[tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges

ithor ithor at protonmail.com
Thu Oct 4 06:23:32 UTC 2018
Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, October 3, 2018 4:25 PM, Andreas Krey <a.krey at gmx.de> wrote:

> On Wed, 03 Oct 2018 13:03:14 +0000, ithor wrote:
> ...
>
> > Can you elaborate upon that for the noob I am. If I understand you correctly, when using domain fronting, Tor basically spoofs or "hijacks" the IP address of an existing Azure server client?
>
> SNI: Server Name Indication. While setting up the encryption the client
> needs to send (in cleartext) the host name it wishes to connect to
> (so that the server can use the corresponding certificate). That is how
> https still gives away whom you're talking to.

Ok, correct me if I'm wrong. Is this what happens in a meek request:
1. unencrypted http request with the hostname I want to connect to in cleartext.
2. encrypted https connection to the hostname.
3. encrypted (http?) relay connection to the Tor entry node.

>
> > What exactly is in the SNI: the name of the Azure server or some kind of information of a real client using that service?
>
> The name of some service (web site) hosted. Domain fronting means that
> the meek client uses one hostname for establishing the encryption, and
> inside the encrypted channel a different hostname it actually wants to
> talk to. Google apparently now enforces that these two are the same.

Ok, so here is my question: is this 'some service' some kind of dummy request, like an empty form that just mimics the look of a real request, or is it actually a real-world request to an actual website? The reason I ask is that if the latter is the case (some real website hosted on an Azure server), it might contain information the DPI finds harmful or compromising for some reason or another to the gvt, and so, because I don't know what 'some service' is actually being used, I might very well be playing Russian roulette with the DPI.

>
> > What could China block? The IP of the real client who was spoofed?
>
> The cleartext hostname in the SNI (if it bothers to). (Question is how
> they detect what hostnames are used there.)

Well, if the hostname is sent in cleartext, that shouldn't be too much of a problem...

>
> > What would ESNI (encrypted SNI) bring into the mix concerning meek connections?
>
> Here the SNI host field is already sent encrypted so China can't tell
> anymore which service/website on Azure/whatever you're connecting to,
> it only sees that you are addressing Azure's/Google's/Amazon's/Cloudflare's
> cloud. But it will take time until this is widely in use so that you're
> not suspicious for just using ESNI (not sure if that is an official
> acronym).
>
> Actually:
> https://en.wikipedia.org/wiki/Domain_fronting
> https://blog.cloudflare.com/encrypted-sni/
>
> Andreas
>
> --------------------------------------
>
> "Totally trivial. Famous last words."
> From: Linus Torvalds <torvalds@*.org>
>
> Date: Fri, 22 Jan 2010 07:29:21 -0800
>
> --------------------------------------
>
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
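As an added example (not code from this thread, from meek or from Tor): a minimal parser that pulls the host name out of the SNI extension of a TLS ClientHello, which is exactly the cleartext field Andreas describes as giving away whom you're talking to. The ClientHello bytes are constructed inline for the demo; a hello built without the extension shows the case where there is nothing to read.

```python
import struct

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello (test input built here,
    not a real capture); with sni=None no server_name extension is sent."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        # ServerNameList entry: name_type 0 (host_name) + 16-bit length + name
        server_name = b"\x00" + struct.pack(">H", len(host)) + host
        # extension_type 0x0000 = server_name, then extension_data
        sni_ext = (struct.pack(">HH", 0x0000, len(server_name) + 2)
                   + struct.pack(">H", len(server_name)) + server_name)
        exts = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)      # client_version, random
            + b"\x00"                    # session_id: empty
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # one compression method
            + exts)
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body  # ClientHello, 24-bit len
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # TLS record header

def extract_sni(record):
    """Return the cleartext host_name from the SNI extension, or None
    when the record is not a ClientHello or carries no server_name."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                             # skip headers, version, random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    if pos + 2 > len(record):
        return None                              # no extensions block at all
    ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                   # server_name
            p, end = pos + 2, pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
            while p + 3 <= end:
                name_type, nlen = record[p], struct.unpack(">H", record[p + 1:p + 3])[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += ext_len
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("front.example.com")))  # front.example.com
```

Everything the parser returns is visible before any key exchange happens; the Host header that meek puts inside the encrypted channel never reaches this code, which is the whole point of fronting.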