rfv6723, 14 hours ago:

Does your team have Chinese members? GFW has been able to filter SNI to block https traffic for a few years now.
ameshkov, 9 hours ago (reply to rfv6723):

We do, and from what we know a bigger problem in China is detecting traffic patterns. SNI filtering is not that big of a deal: in order to block your domain it needs to first learn which one you’re using. As for the traffic patterns, people in China prefer to selectively route traffic to the tunnel. For instance, the client apps allow you to route *.cn domains (or any other domains) directly. It makes it harder to detect that you’re using a VPN.
rfv6723, 7 hours ago (reply to ameshkov):

In Fujian province, all foreign domains which aren't in the whitelist are blocked. This means that the proxy server needs to use a fake SNI that is in the whitelist or ditch https.

ameshkov, 4 hours ago (reply to rfv6723):

This is actually supported by both the client and the server. To use it in mobile clients you need to specify two domain names like this: fake-sni.com|domain.com, where “fake-sni.com” is the domain that will be in the SNI and “domain.com” is the domain in your TLS certificate (used to check the server’s authenticity).
eptcyka, 8 hours ago (reply to ameshkov):

How do you do this on iOS?

ameshkov, 8 hours ago (reply to eptcyka):

You mean in TrustTunnel apps? You can create a routing profile there and select which domains/IPs are bypassed, and then select that routing profile in the VPN connection settings.
gruez, 12 hours ago (reply to rfv6723):

> GFW has been able to filter SNI to block https traffic for a few years now.

SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (e.g. shadowsocks).
rfv6723, 12 hours ago (reply to gruez):

> because any commercial VPN is going to be blocked by IP, no need for SNI.

A proxy server can hide behind a CDN like Cloudflare via a WebSocket tunnel. This is why GFW develops an SNI filter: Cloudflare is too big to block.

eptcyka, 8 hours ago (reply to rfv6723):

CDN traffic is quite expensive, I don’t believe it would be feasible to provide a VPN product for that. But for individuals, sure.

gruez, 11 hours ago (reply to rfv6723):

> Proxy server can hide behind CDN like Cloudflare via websocket tunnel.

Cloudflare doesn't support domain fronting, so any SNI spoofing won't work.