this post was submitted on 19 Oct 2023
386 points (95.3% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
54788 readers
802 users here now
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Rules • Full Version
1. Posts must be related to the discussion of digital piracy
2. Don't request invites, trade, sell, or self-promote
3. Don't request or link to specific pirated titles, including DMs
4. Don't submit low-quality posts, be entitled, or harass others
Loot, Pillage, & Plunder
📜 c/Piracy Wiki (Community Edition):
💰 Please help cover server costs.
Ko-fi | Liberapay |
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Sadly doesn't work for gov level blocks that look at the SNI rather than blocking at DNS level
Edit: correction from ESNI to SNI
You mean SNI, not ESNI. ESNI is the Encrypted Server Name Indication that gets around that, though the newer ECH (Encrypted Client Hello) is better in many ways. Not all sites support either though.
If I utilise a DNS provider who supports ECH (mullvad) with a browser that supports ECH (Librewolf) will I still not be able to access certain websites? I haven't come across a website blocked by my ISP yet so don't know
Most ISP blocking is pretty superficial, usually just at the DNS level, you should be fine in the vast majority of cases. While parsing for the SNI flag on the client hello is technically possible, it's computationally expensive at scale, and generally avoided outside of enterprise networks.
With that siad, When in doubt, VPN out. ;)
They won't be able to get to my SNI if I'm using ECH, yes? I just assumed ECH was secure enough but I don't know much
You are absolutely correct, I should have lead with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.
However, It's worth noting though that if I am your ISP and I see you connecting to say public IP 8.8.8.8 over https (443) I don't need to see the SNI flag to know you're accessing something at Google.
First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.
Second, if you target an IP that isn't blocked outright, and I can't see your SNI flag, I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern, say google.com.
VPN gets around all of these problems, provided you egress somewhere less restrictive.
Hope that helps clarify.
This is only effective when the host is the only one using that IP. Anything that uses Cloudflares WAF or similar services will just be a shared IP that responds for hundreds of hosts like one of Cloudflares Reverse Proxies.
Ah, that clears it up! I feel silly that the idea of the ISP doing a reverse-lookup on my traffic didn't occur to me, thanks.
If it's IP blocked it still won't work, but most aren't
Ah yes, forgot about that. Thanks
Bring free on cloudflare makes it widely adopted quickly likely.
It's also going to break all the firewalls at work which will no longer be able to do dns and http filtering based on set categories like phishing, malware, gore, and porn. I wish I didn't need to block these things, but users can't be trusted and not everyone is happy seeing porn and gore on their co-workers screens!
The malware and other malicious site blocking though is me. At every turn users will click the google prompted ad sites, just like the keepass one this week.
Anyway all that's likely to not work now! I guess all that's left is to break encryption by adding true mitm with installing certificates on everyone's machines and making it a proxy. Something I was loathe to do.
It's still require DoH, right? Not sure what my ISP does, but DoH has very high latency and often timeout on my end, probably to discourage their customers to turn on DoH.
DoH looks identical to normal website traffic. If it's slow, it's probably the DoH provider and not the ISP.
Hmm, kinda doubt it's the DoH provider's fault (cloudflare). On the other hand, my ISP already transparently redirecting plain DNS requests to their own DNS server, so it's not a stretch to think they found a way to degrade DoH experience (at least for well known endpoint like 1.1.1.1).
Corrected, thanks!
I'm looking forward to ECH, if i'm not mistaken that relies on DoH which has pretty widespread adoption in browsers at the mo
https://github.com/ValdikSS/GoodbyeDPI, https://www.f-droid.org/packages/ru.evgeniy.dpitunnelcli/ these do :)
You can try the new ECH feature, in the FF browser for example. It encrypts the SNI on compatible websites