On Mon, Sep 24, 2018, 12:46 PM Nathaniel Suchy <m...@lunorian.is> wrote:
> Hi everyone,
>
> Cloudflare has added support to TLS 1.3 for encrypted server name
> indication (SNI). This mailing list post is a high level overview of how
> meek could take advantage of this in relation to Cloudflare, who until just
> now wasn't an option for domain fronting.
>
> What this means:
> Effectively, domain fronting works by sending a different SNI and Host
> header. CDN providers like Cloudflare started double checking to make
> governments happy, scratch that line, I mean to protect their customers
> from fraud and abuse. They seem to have backtracked now. Encrypted SNI means
> that a firewall or coffee shop owner won't be able to use SNI to see the
> real origin of TLS traffic.
>
> Why this matters:
> With the right adjustments for TLS 1.3 and Encrypted SNI support,
> Cloudflare may be a viable option for Meek.
>
> Risks:
> * Firewall products could always use DPI and block TLS 1.3 altogether.
> * Firewall products could block all requests with encrypted SNI.
>
> Thoughts anyone?

The latter concern seems real enough for me that we should consider not
front-running major adoption in browsers.

-tom
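The distinction the thread turns on (an on-path observer sees the plaintext SNI, not the Host header, and with encrypted SNI sees neither) can be made concrete by parsing a ClientHello the way a middlebox would. The following is an added Python example, not code from the thread, from meek or from Cloudflare. It builds constructed ClientHello records (no captured traffic), then reports what an observer learns: a plaintext hostname, only the presence of an encrypted SNI extension, or nothing. The hostname `front.example` is constructed; the extension code point `0xffce` is assumed to be the one used by the draft-ietf-tls-esni drafts of the time.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066), carried in plaintext
ESNI_EXT = 0xFFCE  # encrypted_server_name; assumed draft-ietf-tls-esni code point


def sni_extension(hostname: str):
    """Build a plaintext server_name extension for `hostname`."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Construct a minimal TLS ClientHello record (constructed sample, not a capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                # legacy_version TLS 1.2
        + bytes(32)                                # client random, zeroed for the sample
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"       # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression methods: null
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record: bytes):
    """Walk a ClientHello record and return {extension_type: extension_data}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
    pos += 1 + record[pos]               # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    exts = {}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        exts[ext_type] = record[pos:pos + length]
        pos += length
    return exts


def observed_sni(record: bytes):
    """What a passive observer learns from the ClientHello alone.

    Returns ("plaintext", hostname), ("encrypted", None) or ("none", None).
    The HTTP Host header is inside the encrypted application data and is
    never visible here, which is why fronting relies on the SNI/Host split.
    """
    exts = parse_extensions(record)
    if SNI_EXT in exts:
        data = exts[SNI_EXT]
        # list_length(2) + name_type(1) + name_length(2) + host_name
        name_len = struct.unpack("!H", data[3:5])[0]
        return ("plaintext", data[5:5 + name_len].decode())
    if ESNI_EXT in exts:
        return ("encrypted", None)
    return ("none", None)


if __name__ == "__main__":
    # Fronted connection: the observer sees only the front hostname.
    fronted = build_client_hello([sni_extension("front.example")])
    # ESNI connection: the observer sees an opaque extension and no hostname.
    esni = build_client_hello([(ESNI_EXT, bytes(16))])
    for label, rec in (("fronted", fronted), ("esni", esni)):
        print(label, observed_sni(rec))
```

With the plaintext record the observer recovers the front hostname and nothing about the origin; with the ESNI record the only thing left to act on is the presence of the extension itself, which is exactly the blunt "block all requests with encrypted SNI" option the thread raises as a risk.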
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev