[tor-dev] Domain Fronting, Meek, Cloudflare, and Encrypted SNI...
david at bamsoftware.com
Tue Sep 25 02:23:58 UTC 2018
On Mon, Sep 24, 2018 at 01:46:10PM -0400, Nathaniel Suchy wrote:
> What this means:
> Effectively domain fronting works by sending a different SNI and host header.
> CDN providers like Cloudflare started double checking to make governments
> happy, scratch that line, I mean to protect their customers from fraud and
> abuse. They seem to of backtracked now. Encrypted SNI means that a firewall or
> coffee shop owner won’t be able to use SNI to see the real origin of TLS
What we would need in order for meek to used encrypted SNI would be
1) support for encrypted SNI in Go's crypto/tls package; or
2) support for encrypted SNI in the Firefox that ships with Tor
Browser, which meek-client could use through its TLS camouflage
IMO (2) is less desirable because I'd like to get rid of the TLS
camouflage helper support and replace it with a Go-level TLS camouflage
library: https://github.com/refraction-networking/utls. The TLS helper
works, but its complexity is a pain to deal with and leads to problems
like https://bugs.torproject.org/12774 https://bugs.torproject.org/25405.
Note, however, that a transport based on encrypted SNI doesn't have to
be meek per se. I use "meek" to refer to a specific combination of
domain fronting and a certain (fairly stupid and inefficient) HTTP/1.1
serialization of a bidirectional byte stream. It's conceptually
straightforward to simply replace the "domain fronting" part with an
"encrypted SNI" part. But it's possible to do better: if you're willing
to abandon HTTP/1.1 compatibility and require HTTP/2, you can use the
"server push" feature to implement a serialization that's much more
efficient than the current one in meek. It may even be better to start
over with a new codebase, it's not like meek's code is that large.
But tjr's point stands: I think it's best not to push anything like this
out until after encrypted SNI has seen some level of adoption by
More information about the tor-dev