Comment by gruez
9 hours ago
> GFW has been able to filter SNI to block https traffic for a few years now.
SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (e.g. shadowsocks).
> because any commercial VPN is going to be blocked by IP, no need for SNI.
Proxy server can hide behind CDN like Cloudflare via websocket tunnel.
This is why GFW develops SNI filter, Cloudflare is too big to block.
CDN traffic is quite expensive; I don't believe it would be feasible to provide a VPN product for that. But for individuals, sure.
> Proxy server can hide behind CDN like Cloudflare via websocket tunnel.
Cloudflare doesn't support domain fronting so any SNI spoofing won't work.