Comments (2)
What happens with the usual SNI: DPI detects a request to an IP address listed in the registry (even type=domain has a list of IP addresses). DPI detects the SNI, checks that it's not in the registry, determines that the user is trying to access a non-blocked website and allows the connection.
What happens with ESNI: DPI detects a request to an IP address listed in the registry. DPI does not detect any SNI in the TLS ClientHello packet and rejects the connection.
I think you're right that ESNI, used to access ordinary web sites, does not always increase availability. ESNI only forces the censor into a choice of "block all or block none" for each IP address, where before it could selectively "block some." The decision is not always in our favor; surely in some cases the choice will be "block all" and formerly unblocked sites will become blocked. Just like when wikipedia.org went all-HTTPS and the GFW could no longer selectively block single articles, and blocked the whole domain instead.
But using ESNI in a browser to directly browse web sites is just one application. There's another important application, which is building proxies. We host a proxy on an IP address the censor is unwilling to block, and connect to that proxy using ESNI to hide its identity. Then we can access blocked sites through the proxy, rather than connecting to their IP address directly. In a hypothetical future, browsers start using ESNI by default ⇒ censor cannot easily use presence of ESNI / absence of plaintext SNI as a blocking signal ⇒ we can use ESNI to access a proxy on an IP address that is not otherwise blocked.
In the domain fronting world, there's an analogy with CacheBrowser/CDNReaper and meek. CacheBrowser and CDNReaper do not use proxies; you can only use them to access sites co-hosted on a CDN, and you access the CDN edge server directly, domain-fronting your requests to hide which specific site you're accessing. meek uses a proxy hosted on the CDN, which imposes an additional layer of overhead, but from that proxy you can access any site, whether it's on the same CDN or a different CDN, or not on a CDN at all.
I have hopes, too, that browsers will implement ESNI when accessing plain old HTTP proxies over HTTPS. That would be great because then users would not need any additional client-side software, only a line of configuration. On the deployment side, it would require finding co-hosting for the proxy that permits a standard HTTP proxy to run (instead of the custom tunneling protocol used in meek).
from bbs.
In Russia, we have lots of ISPs (thousands), each of which has different hardware and implements different blocking methods.
Usually, ESNI makes things worse in terms of website availability for ISPs with DPI.
Russia has a Registry of Blocked Websites, every entry in which includes:
- Type of blocking: default (usually used for exact HTTP URIs), domain, ip
- Domain name
- IP address/addresses
- Some other non-technical information, like the reason for blocking and the organization which added this item to the list
Example: say we have an HTTPS website blockedwebsite.com which is blocked by domain name (type=domain) and is hosted on Cloudflare. Another (not blocked) website, notblocked.com, shares the same IP address on Cloudflare.
The person wants to access notblocked.com.
What happens with the usual SNI: DPI detects a request to an IP address listed in the registry (even type=domain has a list of IP addresses). DPI detects the SNI, checks that it's not in the registry, determines that the user is trying to access a non-blocked website and allows the connection.
What happens with ESNI: DPI detects a request to an IP address listed in the registry. DPI does not detect any SNI in the TLS ClientHello packet and rejects the connection.
from bbs.
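The SNI-versus-ESNI behaviour described in the post above, as an added example that is not code from either commenter: a minimal TLS ClientHello parser that reports the plaintext SNI or the presence of the draft ESNI extension, plus a verdict function that models the registry logic the post describes (IP address mapped to the names of its type=domain entries) to show why a connection to a shared IP is rejected once the SNI is no longer readable. The ClientHello bytes, registry contents and IP addresses are constructed for the example.

```python
import struct

SNI_EXT = 0x0000    # server_name extension type
ESNI_EXT = 0xFFCE   # draft-ietf-tls-esni encrypted_server_name extension type

def sni_extension(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type=0 (host_name)
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)

def build_client_hello(extensions):
    """Construct a minimal TLS ClientHello record (constructed sample input, not a capture)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)                # client_version + random
            + b"\x00"                              # empty session_id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return {'sni': hostname or None, 'esni': bool} for a raw TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                                   # record+handshake headers, version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher_suites
    p += 1 + record[p]                               # compression_methods
    p, end = p + 2, p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    info = {"sni": None, "esni": False}
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + length]
        if ext_type == SNI_EXT and length >= 5 and data[2] == 0:
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif ext_type == ESNI_EXT:
            info["esni"] = True
        p += 4 + length
    return info

def registry_verdict(dst_ip, record, registry):
    """Model of the DPI behaviour described in the post: registry maps an IP address to the
    set of domains whose type=domain entries list that IP (constructed, not the real registry)."""
    if dst_ip not in registry:           # unlisted IP: no inspection at all
        return "allow"
    sni = parse_client_hello(record)["sni"]
    # listed IP: a readable, unblocked SNI passes; a blocked SNI or no plaintext SNI (ESNI) is rejected
    return "allow" if sni is not None and sni not in registry[dst_ip] else "reject"
```

The last case is the collateral blocking the post describes: the ESNI ClientHello to the shared IP carries nothing the DPI can whitelist, so notblocked.com becomes unreachable.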