I think anything looking to serve China should at least avoid hosting on github pages until encrypted SNI is widely available. When someone visits the online documentation at trojan-gfw.github.io, the FQDN is sent plaintext as part of HTTPS.
If the data is plainly on github.com (like the wiki), it would at least require an MITM to see what you are reading. Of course an MITM might be likely in China regardless.
If I can assume Bob has Alice's public key (and that DNS was gold and whatever; i.e. the same axiom ESNI has), then:
- DNS lookup for _esni.domain CNAME _esni.cloudflare.net,
- client connect to _esni.cloudflare.net via HTTPS and negotiate TLS with SNI rejected
- HTTP Host header contains desired target
Servers can trivially support the above "new" protocol (chances are they already do), no changes to DNS clients libraries or servers, and clients can support the new "encrypted SNI" by using OpenSSL APIs that already exist. GFW can't do anything unless cloudflare give them the key for _esni.cloudflare.net.
Everyone wins except the nerds who really wanted to make a new protocol. Oh and they need to walk back this stupid shit:
And the reason this stupid shit of preventing domain fronting was put in place is the exact reason why eSNI doesn't work, i.e. because it prevents state censorship and forces the state to instead block all the IP addresses in turn forcing companies to either cooperate with the state or expose enough identifying info to not interfere with state censorship.
A given server might be hosting multiple websites, each with a different certificate (e.g. a CDN endpoint). It needs to know which certificate to present to the user. Therefore, during the initial TLS handshake, the client sends the server name (hostname) in plaintext in a field called the Server Name Indication (SNI). This is mandated by the fact that a certificate identifies a website, not a server.
This is distinct from the HTTP Host: header, which is sent inside the TLS session and therefore is encrypted along with the rest of the HTTP request.
Cloudflare terminates ssl at the edge, no? Then it has the private key and has no need to care about the site certificate. It just sends a certificate with all hosts in alt names.
Cloudflare has way more customers/hostnames than what would fit into a single X.509 certificate. (They actually do seem to do what you describe to support non-SNI clients, but not on their free tier.)
SNI also allows decoupling TLS and TCP termination, which in turn allows for shared IP addresses and load balancers without necessarily delegating TLS termination and exposing certificates to some shared host.
Back in the day there was mostly only 1 website per IP, so when you connected over port 443 for HTTPS, the server would only have the one cert to give you.
One day people wanted to serve multiple websites from one IP, so they had browsers tell the server which site they are looking for (Server Name Indication); that way the server would know which SSL cert to send for the handshake.
SNI is still plaintext, it's a glaring privacy hole that most people aren't aware of. Encrypted SNI needs to come sooner.
Nope, encrypted SNI cannot work against GFW or pretty much any state censorship as the whole idea is bullshit and relies on everyone a) tunneling DNS queries to a centralized party, which itself only operates under the state's mercy, and b) everyone hosting on a single centralized party and c) this party randomizing IP addresses of web sites (none of the CDNs do that, because they want to avoid risking all of their IP ranges being banned by states because of a single website).
Oh gosh that sounds awful. I have to admit I was using "Encrypted SNI" in a general sense, I hadn't looked at the details of ESNI, the proposed solution. In my head encrypted SNIs was a somewhat straightforward problem to solve but thinking about it more it's a bit tricky. What you describe of ESNI sounds horribly convoluted :(
The key exchange and identification for encrypted X is always the hard part.
For encrypted SNI, keys are expected to be published via DNS, which GFW is happy to disrupt.
Once you get a key, you have to send the key identifier in the clear (otherwise, the service doesn't know how to decrypt; unless you want to just do trial decryption with all available keys and hope that doesn't use too much CPU); the key identifier becomes the enforcement target at this point, unless you're on a host that shares ESNI keys among the many sites it hosts and is not acceptable collateral damage.
I remember the disappointment and discussions of people when Amazon announced the deprecation of the S3 "path-style" hosting in favor of supporting only "virtual-host" style hosting. It was about the same concern (ISPs being able to see which static S3-hosted sites are visited). The discussion even lead to a small change of the AWS S3 roadmap.
2. If it provides a packet with the right (encrypted) password, then the server acts as a SOCKS5 proxy.
3. If it doesn't provide the right password, the server responds like a normal HTTP server over the TLS connection.
Seems pretty clever, the hard bit is making sure the passwords don't leak and the firewall starts bombarding suspect servers with requests (brute-forcing passwords). Also if there are timing differences between a genuinely confused HTTP server and a "Trojan" server faking the confusion, they'd figure that out too.
Also, things like continuous back-and-forth between the client and a simple webserver would be suspicious, because usually clients send small requests in bursts, get the response, and activity would stop (it doesn't apply to streaming sites, obviously, but there the clients won't be as chatty either). So things like Skype calls might be easily recognized...
Personally, I'd be very careful telling people to rely on my software for avoiding the Chinese surveillance - traffic analysis is terrifyingly powerful.
For the people currently using random forks of ShadowsocksR they purchased via shady backchannels, an alternative that is less likely to get blocked is probably more important than absolute security guarantees. After all, most users of censorship circumvention tools aren't secretly plotting revolution, they just want to watch YouTube.
It used to be a standard of good writing to always expand acronyms at first use. That seems to be gone now as frequently I don't see that in practice much anymore.
I don't think it would be very difficult for the Chinese government to demand a compromised root cert authority be installed on every device sold there.
