On Wed, 03 Oct 2018 13:03:14 +0000, ithor wrote:
...
> Can you elaborate upon that for the noob I am. If I understand you correctly, 
> when using domain fronting, Tor basically spoofs or "hijacks" the IP address 
> of an existing Azure server client ?

SNI: Server Name Indication. While setting up the encryption the client
needs to send (in cleartext) the host name it wishes to connect to
(so that the server can use the corresponding certificate). That is how
HTTPS still gives away whom you're talking to.

> What exactly is in the SNI : the name of the Azure server or some kind of 
> information of a real client using that service ?

The name of some service (web site) hosted. Domain fronting means that
the meek client uses one hostname for establishing the encryption, and
inside the encrypted channel a different hostname it actually wants to
talk to. Google apparently now enforces that these two are the same.

> What could China block ? The IP of the real client who was spoofed ?

The cleartext hostname in the SNI (if it bothers to). (Question is how
they detect what hostnames are used there.)

> What would ESNI (encrypted SNI) bring into the mix concerning meek 
> connections ?

Here the SNI host field is already sent encrypted so China can't tell
anymore which service/website on Azure/whatever you're connecting to,
it only sees that you are addressing Azure's/Google's/Amazon's/Cloudflare's
cloud. But it will take time until this is widely in use so that you're
not suspicious for just using ESNI (not sure if that is an official
acronym).

Actually:
  https://en.wikipedia.org/wiki/Domain_fronting
  https://blog.cloudflare.com/encrypted-sni/

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
