Hi everyone,
Cloudflare has added support to TLS 1.3 for encrypted server name indication (SNI). This mailing list post is a high level overview of how meek could take advantage of this in relation to Cloudflare who until just now wasn’t an option for domain fronting.
What this means:
Effectively domain fronting works by sending a different SNI and host header. CDN providers like Cloudflare started double checking to make governments happy, scratch that line, I mean to protect their customers from fraud and abuse. They seem to of backtracked now. Encrypted SNI means that a firewall or coffee shop owner won’t be able to use SNI to see the real origin of TLS traffic.
Why this matters:
With the right adjustments for TLS 1.3 and Encrypted SNI support, Cloudflare may be a viable option for Meek.
Risks:
* Firewall products could always use DPI and block TLS 1.3 altogether.
* Firewall products could block all requests with encrypted SNI.
Thoughts anyone?