Is it assumed that blacklisting IP's is a difficult challenge for a censor? Most major blacklisted sites have static or rarely changing addresses. Still, it's an interesting idea for small back channels.
Various reasons. Here's a technical one: a redirect gets you one more HTTP roundtrip (and perhaps one more TCP roundtrip, and/or one more HTTPS handshake, and/or one more DNS lookup). In other words: this is simple on server-side but slooooooow and brittle on client-side.
As for the scenario "couldn't the censor send a redirect?" - no. Unless the user trusts the censor's CA (Etilasat or eDellRoot comes to mind), the censor doesn't see inside the HTTPS tunnel, only that it exists to an IP address (looked up by a previous DNS request).
9 comments
[ 199 ms ] story [ 493 ms ] threadI wonder if this is even possible with HTTP2?
https://news.ycombinator.com/item?id=13232756
Couldn't they just send a redirect, forcing the client to make a second request which would get blocked?
As for the scenario "couldn't the censor send a redirect?" - no. Unless the user trusts the censor's CA (Etilasat or eDellRoot comes to mind), the censor doesn't see inside the HTTPS tunnel, only that it exists to an IP address (looked up by a previous DNS request).