[tor-dev] Domain Fronting, Meek, Cloudflare, and Encrypted SNI...

Nathaniel Suchy me at lunorian.is
Mon Sep 24 17:46:10 UTC 2018

Hi everyone,

Cloudflare has added support to TLS 1.3 for encrypted server name
indication (SNI). This mailing list post is a high level overview of how
meek could take advantage of this in relation to Cloudflare who until just
now wasn’t an option for domain fronting.

What this means:
Effectively domain fronting works by sending a different SNI and host
header. CDN providers like Cloudflare started double checking to make
governments happy, scratch that line, I mean to protect their customers
from fraud and abuse. They seem to of backtracked now. Encrypted SNI means
that a firewall or coffee shop owner won’t be able to use SNI to see the
real origin of TLS traffic.

Why this matters:
With the right adjustments for TLS 1.3 and Encrypted SNI support,
Cloudflare may be a viable option for Meek.

* Firewall products could always use DPI and block TLS 1.3 altogether.
* Firewall products could block all requests with encrypted SNI.

Thoughts anyone?

* https://blog.cloudflare.com/encrypted-sni/
* https://blog.cloudflare.com/esni
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20180924/6001bb95/attachment.html>

More information about the tor-dev mailing list