[tor-bugs] #22782 [Obfuscation/Snowflake]: Additional domain fronts for Snowflake rendezvous

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 30 18:09:41 UTC 2018


#22782: Additional domain fronts for Snowflake rendezvous
-----------------------------------+------------------------------
 Reporter:  cypherpunks            |          Owner:  (none)
     Type:  enhancement            |         Status:  needs_review
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------------

Comment (by joncamfield):

 Note that Amazon may also be dropping this support soon:

 https://aws.amazon.com/blogs/security/enhanced-domain-protections-for-amazon-cloudfront-requests/

 "
 **Enhanced Protection against Domain Fronting**
 CloudFront will also soon be implementing enhanced protections against
 so-called “Domain Fronting”. Domain Fronting is when a non-standard client
 makes a TLS/SSL connection to a certain name, but then makes a HTTPS
 request for an unrelated name. For example, the TLS connection may connect
 to “www.example.com” but then issue a request for “www.example.org”.

 In certain circumstances this is normal and expected. For example,
 browsers can re-use persistent connections for any domain that is listed
 in the same SSL Certificate, and these are considered related domains. But
 in other cases, tools including malware can use this technique between
 completely unrelated domains to evade restrictions and blocks that can be
 imposed at the TLS/SSL layer.

 To be clear, this technique can’t be used to impersonate domains. The
 clients are non-standard and are working around the usual TLS/SSL checks
 that ordinary clients impose. But clearly, no customer ever wants to find
 that someone else is masquerading as their innocent, ordinary domain.
 Although these cases are also already handled as a breach of our AWS Terms
 of Service, in the coming weeks we will be checking that the account that
 owns the certificate we serve for a particular connection always matches
 the account that owns the request we handle on that connection. As ever,
 the security of our customers is our top priority, and we will continue to
 provide enhanced protection against misconfigurations and abuse from
 unrelated parties."

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22782#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
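The AWS text quoted above describes the server-side condition it intends to enforce: the name the TLS connection was made to (the SNI, for which a certificate is served) and the name in the HTTP request's Host header should belong to the same owner, with names on the same certificate treated as related. The following is an added illustration of that consistency check, written for this page and not taken from the ticket, from Snowflake, or from Amazon's implementation. It assumes the operator can see the SNI, the served certificate's SAN list and the raw HTTP/1.1 request head; the certificate names and requests are constructed sample values.

```python
"""Added example (not from the ticket or the AWS post): classify an HTTPS
request by comparing its Host header against the TLS SNI and the SAN list of
the certificate served on that connection. Sample names are constructed."""

from typing import List, Optional


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate dNSName `pattern` covers `hostname`.

    A wildcard is honoured only as the whole leftmost label ("*.example.com")
    and matches exactly one label, the way browsers apply RFC 6125.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    # "www.example.com" matches; "example.com" and "a.b.example.com" do not
    return bool(prefix) and "." not in prefix


def host_from_request(raw: bytes) -> Optional[str]:
    """Extract the Host header (without port) from an HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def classify(sni: str, cert_sans: List[str], raw_request: bytes) -> str:
    """Classify one connection/request pair.

    'ok'       Host equals the SNI.
    'related'  Host differs but is covered by the served certificate, the
               browser connection-reuse case the AWS text calls related.
    'fronted'  Host is not covered by that certificate at all.
    'no-host'  The request carries no Host header.
    """
    host = host_from_request(raw_request)
    if host is None:
        return "no-host"
    if host == sni.lower():
        return "ok"
    if any(san_matches(san, host) for san in cert_sans):
        return "related"
    return "fronted"


# Constructed sample certificate: covers example.com and its direct subdomains.
SAMPLE_SANS = ["example.com", "*.example.com"]


def make_request(host: str) -> bytes:
    """Build a minimal HTTP/1.1 request head with the given Host header."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host).encode("ascii")


if __name__ == "__main__":
    for target in ("www.example.com", "api.example.com", "www.example.org"):
        print(target, "->", classify("www.example.com", SAMPLE_SANS, make_request(target)))
```

A check like this runs after TLS termination and before the request is routed; the interesting result is "fronted", where the request names a host the served certificate does not vouch for. Whether that is rejected or only logged is a policy decision, and the "related" bucket exists so that ordinary connection reuse across names on one certificate is not mistaken for it.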

