Comments (11)
Sorry to correct you all, but 2024 Feb 27.
As of Jan 19, fronted requests still work.
from bbs.
Do I get it right that "grandfathered in" domain fronting will stop working on 2023-02-27 and new domain fronting will stop working immediately? What is the significance of the cert expiry then, is it "feb 27 or that, whichever comes first"?
My read of this is that "new" domain fronting requests will stop working on 2023-02-27, where new here means that they do not have a record of any requests with the same Host header and front domain mismatch. The report they sent us contains a record of all such requests, so presumably any requests that have a different combination of Host header and front domain than those listed will be blocked after February 27th.
I can't speak for Fastly on the significance of the front domain certificate expiry, but if I had to guess, I would say that their implementation includes an exception for enforcing the match between the host and TLS certificate SAN entries if the certificate is older than February 27th (or some other date) in order to give their customers time to "correct" their requests. Once the certificates are renewed or updated, the timestamp would be newer than the cutoff date and requests to that front with mismatched hosts would begin to be blocked.
I am not sure how this will affect customers who have not received a report from them.
from bbs.
It will work for front domains that have been used for domain fronting before and whose certificates have not been renewed since before February 27th, 2024. I just took a look at foursquare.com, which is the front used for the snowflake builtin bridge lines and for Tor Browser's moat settings. Their certificate renewed today at 12:21:56 UTC: https://crt.sh/?id=12239699880
Sure enough, neither Connect Assist nor the builtin Snowflake bridges are currently working.
from bbs.
Do I get it right that "grandfathered in" domain fronting will stop working on 2023-02-27 and new domain fronting will stop working immediately? What is the significance of the cert expiry then, is it "feb 27 or that, whichever comes first"? Very confusing, I am also currently using domain fronting and have not received such an email, despite being affected.
from bbs.
If I understand correctly, free accounts will stop working for fronting.
from bbs.
Today is the day. Fronting still works as of 06:11 EST.
from bbs.
@ValdikSS Same here. But I think this still tracks with @cohosh's explanation. Existing pairings of SNI to Host header still work but new deployments of domain fronting may not. It may also be that they are starting with only a few customers and will get to other accounts later. That would explain why only some customers have received emails.
from bbs.
Well, now it stopped working. Fronting no longer works for me on Fastly.
Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [e0b1ad3a7e7c0dccfce6f444920b7f483938b31f652d030b6f2291e01ba34da7] in use with this connection.
Visit https://docs.fastly.com/en/guides/common-400-errors#error-421-misdirected-request for more information.
from bbs.
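The enforcement the comments above describe (a 421 when the Host header is not covered by the connection's certificate SANs, with an exception for previously seen pairings on certificates issued before the cutoff), modeled as an added example that is not part of the thread and not Fastly's code. The grandfathering rule is the commenters' guess; `CUTOFF`, `seen_pairs` and the `.example` names are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed cutoff: the date discussed in the thread (2024 Feb 27).
CUTOFF = datetime(2024, 2, 27, tzinfo=timezone.utc)

def san_matches(host, san):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san

def strip_port(host_header):
    """Drop an optional :port from a Host header value (IPv6 literals kept)."""
    if host_header.startswith("["):
        return host_header[: host_header.find("]") + 1]
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header

def route_status(front, host_header, cert_sans, cert_not_before, seen_pairs):
    """HTTP status an edge would return under the hypothesized policy."""
    host = strip_port(host_header).lower()
    if any(san_matches(host, s) for s in cert_sans):
        return 200  # Host is covered by the certificate: no mismatch at all
    # Hypothesis from the thread: a mismatch is tolerated only for pairings
    # already on record AND while the front's certificate predates the cutoff.
    grandfathered = (front.lower(), host) in seen_pairs and cert_not_before < CUTOFF
    return 200 if grandfathered else 421  # 421 Misdirected Request

def demo():
    """Constructed inputs covering the cases reported in the comments."""
    sans = ["front.example", "*.front.example"]
    seen = {("front.example", "hidden.example")}
    old = datetime(2024, 1, 10, tzinfo=timezone.utc)   # issued before cutoff
    new = datetime(2024, 3, 5, tzinfo=timezone.utc)    # renewed after cutoff
    return {
        "same_site": route_status("front.example", "cdn.front.example:443", sans, new, seen),
        "known_pair_old_cert": route_status("front.example", "hidden.example", sans, old, seen),
        "known_pair_renewed_cert": route_status("front.example", "hidden.example", sans, new, seen),
        "new_pair_old_cert": route_status("front.example", "other.example", sans, old, seen),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```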
It still works here (using the same fronting domain I've been using for months though)
from bbs.
Fronting works....
Try changing the address if it doesn't work.
from bbs.
I'm testing on www.techradar.com and www.wikihow.com as a fronted domain. It used to work all these months, today it doesn't.
However cdn.yelp.com, www.cosmopolitan.com, www.esquire.com, www.shazam.com still work.
from bbs.