42 comments

[ 3.6 ms ] story [ 57.0 ms ] thread
Would someone be able to block packets more easily or less easily if TLS didn't have the domain name in the packet in plaintext? Presumably someone couldn't tell where the packet was going, but that might mean you have to send it to the right server in the first place.
If you could remove the common name/url from the clear text portion of the packet, that would make filtering the web site more difficult. Some enterprise firewalls/filters look at the CN to match against a ratings database in lieu of DPI-SSL/MITM. Ex: https://itzecurity.blogspot.com/2014/05/configuring-fortios-...
I suspect if encrypted SNI became popular, you would find them censored via one means or another. I imagine state operators have the resources to scan all domains, connect to them to identify their content and just blacklist their IPs (along with any innocent domains hosted on the same IP).

I could also see state operators mandating the plaintext SNI (by dropping non-SNI TLS), and operating a transparent TLS proxy based on that SNI with their own DNS lookup (so you would have to provide a legit, resolvable hostname in the plaintext SNI).

SNI is used to allow the frontend gateway to select the correct certificate; it should be harder to block if the frontend gateway instead had a single certificate with all the domains it proxied (obviating the need for SNI).

Of course, that means the gateway must terminate the TLS connection for every site (and therefore be able to read its contents), whereas with SNI it could redirect the TLS connection itself to the appropriate server, while being unable to spy on it.

In practice what happened before SNI is that every SSL/TLS site used a dedicated IP, which makes it quite easy to block.

I meant something more like encrypted SNI in TLS 1.3[1], but that has covering as an explicit design goal, so I guess that answers my question.

Still, it's a matter of politics, and not of technology. Google here chooses to stop covering for Telegram/Signal, even if the technology allows it.

[1]: https://www.ietf.org/proceedings/94/slides/slides-94-tls-8.p...

What fortunate timing.
What fortunate timing indeed. That's just a kind reminder about what the interests of Google and Amazon are. Not those of their consumers for sure.

Also, especially Google have all the interest to let the Russians destroy Telegram. At this point I would be very suspicious of all other messengers that still work in Russia.

Edit: also Amnesty International is on it: https://twitter.com/amnesty/status/986955700550144002

>At this point I would be very suspicious of all other messengers that still work in Russia.

That's a conjecture is rational, but I think you already have to be very suspicious of anything that worked there for last 5 years, Telegram inclusively.

It is unbelievable for me that they maintained legal presence in the country up until now, while all others were indiscriminately blocked years ago, and incompliant software authors were raided by 3 letter agencies and raped with assault rifles.

Others were "indiscriminately blocked years ago"? Do you have a source for that?

As far I know - but I might be wrong - Google, Facebook, Instagram or Whatsapp have never been blocked in Russia.

BBM public server was certainly blocked as early as 5 years ago.

Blackphone servers at around 4 or 3 years ago as well, just few months after its market release (while signal is still available though)

All modded GSM phones were under blanket ban for even longer. Modded GSM phone vendors are routinely raided.

Then Line, KaoKao and gazillion of others.

There is no doubt that they were very deliberate in targeting anything with hard crypto.

FB, and Google are routinely complying with Russians, so no wonder about them still being there.

Thanks! It's even more suspicious why Google and Facebook products still works then... And they have never been blocked.
> modded GSM phones

What do you mean by this? I'm genuinely curious. "modded GSM phones" yields zero hits on Google for me.

Stuff like TopSec S35 or Security AG. Some are garage made. All of them basically put a block cypher in between the GSM codec chip and the modem. Such stuff was relatively easy to do on old dumbphones
Are there any modern incarnations?
>while all others were indiscriminately blocked years ago

As far as I am concerned Telegram was blocked for 1) being used by terrorists and 2) the Telegram staff refusing to turn in data to aid the investigation. This has not happened to other messengers like WhatsApp and they are not blocked. Am I wrong?

>WhatsApp and they are not blocked. Am I wrong?

FB routinely complied with regime's requests, just take a look on a number of chatrooms they took down. So no wonder them not being seen as a problem.

Calling Russia a regime is like calling Microsoft "Micro$oft".
I would imagine the analogy would be to call Russia ₽ussia.
Actually there are interesting legal details in the story.

Telegram should be blocked under the Russian court order for not providing decryption keys, but that order doesn't contain ruling to block entire Amazon or Google network - only IP addresses used by Telegram. Whole networks are being blocked under the order by Prosecutor General from 2015 (yes, from 2015, and recently they started to use new order from 2018). But the problem is that Prosecutor's Office doesn't have authority to block messengers, so the order is about discovering illegal content (extremist content or appeals for organizing unapproved rally - not sure if I translated correctly) located on all of those IP addresses which obviously is a lie.

So this is dubious even under russian laws.

Why are they blocking entire networks? Well, the problem is that there are limits in ACL size so if Telegram starts using thousands of IP addresses the tables can become too big. So they chose to block entire networks instead. Also, finding out which IP addresses they are using takes time, distributing and updating blocking rules by ISP takes time (on order of hours, up to a day), so without this Telegram could change IPs faster than they are blocked.

There already are russian businesses that were using IP addresses from those networks, that are suffering damages because of blocking. They are moving to other datacenters in a rush. It is unlikely that they will try to recover damages from the government.

