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
 <html><body><h1>502 Bad Gateway</h1>\
 <p>This HTTP request has a Host header that is not covered \
 by the TLS certificate used. Due to an infrastructure change, \
 this request cannot be processed.</p></body></html>
 }}}

 This ticket is to document the issue; I'm not sure we can do anything
 about it directly.

 Other related tickets:
  * #22782, use non-Google domain fronts
  * #25594, use non-fronting-based registration

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25804#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
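
Added example (not part of the ticket, and not Google's code): the 502 body above says the Host header is not covered by the TLS certificate used. The Python below models that condition with RFC 6125-style name matching, so the failing request can be compared with one whose SNI and Host agree. The certificate name lists are constructed sample values and fronting_rejected is a hypothetical helper.

```python
# Added illustration: models the condition named in the 502 body.
# Not code from the ticket and not Google's implementation.

# Constructed sample data: DNS names on the certificate served for each SNI.
CERT_NAMES_BY_SNI = {
    "www.google.com": ["www.google.com", "*.google.com"],
    "snowflake-reg.appspot.com": ["*.appspot.com", "appspot.com"],
}


def name_matches(pattern, host):
    """RFC 6125-style match: '*' is allowed only as the entire leftmost
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two literal labels after the wildcard (no '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def host_covered(host_header, cert_names):
    """True if the Host header (optional :port stripped) matches any name."""
    host = host_header.strip().split(":")[0]
    return any(name_matches(n, host) for n in cert_names)


def fronting_rejected(sni, host_header, certs=CERT_NAMES_BY_SNI):
    """Hypothetical helper: would a front end that enforces 'Host must be
    covered by the certificate used' refuse this request?"""
    return not host_covered(host_header, certs.get(sni.lower(), []))


if __name__ == "__main__":
    cases = [
        ("www.google.com", "snowflake-reg.appspot.com"),  # the ticket's request
        ("snowflake-reg.appspot.com", "snowflake-reg.appspot.com:443"),
        ("www.google.com", "www.google.com"),
    ]
    for sni, host in cases:
        verdict = "502 rejected" if fronting_rejected(sni, host) else "accepted"
        print(f"SNI={sni:28} Host={host:32} -> {verdict}")
```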

