[tor-dev] Domain Fronting, Meek, Cloudflare, and Encrypted SNI...

Tom Ritter tom at ritter.vg
Mon Sep 24 18:15:37 UTC 2018


On Mon, Sep 24, 2018, 12:46 PM Nathaniel Suchy <me at lunorian.is> wrote:

> Hi everyone,
>
> Cloudflare has added support to TLS 1.3 for encrypted server name
> indication (SNI). This mailing list post is a high level overview of how
> meek could take advantage of this in relation to Cloudflare who until just
> now wasn’t an option for domain fronting.
>
> What this means:
> Effectively domain fronting works by sending a different SNI and host
> header. CDN providers like Cloudflare started double checking to make
> governments happy, scratch that line, I mean to protect their customers
> from fraud and abuse. They seem to have backtracked now. Encrypted SNI means
> that a firewall or coffee shop owner won’t be able to use SNI to see the
> real origin of TLS traffic.
>
> Why this matters:
> With the right adjustments for TLS 1.3 and Encrypted SNI support,
> Cloudflare may be a viable option for Meek.
>
> Risks:
> * Firewall products could always use DPI and block TLS 1.3 altogether.
> * Firewall products could block all requests with encrypted SNI.
>
> Thoughts anyone?
>

The latter concern seems real enough for me that we should consider not
front-running major adoption in browsers.

-tom
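As an added illustration of the mechanism discussed in the quoted message (this is example code, not code from either poster or from meek): a constructed TLS ClientHello builder plus a parser that extracts what a passive on-path observer can read. With a plaintext `server_name` extension the observer sees the fronting hostname (the real origin lives in the HTTP Host header inside the encrypted stream); with only the draft ESNI extension (codepoint 0xffce from draft-ietf-tls-esni, assumed here to match the 2018 deployment) the hostname is gone, but the extension's mere presence is still visible, which is exactly the second risk listed above.

```python
import struct

EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension
EXT_ENCRYPTED_SNI = 0xffce  # draft-ietf-tls-esni codepoint (assumption, see lead-in)


def build_client_hello(sni=None, encrypted_sni=None):
    """Constructed minimal TLS 1.3-style ClientHello record with an optional
    plaintext server_name extension and/or an opaque ESNI stand-in extension."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = struct.pack("!BH", 0, len(name)) + name       # name_type=host_name
        body = struct.pack("!H", len(entry)) + entry          # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if encrypted_sni is not None:                             # ciphertext is opaque here
        exts += struct.pack("!HH", EXT_ENCRYPTED_SNI, len(encrypted_sni)) + encrypted_sni
    hello = (b"\x03\x03" + b"\x00" * 32          # legacy_version + random (constructed)
             + b"\x00"                            # empty legacy_session_id
             + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                        # compression_methods: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello   # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_sni(record):
    """What a firewall or coffee-shop observer learns from the ClientHello:
    the plaintext SNI hostname, '<encrypted>' if only ESNI is present, else None."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                                         # headers, version, random
    pos += 1 + record[pos]                                   # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                                   # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    seen_esni = False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]     # skip list len + name_type
            return data[5:5 + name_len].decode()
        if etype == EXT_ENCRYPTED_SNI:
            seen_esni = True                                 # presence is itself observable
    return "<encrypted>" if seen_esni else None
```

Run `observe_sni(build_client_hello(sni="front.example"))` to see the fronting name an observer reads, and pass `encrypted_sni=b"\x00" * 16` instead to see that only the extension's presence remains visible.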
