On Mon, Oct 01, 2018 at 07:55:31PM +0200, Andreas Krey wrote:
On Mon, 24 Sep 2018 20:23:58 +0000, David Fifield wrote: ...
"encrypted SNI" part. But it's possible to do better: if you're willing to abandon HTTP/1.1 compatibility and require HTTP/2, you can use the "server push" feature to implement a serialization that's much more efficient than the current one in meek.
How about websockets instead of trying to cram this into HTTP/2?
And for that matter, why not a plain old HTTP CONNECT proxy? That would be even more efficient. But we're limited to what the CDN supports. Most CDNs only support basic methods like GET and POST, not CONNECT or the special headers needed by WebSocket.
Cloudflare does support WebSocket, though:
https://www.cloudflare.com/website-optimization/web-sockets/
https://blog.cloudflare.com/cloudflare-now-supports-websockets/
So this, combined with encrypted SNI, could be a viable technique when tunneling through Cloudflare--it just wouldn't be portable to other services. We even already have an existing WebSocket-based pluggable transport implementation--it would need changes to the client to support encrypted SNI.
https://gitweb.torproject.org/pluggable-transports/websocket.git/
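The "special headers needed by WebSocket" that a CDN has to pass through intact are the RFC 6455 opening handshake: the client's Upgrade/Connection/Sec-WebSocket-Key headers and the server's 101 response carrying a Sec-WebSocket-Accept derived from that key. The snippet below is an added illustration written for this thread, not code from the messages above nor from the Tor websocket transport; it builds the client handshake, computes the expected Accept value, and checks a response the way a client must before trusting the tunnel. The hostname, path and the two sample responses are constructed; the key/accept pair is the example from RFC 6455 section 1.3.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

# Fixed GUID from RFC 6455, section 1.3; mixed into every Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def new_client_key() -> str:
    """Fresh 16-byte random nonce, base64-encoded, for Sec-WebSocket-Key."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def compute_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(client_key + WS_GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, client_key: str) -> bytes:
    """Client side of the opening handshake (RFC 6455, section 4.1).

    An intermediary that only forwards plain GET/POST semantics will typically
    drop the Upgrade/Connection hop-by-hop headers; that is what the response
    check below detects.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split an HTTP/1.1 response head into (status code, lower-cased headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def verify_upgrade_response(raw: bytes, client_key: str) -> tuple[bool, str]:
    """Accept the tunnel only if the server proved it saw our handshake."""
    status, h = parse_response(raw)
    if status != 101:
        return False, f"expected 101 Switching Protocols, got {status}"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "Upgrade header missing or not 'websocket'"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "Connection header does not include 'upgrade'"
    expected = compute_accept(client_key)
    if not secrets.compare_digest(h.get("sec-websocket-accept", ""), expected):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "handshake accepted"


# Key/accept pair taken from RFC 6455, section 1.3.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="

# Constructed responses: one from a server that completed the upgrade, and one
# from a front end that swallowed the Upgrade headers and answered as plain HTTP.
SAMPLE_UPGRADED = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)
SAMPLE_STRIPPED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # Hostname and path are placeholders, not a real deployment.
    print(build_upgrade_request("example.invalid", "/ws", RFC_KEY).decode())
    print(verify_upgrade_response(SAMPLE_UPGRADED, RFC_KEY))
    print(verify_upgrade_response(SAMPLE_STRIPPED, RFC_KEY))
```

The Accept check matters beyond protocol correctness: a client that settled for any 101 would happily talk to a middlebox that understands just enough WebSocket to answer the status line, whereas requiring the SHA-1-derived value ties the response to the key this particular client sent.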