That's bad, especially that last paragraph, but I would lay the blame directly on Amazon and Google. They should kick Telegram out if having them affects other customers. That's standard practice in hosts, for example when a specific website is receiving a DoS, the website is blackholed so other customers don't see their service interrupted.
No, they should not. They are not under russian jurisdiction and are not obliged to comply with russian laws. Or should they comply with laws of Thailand, Iran, China and North Korea too? Kick out sites that criticise communist party?
I did not say that. I said that Telegram moved to their clouds to evade the sentence of a judge, which means Russian ISPs resorted to banning entire IP ranges, which means law-abiding customers are now affected by it. This is, because of the malicious actions of Telegram, now Russian citizens can't access law-abiding websites hosted in Google and Amazon. That should bother Google and Amazon, who should guarantee the connectivity of their law-abiding customers by kicking out Telegram so the IP range bans are lifted.

In the end Google and Amazon will kick out Telegram, it's probably a matter of days, so I don't understand what this fuss is about.

Which malicious actions by telegram? Providing their customers with private communication not eavesdropped by the russian government? A government linked with the murder of political oposition personalities? If the Russian government decided to ban Amazon and make law abiding Russian businesses suffer the responsibility lays on the Russian government,not Amazon. I personally think that if Amazon would ban telegram and succumb to the heavy handed Russian policy it'll hurt the law abiding Russian citizen ability to express any dissatisfaction with their government and decisions. This would directly lead to a government that governs for the sake of its own existance and not for the betterment of its citizens. How could it if it doesn't allow the citizens to express their wishes and plights? But that is an internal Russian issue which I believe the Russians should deal with however they like. My interest in Amazon not succumbing is the effect it'll have around the world. I would not like my government to get such ideas because it directly affects my rights.
> In the end Google and Amazon will kick out Telegram,

Telegram invented a nice trick. Durov wants to reward people hosting proxies so Google and Amazon will have to identify them and kick them out too.

Telegram has no authority to ban anything so it cannot be at fault. Trying to make your service work cannot be called "malicious activity".

> That should bother Google and Amazon, who should guarantee the connectivity of their law-abiding customers by kicking out Telegram so the IP range bans are lifted.

This might increase an influx of complaints from other governments. If they kicked out Telegram, why not kick out someone else?

> Telegram has no authority to ban anything so it cannot be at fault. Trying to make your service work cannot be called "malicious activity".

Telegram knew the Russian government was trying to censor them. So they disguised their traffic as Google traffic. Now, because Telegram did this and Russia called their bluff, some Google clients who have nothing to do with Telegram can no longer reach the Russian market.

Why isn't this just as malicious as any other denial of service attack? It sucks for Telegram, but it's not reasonable or sustainable to let anyone who needs to evade censorship impersonate Google.

Well, unlike other execs, Durov has been challenging Russia at a great personal cost for years.
No longer than a couple of years ago Durov was writing sweet fairy tales about Great Russia and how he's never going to leave because it is the greatest place on Earth. Only when his business (based on hosting pirated content and stolen designs) was slightly "shared" with more important people did he suddenly change his tune.

I don't have any opinion on this, but it is rather common sentiment in Runet that really Telegram is in cahoots with Russian TLAs anyway.

If you want to spin conspiracy theories think about the following: It's very likely that every time we hear that government x can't beat software y (TrueCrypt, Telegram, etc.) it's fake news to make you think that software is safe and increase the amount of users who trust it.
Viber currently has problems with connectivity in Russia. They have been complying with russian laws, but they made an unwise decision to use servers in Amazon network that are being blocked now because of Telegram. So the messenger that complies with the law now has problems and Telegram just works.
What are you referring to?
Telegram I'd assume.
I already guessed a few days ago that this is probably the next step we will see from Google and Amazon after the Russian blanket ban on AWS and GCP IPs [1]. It was either that, or the Russian goverment backing off an extreme measure.

[1] https://news.ycombinator.com/item?id=16856763

awful news, but not the end just yet - hopefully amazon and azure stay viable for meek.
This seems like something you could do yourself on a VM instance, no?
It helps a lot more to masquerade as google.com than it does to masquarade as etaioinshrdlu.com. The censors would need to think more about blocking something as big a google than a single use-domain.
Another reason why Google/Amazon is too centralized to be a single point of failure.

We need more decentralized Internet. Not more clever hacks.

> Another reason why Google/Amazon is too centralized to be a single point of failure.

> We need more decentralized Internet. Not more clever hacks.

IIRC, didn't domain fronting only work because Google/Amazon were thought to be too big to block?

IMHO, what we need is a stronger consensus that Western companies shouldn't let themselves be bullied by censorious regimes dangling the promise of profits or access. They shouldn't be allowed to defend such decisions as profit-seeking amorality.

In this particular case, the problem is not Google or Amazon. They are technology providers and isolating each of their customers is actually a good thing.

The problem is the Internet censoring by governments.

Previous discussion: https://news.ycombinator.com/item?id=16868564

As was brought up in the previous thread, though only briefly mentioned in the linked article, domain fronting is used by malware as well. It was allegedly exploited by Russian state-sponsored hacking group APT29.[0][1]

It's unfortunate that it can't be used to help avoid censorship either now, but it was never an intended feature. As the article quotes, other CDNs such as Cloudfront also do not support domain fronting.

[0]: https://www.fireeye.com/blog/threat-research/2017/03/apt29_d...

[1]: https://www.cyberark.com/threat-research-blog/red-team-insig...

You can still use ELB's to hide behind amazon.com, right?