Comment by xyzzy123
5 months ago
According to https://gfw.report/publications/usenixsecurity25/en/#3 they sniff the SNI out of the handshake like for TLS.
5 months ago
According to https://gfw.report/publications/usenixsecurity25/en/#3 they sniff the SNI out of the handshake like for TLS.
Is that a new technique? Shouldn't this be mitigated?
Encrypted Client Hello is the mitigation to that, IIRC it hasn't rolled out yet, and if it does then the GFW would probably just block connections that use it.
ECH is on by default for Cloudflare’s free plans, and paying customers can adjust the setting. That’s why CF already has an interesting history with the Russian authorities [1] (The discussion is short but has a lot of interesting details)
[1] https://news.ycombinator.com/item?id=44392221
...parsing SNI to find the server name is like the second-oldest trick in the book, after reverse DNS from the 80s? Maybe I'm not understanding the question