Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-08-22 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+-
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  closed
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:  wontfix
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+-
Changes (by dcf):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 Closing this as it is well understood by now.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-09 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 People are not too happy with the situation with the Great Firewall of
 Russia: https://pastebin.com/Etp2TNBi
 https://news.ycombinator.com/item?id=16947082

 Interesting info tho:

 https://isitblockedinrussia.com/?host=1.0.0.1

 https://isitblockedinrussia.com/?host=1.1.1.1


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-08 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > Google's favicon retrieval service, which allows to retrieve one 16×16
 PNG at the time.
 Output PNG up to 256px, but you need to specify size.
 > duckduckgo.com&sz=64


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-07 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > Don't know how much data Moat and Snowflake need, but if it's only a
 tiny amount an alternative for the AMP proxy could be Google's favicon
 retrieval service, which allows to retrieve one 16×16 PNG at the time.
 Could perhaps be combined with wildcard DNS so you get .some-endpoint.torproject.org/favicon.ico, .some-endpoint.torproject.org/favicon.ifo

 That's neat for sure.
 But Google supports DNS-over-HTTPS (Beta version).


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-06 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 Replying to [comment:36 cypherpunks]:
 > Don't know how much data Moat and Snowflake need, but if it's only a
 tiny amount an alternative for the AMP proxy could be Google's favicon
 retrieval service, which allows to retrieve one 16×16 PNG at the time.

 That's neat, I like it :) I briefly ran the numbers on Snowflake for
 #25874. The client needs to send about 700 bytes, or about 500 bytes if
 compressed; and receive a similar amount. Unfortunately that's too long
 for a single DNS name (max 255 bytes). Sending an entire client offer will
 take multiple DNS requests, so it probably won't work in the favicon
 service.

 Moat is even harder, at least as currently implemented. It doesn't use a
 single request/response; it uses a tunneled TLS connection atop multiple
 serialized requests and responses. Making it work over a single
 request/response would require rearchitecting the protocol so that Moat
 messages have their own confidentiality and integrity protection,
 independent of TLS.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-06 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 Replying to [comment:35 cypherpunks]:
 > Crazy idea perhaps, but could HTTPS Everywhere collect a list of real-
 world *.appspot.com subdomains from people who have enabled the
 certificate observatory?

 Yes; but I think it would have limited benefit. *.appspot.com is blocked
 in China already (I don't know about elsewhere). If someone found some
 really solid *.appspot.com domains it might be worth doing.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-06 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Don't know how much data Moat and Snowflake need, but if it's only a tiny
 amount an alternative for the AMP proxy could be Google's favicon
 retrieval service, which allows to retrieve one 16×16 PNG at the time.
 Could perhaps be combined with wildcard DNS so you get `.some-endpoint.torproject.org/favicon.ico`, `.some-endpoint.torproject.org/favicon.ifo`


 {{{
 curl --output example.png -H 'Host: www.google.com' 'https://ssl.google-analytics.com/s2/favicons?domain=torproject.org'
 }}}


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-06 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Crazy idea perhaps, but could HTTPS Everywhere collect a list of real-
 world *.appspot.com subdomains from people who have enabled the
 certificate observatory?


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-01 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 Replying to [comment:28 cypherpunks]:
 > [https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/?include_text=1 Make Meek Great Again?]

 Yes, there is some discussion about encrypted SNI and other related topics
 here:
   [https://groups.google.com/d/msg/traffic-obf/MagLb8FiMlA/c7nV7KrpAAAJ
 IETF draft: SNI Encryption in TLS Through Tunneling]
   [https://groups.google.com/d/msg/traffic-obf/bF61DndrA8I/tCGoXk2-DAAJ
 Secondary Cert Authentication.]
 Unfortunately I haven't thought about them very much or how they may be
 implemented. This is a good place for someone to get involved. There are
 more ideas than there are people to go after them.

 About Secondary Cert Authentication, Nick Sullivan of Cloudflare gave a
 (fairly non-technical) talk about it at USENIX Enigma 2018:
 https://www.youtube.com/watch?v=xZN0H3jzwys


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-01 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Loud Amazon were given the choice between dictator's $$$ and reputation.
 Amazon chose $$$...
 Learn google's history, amazon. Dictator would steal your $$$ and kill you
 later. Do stuff silently next time.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-01 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Replying to [comment:24 cypherpunks]:
 > Replying to [comment:23 cypherpunks]:
 > > [https://news.ycombinator.com/item?id=16869269 Rumors]:
 > > > Hey, everyone. We spent a decent amount of time at Signal trying to
 come up with alternatives when we first heard rumors that Google was
 disabling domain fronting on GAE.
 > Wow, maybe sometime in the future will start learning about Google
 deprecating this or that from SecureDrop leakers at the nytimes/bezos
 post. Truly epic that they didn't even bother to put a notice or
 something, not even a two line blog post. Maybe people should no longer
 base things off anything Google related, and maybe RMS was right.
 This is no longer accurate, Moxie did receive a 30 day notice and the
 reason isn't related to Telegram but following lobbying efforts to not
 block requests from the fine people in Iran,
 > In early 2018, a number of policy organizations increased pressure on
 Google to change their position on how they were interpreting US sanction
 law so that domain fronting would be possible from Iran. Sadly, these
 lobbying efforts seem to have had the opposite effect. When Google’s
 leadership became more aware of domain fronting, it generated internal
 conversations about whether they wanted to put themselves in the situation
 of providing cover for sites that entire countries wished to block.
 >
 > A month later, we received 30-day advance notice from Google that they
 would be making internal changes to stop domain fronting from working
 entirely.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-01 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Replying to [comment:30 cypherpunks]:
 > > Why not use Souq or some other CDN as the domain front like Signal is
 doing?
 > [https://signal.org/blog/looking-back-on-the-front/ Amazon threatens to
 suspend Signal's AWS account over censorship circumvention]
 Glad m0xie didn't shut up about this thing and voiced it loudly! It's
 receiving enough coverage now on Hacker News which, unfortunately, has a
 lot of pro-censorship pro-Bezos apologia (Russian Internet Agency trolls?)
 https://news.ycombinator.com/item?id=16970199


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-01 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > Why not use Souq or some other CDN as the domain front like Signal is
 doing?
 [https://signal.org/blog/looking-back-on-the-front/ Amazon threatens to
 suspend Signal's AWS account over censorship circumvention]
 > Yesterday AWS became aware of your Github and Hacker News/ycombinator
 posts describing how Signal plans to make its traffic look like traffic
 from another site
 They read?!
 RedTeamers are like censors, censors are like Nazis.
 Punch a nazi in the face.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-05-01 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 Replying to [comment:7 yawning]:
 > Replying to [comment:6 dcf]:
 > > Here is a cheesy proof of concept. It's not suitable because it
 disables certificate verification (`InsecureSkipVerify`). What's needed is
 another parameter to verify the certificate ''as if'' we had accessed
 www.google.com (or other specific domain).
 >
 > https://golang.org/pkg/crypto/tls/#Config (VerifyPeerCertificate)
 > https://golang.org/pkg/crypto/x509/#Certificate.Verify

 I posted some prototype code in comment:11:ticket:12208. I would
 appreciate some review on it. It handles our use case of doing a TLS
 handshake without SNI, but still verifying the certificate.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
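
The approach pointed to in the message above (`VerifyPeerCertificate` plus `Certificate.Verify`), as an added example; it is not dcf's prototype from ticket 12208 and not Tor Project code. The names `verifyAs`, `sniLessConfig` and `newTestChain` are hypothetical, and the CA and leaf certificate are constructed in memory so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyAs returns a VerifyPeerCertificate callback that validates the peer's
// chain against roots as if the client had connected to verifyName.
func verifyAs(verifyName string, roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("server presented no certificate")
		}
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
		intermediates := x509.NewCertPool()
		for _, c := range certs[1:] {
			intermediates.AddCert(c)
		}
		_, err := certs[0].Verify(x509.VerifyOptions{
			DNSName:       verifyName, // the hostname check happens here
			Roots:         roots,      // nil selects the system roots
			Intermediates: intermediates,
		})
		return err
	}
}

// sniLessConfig returns a client config that sends no server_name extension
// but still authenticates the server as verifyName. Use it with tls.Client on
// an existing net.Conn: tls.Dial copies the dialed hostname into an empty ServerName.
func sniLessConfig(verifyName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName:            "",   // empty name: no SNI in the ClientHello
		InsecureSkipVerify:    true, // turns off only the built-in verification
		VerifyPeerCertificate: verifyAs(verifyName, roots),
	}
}

// newTestChain builds a constructed throwaway CA and a leaf issued for dnsName.
func newTestChain(dnsName string) ([]byte, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leafDER, roots, nil
}

func main() {
	leaf, roots, err := newTestChain("www.google.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("as www.google.com:", verifyAs("www.google.com", roots)([][]byte{leaf}, nil))
	fmt.Println("as other name:", verifyAs("snowflake-reg.appspot.com", roots)([][]byte{leaf}, nil))
}
```

Setting `InsecureSkipVerify` without also supplying the callback leaves the connection unauthenticated, which is the defect the quoted proof of concept had.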

Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-30 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 [https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/?include_text=1 Make Meek Great Again?]


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-30 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by joncamfield):

 Amazon may be following suit: https://aws.amazon.com/blogs/security/enhanced-domain-protections-for-amazon-cloudfront-requests/


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-29 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 Replying to [comment:25 twim]:
 > It turns out that AppEngine is not the only option for domain fronting
 with Google.
 > Google also provides a service called
 [https://developers.google.com/amp/cache/ AMP cache] for
 [https://ampproject.org/ AMP pages]. What it basically does is proxying
 random pages on the Internet and making them load faster (e.g. on Google
 search results). It requires pages to comply with some format though and
 also strips invisible content, resizes images, etc.
 > Despite being served via different domain names (one per real
 domain), it is still hosted on Google infrastructure, which can be fronted.

 Thanks, twim, this is good work. Would you create a new ticket for the
 Snowflake part and link it from #25594?

 I think, for the broker side, all we would need to do is add a new route,
 `/amp/client` or whatever, which is the same as the existing `/client`
 except that it adds the AMP header and trailer.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-26 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by twim):

 Hi there,

 It turns out that AppEngine is not the only option for domain fronting
 with Google.
 Google also provides a service called
 [https://developers.google.com/amp/cache/ AMP cache] for
 [https://ampproject.org/ AMP pages]. What it basically does is proxying
 random pages on the Internet and making them load faster (e.g. on Google
 search results). It requires pages to comply with some format though and
 also strips invisible content, resizes images, etc.
 Despite being served via different domain names (one per real
 domain), it is still hosted on Google infrastructure, which can be fronted.

 I wrote a [https://github.com/nogoegst/amper library] that implements
 wrappers around AMP cache for tunneling traffic through it.
 I've also made a hacky pluggable transport thing as a PoC and managed to
 bootstrap tor using it. Have to say that no one should ever use AMP cache
 as an actual PT because it makes tons of requests (so you will probably be
 banned by Google) and it is incredibly slow.

 I guess that this can be a pretty good fit for both Moat and Snowflake use
 cases.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-22 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Replying to [comment:23 cypherpunks]:
 > > Seems like Signal was affected by this as well (and they seem to have
 been aware of it in advance - from Mar 27, 2018)
 > [https://news.ycombinator.com/item?id=16869269 Rumors]:
 > > Hey, everyone. We spent a decent amount of time at Signal trying to
 come up with alternatives when we first heard rumors that Google was
 disabling domain fronting on GAE.
 Wow, maybe sometime in the future will start learning about Google
 deprecating this or that from SecureDrop leakers at the nytimes/bezos
 post. Truly epic that they didn't even bother to put a notice or
 something, not even a two line blog post. Maybe people should no longer
 base things off anything Google related, and maybe RMS was right.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-22 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > Seems like Signal was affected by this as well (and they seem to have
 been aware of it in advance - from Mar 27, 2018)
 [https://news.ycombinator.com/item?id=16869269 Rumors]:
 > Hey, everyone. We spent a decent amount of time at Signal trying to come
 up with alternatives when we first heard rumors that Google was disabling
 domain fronting on GAE.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-20 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Replying to [comment:21 coldsauce]:
 > Why not use Souq or some other CDN as the domain front like Signal is
 doing?

 It's already pointed out in the ticket's post:

 > Other related tickets:
 >
 > * #22782, use non-Google domain fronts
 > * #25594, use non-fronting-based registration


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-20 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by coldsauce):

 Why not use Souq or some other CDN as the domain front like Signal is
 doing?


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by neel):

 Replying to [comment:19 cypherpunks]:
 > > Censors will just block the front innocent-app.appspot.com (it's
 already blocked in China FWIW). ¯\_(ツ)_/¯
 >
 > Google blocked by range of IP addresses.

 However, I can front a non-appspot.com domain with another non-appspot.com
 domain. For instance, I can front youtube.com with google.com.

 {{{
 neel@xb2:~ % wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: www.youtube.com'
 }}}

 And it fetches YouTube's homepage.

 But this probably won't work for us because we have to use appspot in
 order to be able to front.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > Censors will just block the front innocent-app.appspot.com (it's already
 blocked in China FWIW). ¯\_(ツ)_/¯

 Google blocked by range of IP addresses.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Replying to [comment:17 djsf]:
 > https solution: use $WHATEVER.appspot.com (generated name or some
 popular application) instead of google.com to circumvent DNS censorship:
 >
 > wget -q -O - --content-on-error -S https://innocent-app.appspot.com/ --header 'Host: snowflake-reg.appspot.com'
 Censors will just block the front `innocent-app.appspot.com` (it's already
 blocked in China FWIW). ¯\_(ツ)_/¯

 And anyways, because of #22782 migrating from Google fronts is a
 necessity. DNS-over-HTTPS with `https://1.1.1.1/dns-query` and
 `https://1.0.0.1/dns-query` (fallback in case 1.1.1.1 isn't reachable)
 (not blocked in China) seems promising tho. So this seems like the best
 time to upgrade with both of those two solutions with the former acting as
 fallback (because 1.1.1.1 is free and Amazon isn't).


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by djsf):

 https solution: use $WHATEVER.appspot.com (generated name or some popular
 application) instead of google.com to circumvent DNS censorship:

 wget -q -O - --content-on-error -S https://innocent-app.appspot.com/ --header 'Host: snowflake-reg.appspot.com'


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by djsf):

 still works via plain http


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > We’re constantly evolving our network, and as part of a planned software
 update, domain fronting no longer works

 Some google's code diff (insight job)
 {{{
 + if Host == appspot && SNI != appspot { // Let's break it
 }}}
 youtube (or anything else) wasn't affected.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-19 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 [https://www.theverge.com/2018/4/18/17253784/google-domain-fronting-discontinued-signal-tor-vpn
 A Google update just created a big problem for anti-censorship tools]

 > Reached by The Verge, Google said the changes were the result of a
 > long-planned network update. “Domain fronting has never been a supported
 > feature at Google,” a company representative said, “but until recently it
 > worked because of a quirk of our software stack. We’re constantly evolving
 > our network, and as part of a planned software update, domain fronting no
 > longer works. We don’t have any plans to offer it as a feature.”


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-18 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > It seems worthwhile in a general sense to try to salvage domain
 > fronting with appengine if it's easy to do.

 SNI-less or *.appspot.com (like generated randomly)?


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-17 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by arma):

 It seems worthwhile in a general sense to try to salvage domain fronting
 with appengine if it's easy to do.

 In addition, it seems smart to move to a world where the Snowflake client
 ships with more than one potential domain fronting domain. Then it should
 be able to survive one of them going away without us needing to ship an
 updated Tor Browser to the affected users (who suddenly also find
 themselves without a working privacy tool to fetch the updates).


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-16 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords:  moat   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+
Changes (by dcf):

 * keywords:   => moat


Old description:

> On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for
> snowflake-reg.appspot.com stopped working. It appears to affect fronting
> to all appspot.com domains, not only ours. This leaves all currently
> deployed clients unable to register themselves.
>
> Requests now fail with status code 502:
> {{{
> $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
>   HTTP/1.1 502 Bad Gateway
>   Date: Sun, 15 Apr 2018 04:58:49 GMT
>   Content-Type: text/html
>   Server: HTTP server (unknown)
>   Content-Length: 209
>   X-XSS-Protection: 1; mode=block
>   X-Frame-Options: SAMEORIGIN
>   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
> 502 Bad Gateway\
> This HTTP request has a Host header that is not covered \
> by the TLS certificate used. Due to an infrastructure change, \
> this request cannot be processed.
> }}}
>
> This ticket is to document the issue; I'm not sure we can do anything
> about it directly.
>
> Other related tickets:
>  * #22782, use non-Google domain fronts
>  * #25594, use non-fronting-based registration

New description:

 On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for
 *.appspot.com stopped working. It appears to affect fronting to all
 appspot.com domains, not only ours. This has broken Snowflake client
 registration and Moat (#25807).

 Requests now fail with status code 502:
 {{{
 $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
   HTTP/1.1 502 Bad Gateway
   Date: Sun, 15 Apr 2018 04:58:49 GMT
   Content-Type: text/html
   Server: HTTP server (unknown)
   Content-Length: 209
   X-XSS-Protection: 1; mode=block
   X-Frame-Options: SAMEORIGIN
   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
 502 Bad Gateway\
 This HTTP request has a Host header that is not covered \
 by the TLS certificate used. Due to an infrastructure change, \
 this request cannot be processed.
 }}}

 This ticket is to document the issue; I'm not sure we can do anything
 about it directly.

 Other related tickets:
  * #22782, use non-Google domain fronts
  * #25594, use non-fronting-based registration

--


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-16 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+
Changes (by mcs):

 * cc: brade, mcs (added)


Old description:

> On or about 2018-03-13 16:00:00 UTC, domain-fronted requests for
> snowflake-reg.appspot.com stopped working. It appears to affect fronting
> to all appspot.com domains, not only ours. This leaves all currently
> deployed clients unable to register themselves.
>
> Requests now fail with status code 502:
> {{{
> $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
>   HTTP/1.1 502 Bad Gateway
>   Date: Sun, 15 Apr 2018 04:58:49 GMT
>   Content-Type: text/html
>   Server: HTTP server (unknown)
>   Content-Length: 209
>   X-XSS-Protection: 1; mode=block
>   X-Frame-Options: SAMEORIGIN
>   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
> 502 Bad Gateway\
> This HTTP request has a Host header that is not covered \
> by the TLS certificate used. Due to an infrastructure change, \
> this request cannot be processed.
> }}}
>
> This ticket is to document the issue; I'm not sure we can do anything
> about it directly.
>
> Other related tickets:
>  * #22782, use non-Google domain fronts
>  * #25594, use non-fronting-based registration

New description:

 On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for
 snowflake-reg.appspot.com stopped working. It appears to affect fronting
 to all appspot.com domains, not only ours. This leaves all currently
 deployed clients unable to register themselves.

 Requests now fail with status code 502:
 {{{
 $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
   HTTP/1.1 502 Bad Gateway
   Date: Sun, 15 Apr 2018 04:58:49 GMT
   Content-Type: text/html
   Server: HTTP server (unknown)
   Content-Length: 209
   X-XSS-Protection: 1; mode=block
   X-Frame-Options: SAMEORIGIN
   Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
 502 Bad Gateway\
 This HTTP request has a Host header that is not covered \
 by the TLS certificate used. Due to an infrastructure change, \
 this request cannot be processed.
 }}}

 This ticket is to document the issue; I'm not sure we can do anything
 about it directly.

 Other related tickets:
  * #22782, use non-Google domain fronts
  * #25594, use non-fronting-based registration

--

Comment:

 I corrected the month in the ticket description (April instead of March).


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-16 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+
Changes (by gk):

 * cc: gk (added)



Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by gk):

 Actually, as #25807 shows, this is not only affecting snowflake but moat,
 too.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by yawning):

 Replying to [comment:6 dcf]:
 > Here is a cheesy proof of concept. It's not suitable because it disables
 > certificate verification (`InsecureSkipVerify`). What's needed is another
 > parameter to verify the certificate ''as if'' we had accessed
 > www.google.com (or other specific domain).

 https://golang.org/pkg/crypto/tls/#Config (VerifyPeerCertificate)
 https://golang.org/pkg/crypto/x509/#Certificate.Verify


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 Replying to [comment:2 cypherpunks]:
 > > This HTTP request has a Host header that is not covered \
 > > by the TLS certificate used. Due to an infrastructure change, \
 > > this request cannot be processed.
 >
 > No domain fronting to App Engine but works without SNI

 I confirm that this is the case. Resolve www.google.com to an IP address,
 access the server via its IP address (need to override the certificate
 check) and pass a Host header:
 {{{
 $ dig +short www.google.com
 172.217.11.164
 $ wget --content-on-error --save-header --no-check-certificate -q -O- https://172.217.11.164/ip --header 'Host: snowflake-reg.appspot.com'
 HTTP/1.1 200 OK
 Content-Type: text/plain; charset=utf-8
 X-Cloud-Trace-Context: b0805cfcb7d0d60a3f5352c65879afaa
 Date: Sun, 15 Apr 2018 22:18:54 GMT
 Server: Google Frontend
 Content-Length: 13
 Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"

 X.X.X.X
 }}}

 Related meek ticket (not implemented):
  * #12208: Make it possible to use an IP address as a front

 If someone has a ticket for SNI-less Snowflake rendezvous, it would be
 very welcome. The relevant code is here:
 https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go?id=c61336c897b5d21cc94a21241e98b33df5dcbf78#n61

 Here is a cheesy proof of concept. It's not suitable because it disables
 certificate verification (`InsecureSkipVerify`). What's needed is another
 parameter to verify the certificate ''as if'' we had accessed
 www.google.com (or other specific domain).
 {{{#!diff
 diff --git a/client/rendezvous.go b/client/rendezvous.go
 index cab7f5a..c74e041 100644
 --- a/client/rendezvous.go
 +++ b/client/rendezvous.go
 @@ -14,9 +14,11 @@ package main
  import (
 "bufio"
 "bytes"
 +   "crypto/tls"
 "errors"
 "io/ioutil"
 "log"
 +   "net"
 "net/http"
 "net/url"
 "os"
 @@ -46,6 +48,10 @@ type BrokerChannel struct {
  func CreateBrokerTransport() http.RoundTripper {
 transport := http.DefaultTransport.(*http.Transport)
 transport.Proxy = nil
 +   // haxxx
 +   transport.TLSClientConfig = &tls.Config{
 +   InsecureSkipVerify: true,
 +   }
 return transport
  }
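Review bot: `InsecureSkipVerify: true` in `CreateBrokerTransport` removes all authentication of the broker connection, so whoever answers at the front's address can read or alter the registration exchange. The function also type-asserts and mutates `http.DefaultTransport` itself rather than a copy, so this `TLSClientConfig` applies to every other user of the default transport in the process. Suggest building a separate `http.Transport` for the broker and pairing `InsecureSkipVerify` with a `VerifyPeerCertificate` callback that checks the chain against the expected front name, which is the missing piece the accompanying comment describes.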

 @@ -61,9 +67,17 @@ func NewBrokerChannel(broker string, front string,
 transport http.RoundTripper)
 bc := new(BrokerChannel)
 bc.url = targetURL
 if "" != front { // Optional front domain.
 -   log.Println("Domain fronting using:", front)
 +   var addr net.Addr
 +   addr, err = net.ResolveIPAddr("ip", front)
 +   if nil != err {
 +   addr, err = net.ResolveTCPAddr("tcp", front)
 +   if nil != err {
 +   return nil
 +   }
 +   }
 +   log.Println("Domain fronting using:", addr)
 bc.Host = bc.url.Host
 -   bc.url.Host = front
 +   bc.url.Host = addr.String()
 }

 bc.transport = transport
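Review bot: the new failure path in `NewBrokerChannel` is a bare `return nil`, so a front that fails both `net.ResolveIPAddr` and `net.ResolveTCPAddr` yields a nil channel and `err` is never logged; log it before returning. Two smaller points in the same hunk: `net.ResolveIPAddr("ip", front)` also accepts hostnames, so a hostname front is resolved once here and `bc.url.Host` stays pinned to that single address, and `addr.String()` on an IPv6 `IPAddr` has no brackets, which is not a valid URL host. Keeping `front` in the `log.Println` line next to `addr` would also preserve the configured name in the log.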
 }}}

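dcf's proof of concept above turns verification off with `InsecureSkipVerify` and asks for a way to verify the certificate as if www.google.com had been accessed; yawning's reply points at `VerifyPeerCertificate` and `Certificate.Verify`. The following Go example is added here and is not code from the ticket or from Snowflake; it shows how those two calls combine. The names `sniLessConfig`, `testCert` and `front.example` are assumptions made for the example, and the certificate is constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sniLessConfig (hypothetical name) is for dialing a front by IP address. The
// built-in check is switched off and replaced by a chain and hostname check
// against verifyName, the name the front's certificate is expected to cover.
func sniLessConfig(verifyName string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // replaced by the callback below, not removed
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			inter := x509.NewCertPool() // server-supplied, untrusted until chained
			for _, raw := range rawCerts[1:] {
				if c, err := x509.ParseCertificate(raw); err == nil {
					inter.AddCert(c)
				}
			}
			_, err = leaf.Verify(x509.VerifyOptions{
				DNSName: verifyName, Roots: roots, Intermediates: inter})
			return err
		},
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// testCert builds a throwaway self-signed certificate for dnsName and a pool
// that trusts it: constructed sample data so the example runs offline.
func testCert(dnsName string) ([]byte, *x509.CertPool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		Subject:   pkix.Name{CommonName: dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return der, pool
}

func main() {
	der, pool := testCert("front.example")
	for _, name := range []string{"front.example", "other.example"} {
		err := sniLessConfig(name, pool).VerifyPeerCertificate([][]byte{der}, nil)
		fmt.Printf("verify as %s: %v\n", name, err)
	}
}
```

`VerifyPeerCertificate` is not invoked on resumed sessions, so leave `ClientSessionCache` unset with this config, or use `VerifyConnection` on Go 1.15 and later. Passing `nil` for `roots` makes `Certificate.Verify` fall back to the system root store.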

Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 *.appspot.com still works as domain fronting.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 Seems like Signal was affected by this as well (and they seem to have been
 aware of it in advance):
 https://github.com/signalapp/Signal-Android/pull/7584
 https://github.com/signalapp/Signal-Android/commit/a573ab7c7668360c3ab411627bbb23109ef9facc


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > Due to an infrastructure change
 Reason: Zello app (amazon then google fronting) versus censorship.
 Global business sold all users. Nothing personal just a business.


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-15 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by cypherpunks):

 > This HTTP request has a Host header that is not covered \
 > by the TLS certificate used. Due to an infrastructure change, \
 > this request cannot be processed.

 No domain fronting to App Engine but works without SNI


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-14 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+

Comment (by dcf):

 I am estimating the time by looking at
 [https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F the Relay Search page]
 for the Snowflake bridge. It shows nonzero bandwidth at 2018-04-13 14:00:00
 and zero bandwidth starting at 2018-04-13 18:00:00.

 [[Image(5481936581E23D2D178105D44DB6915AB06BFB7F-20180415.svg)]]


Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working

2018-04-14 Thread Tor Bug Tracker & Wiki
#25804: Domain fronting to App Engine stopped working
---+
 Reporter:  dcf|  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+
Changes (by dcf):

 * Attachment "5481936581E23D2D178105D44DB6915AB06BFB7F-20180415.svg" added.

 https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F
