Most active commenters

    Doxx/Darkflare: DarkFlare TCPoCDN (TCP over CDN)

    (github.com)
    70 points josephscott | 16 comments | 20 Nov 24 22:49 UTC | HN request time: 1.235s | source | bottom
    1. tomsonj ◴[21 Nov 24 02:46 UTC] No.42200584[source]
    chisel is a similar tool in this space https://github.com/jpillora/chisel

    I don’t get why headers and requests need to be spoofed if all traffic is over https?

    replies(4): >>42200669 #>>42200828 #>>42201273 #>>42201386 #
    2. Titan2189 ◴[21 Nov 24 03:01 UTC] No.42200669[source]
    > I don’t get why headers and requests need to be spoofed if all traffic is over https?

    https://en.wikipedia.org/wiki/Deep_packet_inspection

    replies(1): >>42200815 #
    3. fragmede ◴[21 Nov 24 03:28 UTC] No.42200815{3}[source]
    how are they looking inside the packet if it's encrypted?
    replies(1): >>42200924 #
    4. mhio ◴[21 Nov 24 03:30 UTC] No.42200828[source]
    The headers are seen by the monster-in-the-middle CDN.

    It's obfuscation at best. I'm not sure the encrypted traffic will look particularly php-ish for example. Compressed formats might look vaguely passable.

    I can't see any stenography code or libraries in the repo.

    5. sodality2 ◴[21 Nov 24 03:51 UTC] No.42200924{4}[source]
    DPI doesn't have to decrypt it to make certain guesses about its content. For example, timing information, packet sizes, routing info, etc could lead you to believe it's certain kinds of things (SSH, VPN, etc).
    6. ignoramous ◴[21 Nov 24 04:23 UTC] No.42201093[source]
    You could straight up connect to the destination (over TCP) from Cloudflare without needing relays; a project I wrote demonstrates TCP over HTTP (for Deno Deploy) and TCP over WebSockets (for Workers): https://github.com/serverless-proxy/serverless-proxy

    Proxying projects utilising HTTP/TLS are popular in the anti-censorship community (discussion board: https://github.com/net4people/bbs) and there are many variants of it; ex:

    - KCP (over UDP): https://github.com/xtaci/kcp-go

    - Bepass: https://github.com/bepass-org/bepass-worker

    7. coretx ◴[21 Nov 24 04:58 UTC] No.42201273[source]
    Because SNI. Also, State (sponsored) Actors are certificate authorities. HTTPS is the biggest scam in internet history. https://en.wikipedia.org/wiki/Server_Name_Indication
    replies(1): >>42201851 #
    8. a-ve ◴[21 Nov 24 05:06 UTC] No.42201313[source]
    Is this something like WebTunnel from the Tor Project?

    https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...

    9. est ◴[21 Nov 24 05:12 UTC] No.42201341[source]
    > Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront ... support millions of websites across critical sectors, including government and healthcare, making them indispensable

    The author is pretty naive. There is a reason why Google was left out of the list, in the 2010s people argue "Google is too important and China never dare to block it" then google's whole IP range is blocked.

    Amazon Cloudfront, Akmai, Fastly are also (partially) blocked and barely working.

    IMHO cleve tricks like "domain fronting" is just freebooting

    replies(1): >>42201606 #
    10. duskwuff ◴[21 Nov 24 05:22 UTC] No.42201386[source]
    > I don’t get why headers and requests need to be spoofed if all traffic is over https?

    Because the traffic is to a CDN endpoint (like Cloudflare) which expects it to be a HTTP message.

    11. novakwok ◴[21 Nov 24 05:36 UTC] No.42201446[source]
    There seems another way to achieve this, using Cloudflare's own cloudflared tunnel.

    Install a cloudflared tunnel on your remote server, configure it to forward traffic to that server's hosts proxy server(maybe Shadowsocks) using Zero Trust dashboard, and run the following command on your local computer:

    cloudflared access tcp --hostname some.your-domain.tld --url localhost:8080

    Then localhost:8080's traffic will be forwarded to cloudflareds' host, the whole traffic is using HTTP2 so might look legitimate to Firewall.

    For example if using Shadowsocks on server, your Shadowsocks's local client can connect to localhost:8080 as server to forward traffic.

    12. dlenski ◴[21 Nov 24 06:13 UTC] No.42201606[source]
    > IMHO cleve tricks like "domain fronting" is just freebooting

    What do you mean by "freebooting"?

    We added domain fronting support to the OpenConnect TLS-VPN client _in 2022_ because it is still working and useful for many people working in censored countries and environments. https://gitlab.com/openconnect/openconnect/-/merge_requests/...

    replies(1): >>42201756 #
    13. est ◴[21 Nov 24 06:41 UTC] No.42201756{3}[source]
    > because it is still working

    That's a big "still" and you don't loose anything in case the real owner of the "fronted" domain suffers loss.

    replies(1): >>42201990 #
    14. astrange ◴[21 Nov 24 07:04 UTC] No.42201851{3}[source]
    This certainly was an issue but it's solved by ECH/DoH. As long as they aren't blocked on your network anyway.

    > Also, State (sponsored) Actors are certificate authorities.

    To generate a fake certificate as a CA you have to either put it in the Certificate Transparency log, in which case everyone will notice, or don't, in which case browsers will notice (they know what top sites' certificates are supposed to look like) and your CA will get shut down.

    15. notpushkin ◴[21 Nov 24 07:35 UTC] No.42201990{4}[source]
    I don't think it's right to assign blame here to any party other than the authoritarian regime that decides to block the whole CDN.