They certainly can try, but major vendor will resist. Kazakhstan government has tried this method[1]. They sure can try sneaky ways, but any imported laptop connecting to hotel Wi-Fi could reveal it.
>They certainly can try, but major vendor will resist
It's China. Apple/Microsoft isn't going to resist. Google might not resist because they're already banned there so they've got nothing to lose. Regardless, it doesn't really matter because there's a bunch of homegrown chromium forks that can readily replace Chrome.
"unidentifiable mechanism"
I'm not sure this is actually true.
You can determine that it is a VPN by checking the amount of exchanged packets between interval of time (e.g. if 5 kbps are routinely sent every 30 seconds for 5 minutes this is totally abnormal)
Another alternative for the government could be to limit the bandwidth and time of hosts who have a big standard deviation in the amount of the packets per second they transmit.
So undetectable I don't think so and I believe smarter people here can find even better ideas.
That being said it's a very nice tool, certainly useful in corporate environments as well (except of course, that it'll be suspicious that one single host is exchanging so much data and keeping so long connections)
39 comments
[ 3.0 ms ] story [ 76.6 ms ] threadIf the data is plainly on github.com (like the wiki), it would at least require an MITM to see what you are reading. Of course an MITM might be likely in China regardless.
It's also worth noting the Tor project has done a lot of work in this area: https://2019.www.torproject.org/docs/pluggable-transports.ht...
Can you please elaborate on that? domain name is sent after ssl handshake, no? Why is it sent plaintext?
https://en.wikipedia.org/wiki/Server_Name_Indication
- DNS lookup for _esni.domain CNAME _esni.cloudflare.net,
- client connect to _esni.cloudflare.net via HTTPS and negotiate TLS with SNI rejected
- HTTP Host header contains desired target
Servers can trivially support the above "new" protocol (chances are they already do), no changes to DNS clients libraries or servers, and clients can support the new "encrypted SNI" by using OpenSSL APIs that already exist. GFW can't do anything unless cloudflare give them the key for _esni.cloudflare.net.
Everyone wins except the nerds who really wanted to make a new protocol. Oh and they need to walk back this stupid shit:
https://support.cloudflare.com/hc/en-us/articles/36002977947...
And the reason this stupid shit of preventing domain fronting was put in place is the exact reason why eSNI doesn't work, i.e. because it prevents state censorship and forces the state to instead block all the IP addresses in turn forcing companies to either cooperate with the state or expose enough identifying info to not interfere with state censorship.
This is distinct from the HTTP Host: header, which is sent inside the TLS session and therefore is encrypted along with the rest of the HTTP request.
This includes all sites on a free Cloudflare plan to my knowledge.
SNI also allows decoupling TLS and TCP termination, which in turn allows for shared IP addresses and load balancers without necessarily delegating TLS termination and exposing certificates to some shared host.
Cloudflare can explain it much better than me.
https://www.cloudflare.com/learning/ssl/what-is-sni/
One day people wanted to serve multiple websites from one IP, so they had browsers tell the server which site they are looking for (Server Name Indication); that way the server would know which SSL cert to send for the handshake.
SNI is still plaintext, it's a glaring privacy hole that most people aren't aware of. Encrypted SNI needs to come sooner.
For encrypted SNI, keys are expected to be published via DNS, which GFW is happy to disrupt.
Once you get a key, you have to send the key identifier in the clear (otherwise, the service doesn't know how to decrypt; unless you want to just do trial decryption with all available keys and hope that doesn't use too much CPU); the key identifier becomes the enforcement target at this point, unless you're on a host that shares ESNI keys among the many sites it hosts and is not acceptable collateral damage.
HN discussion: https://news.ycombinator.com/item?id=19821406
AWS blog post as answer to the discussions: https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-...
As far as I understand it:
1. Client connects to the standard HTTPS port.
2. If it provides a packet with the right (encrypted) password, then the server acts as a SOCKS5 proxy.
3. If it doesn't provide the right password, the server responds like a normal HTTP server over the TLS connection.
Seems pretty clever, the hard bit is making sure the passwords don't leak and the firewall starts bombarding suspect servers with requests (brute-forcing passwords). Also if there are timing differences between a genuinely confused HTTP server and a "Trojan" server faking the confusion, they'd figure that out too.
Also, things like continuous back-and-forth between the client and a simple webserver would be suspicious, because usually clients send small requests in bursts, get the response, and activity would stop (it doesn't apply to streaming sites, obviously, but there the clients won't be as chatty either). So things like Skype calls might be easily recognized...
Personally, I'd be very careful telling people to rely on my software for avoiding the Chinese surveillance - traffic analysis is terrifyingly powerful.
OTOH if you just wrap HTTP(S) requests to a different server into this, then it probably should look pretty natural.
[1]: https://blog.mozilla.org/security/2019/08/21/protecting-our-...
It's China. Apple/Microsoft isn't going to resist. Google might not resist because they're already banned there so they've got nothing to lose. Regardless, it doesn't really matter because there's a bunch of homegrown chromium forks that can readily replace Chrome.
You can determine that it is a VPN by checking the amount of exchanged packets between interval of time (e.g. if 5 kbps are routinely sent every 30 seconds for 5 minutes this is totally abnormal)
Another alternative for the government could be to limit the bandwidth and time of hosts who have a big standard deviation in the amount of the packets per second they transmit.
So undetectable I don't think so and I believe smarter people here can find even better ideas.
That being said it's a very nice tool, certainly useful in corporate environments as well (except of course, that it'll be suspicious that one single host is exchanging so much data and keeping so long connections)