Opened 11 months ago

Closed 3 weeks ago

#22782 closed enhancement (fixed)

Additional domain fronts for Snowflake rendezvous

Reported by: cypherpunks
Owned by: (none)
Priority: Medium
Milestone: (none)
Component: Obfuscation/Snowflake
Version: (none)
Severity: Normal
Keywords: (none)
Cc: dcf, arlolra
Actual Points: (none)
Parent ID: (none)
Points: (none)
Reviewer: (none)
Sponsor: (none)

Description

People in China and Iran have Google blocked => Snowflake's domain front doesn't work => Snowflake won't work.

Change it to something that works => for example, Amazon.

Child Tickets

Attachments (2)

0001-Switch-to-a-CloudFront-Amazon-domain-front.patch (1.6 KB) - added by dcf 5 weeks ago.
0001-Switch-to-an-Azure-domain-front.patch (1.6 KB) - added by dcf 4 weeks ago.


Change History (20)

comment:1 Changed 11 months ago by dcf

Priority: High → Medium
Severity: Blocker → Normal

comment:2 Changed 11 months ago by dcf

Cc: dcf added

We can solve this by first doing #22874 (standalone broker).

comment:3 Changed 11 months ago by dcf

Corresponding GitHub ticket is #17.

comment:4 Changed 5 weeks ago by dcf

Summary: "Change domain front for snowflake to something that isn't blocked" → "Additional domain fronts for Snowflake rendezvous"

comment:5 Changed 5 weeks ago by dcf

Status: new → needs_review
Type: defect → enhancement

I set up a cloudfront.net forwarder to the standalone broker. A patch for it is attached.

I had it completely replace the appspot.com one, which no longer works because of #25804.

I also set up an azureedge.net forwarder; however it doesn't work yet because of a technical issue (the CDN doesn't use SNI in its requests to the origin). I have a support request in for that. But I propose we merge the cloudfront.net one right away, in order to work around #25804 and get things working again.

comment:6 in reply to: 5 Changed 5 weeks ago by dcf

Replying to dcf:

I also set up an azureedge.net forwarder; however it doesn't work yet because of a technical issue (the CDN doesn't use SNI in its requests to the origin). I have a support request in for that.

Customer support says that they've scheduled the activation of SNI for 2018-04-30. It seems like it is some manual process; MS has to file a work order with Verizon.

comment:7 Changed 4 weeks ago by dcf

The Azure CDN configuration started working today. I attached a revised patch. Because of Amazon's recent blog post hostile to domain fronting, I propose we go with the Azure configuration as the default.

Please test: tor -f torrc SocksPort auto

comment:8 Changed 4 weeks ago by joncamfield

Note that Amazon may also be dropping this support soon:

https://aws.amazon.com/blogs/security/enhanced-domain-protections-for-amazon-cloudfront-requests/

"Enhanced Protection against Domain Fronting

CloudFront will also soon be implementing enhanced protections against so-called “Domain Fronting”. Domain Fronting is when a non-standard client makes a TLS/SSL connection to a certain name, but then makes an HTTPS request for an unrelated name. For example, the TLS connection may connect to “www.example.com” but then issue a request for “www.example.org”.

In certain circumstances this is normal and expected. For example, browsers can re-use persistent connections for any domain that is listed in the same SSL Certificate, and these are considered related domains. But in other cases, tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer.

To be clear, this technique can’t be used to impersonate domains. The clients are non-standard and are working around the usual TLS/SSL checks that ordinary clients impose. But clearly, no customer ever wants to find that someone else is masquerading as their innocent, ordinary domain. Although these cases are also already handled as a breach of our AWS Terms of Service, in the coming weeks we will be checking that the account that owns the certificate we serve for a particular connection always matches the account that owns the request we handle on that connection. As ever, the security of our customers is our top priority, and we will continue to provide enhanced protection against misconfigurations and abuse from unrelated parties."
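The quoted blog post describes the check a CDN edge can apply: the name in the TLS handshake (SNI), the names covered by the served certificate, and the Host header of each request on that connection are compared, with "related" SAN names allowed (browser connection reuse) and cross-account mismatches rejected. The following is an added model of that logic, written for this ticket and not Amazon's or Snowflake's code; the `OWNER_OF` table and all hostnames are constructed sample data.

```python
"""Model of the SNI-vs-Host consistency check a CDN edge could apply.
Constructed illustration for this discussion; not any CDN's real code."""
from typing import Dict, List, Optional

# Constructed sample: which customer account owns which hostname at the edge.
OWNER_OF: Dict[str, str] = {
    "www.example.com": "acct-A",
    "cdn.example.com": "acct-A",
    "www.example.org": "acct-B",
}


def san_matches(name: str, sans: List[str]) -> bool:
    """True if `name` is covered by one of the certificate's SANs.
    Supports a single leading wildcard label, as TLS name matching does."""
    labels = name.lower().split(".")
    for san in sans:
        san_labels = san.lower().split(".")
        if san_labels[0] == "*":
            if len(labels) == len(san_labels) and labels[1:] == san_labels[1:]:
                return True
        elif labels == san_labels:
            return True
    return False


def host_header(raw_request: bytes) -> Optional[str]:
    """Extract the Host header (without port) from a raw HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None


def classify(sni: str, cert_sans: List[str], raw_request: bytes,
             owner_of: Dict[str, str] = OWNER_OF) -> str:
    """Classify one HTTP request carried on a TLS connection opened for `sni`."""
    host = host_header(raw_request)
    if host is None:
        return "no-host"
    if host == sni.lower():
        return "same-name"
    if san_matches(host, cert_sans):
        return "related-san"  # connection reuse across one cert: expected
    if host in owner_of and owner_of[host] == owner_of.get(sni.lower()):
        return "fronted-same-account"
    return "fronted-cross-account"  # the case the blog post says is rejected
```

The Snowflake rendezvous in this ticket is the last case from the CDN's point of view: the TLS name is the CDN's own front hostname while the Host header names the forwarder to the broker.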

comment:9 Changed 4 weeks ago by cypherpunks

Amazon

One site, one FQDN, one IP address
"One people, one Reich, one leader"

comment:10 in reply to: 8 Changed 4 weeks ago by cypherpunks

Replying to joncamfield:

Note that Amazon may also be dropping this support soon:

Seems like the Telegram ban and the resulting blockade of many Amazon IPs by Russia was the last straw that broke the camel's back, so they're giving it a security camouflage to hide the fact that they're conceding to the censors ("muh malware uses domain fronting!1!!"). I bet 0.01 Satoshis that Microsoft will follow suit in the near-term future.

comment:11 Changed 4 weeks ago by cypherpunks

Press coverage: https://www.theverge.com/2018/4/30/17304782/amazon-domain-fronting-google-discontinued (use new circuit if it shows up 'Forbidden')

comment:12 Changed 4 weeks ago by cypherpunks

By the way it seems users should be aware that meek-amazon will stop working so that they switch to something else, maybe some tweet and/or a blog post?

comment:13 Changed 4 weeks ago by cypherpunks

"muh malware uses domain fronting!1!!"

RedTeamers around net(s) (very isolated really soon) are happy now, they said.

Really good move. We should be happy as an industry.

comment:14 in reply to: 13 Changed 3 weeks ago by cypherpunks

Replying to cypherpunks:

"muh malware uses domain fronting!1!!"

RedTeamers around net(s) (very isolated really soon) are happy now, they said.

Really good move. We should be happy as an industry.

DevOps joins in the happiness.

We were happy to see the changes from AWS.

comment:15 Changed 3 weeks ago by dcf

I made a ticket to have Tor Browser use Azure in #26010.

comment:16 Changed 3 weeks ago by arlolra

Cc: arlolra added

comment:17 in reply to: 7 Changed 3 weeks ago by arlolra

Status: needs_review → merge_ready

Replying to dcf:

The Azure CDN configuration started working today. I attached a revised patch. Because of Amazon's recent blog post hostile to domain fronting, I propose we go with the Azure configuration as the default.

Please test: tor -f torrc SocksPort auto

LGTM

Any particular justification for the specific choice of front? Just curious.

comment:18 in reply to: 17 Changed 3 weeks ago by dcf

Resolution: fixed
Status: merge_ready → closed

Replying to arlolra:

LGTM

Thanks, merged in 88ea7a5083.

I'm going to close this ticket, though of course it is still possible to set up other fronts (Fastly?). And there's #25985 that is similar.

Any particular justification for the specific choice of front? Just curious.

Not really; it's the same as we have been using for meek. Someone did a blog post last year on finding other compatible domains; there are a few other candidates that look good.

https://theobsidiantower.com/2017/07/24/d0a7cfceedc42bdf3a36f2926bd52863ef28befc.html
https://theobsidiantower.com/assets/known-good.txt
