Google, for example, allows redirection through the HTTP host header from to. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique.
Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. In a domain-fronted request, however, the DNS query and SNI carry one name (the “front domain”), while the HTTP Host header, hidden from the censor by HTTPS encryption, carries another (the covert, forbidden destination)." "Ordinarily, the same domain name appears in all three places. "In an HTTPS request, the destination domain name appears in three relevant places: in the DNS query, in the TLS Server Name Indication (SNI) extension and in the HTTP Host header," the researchers said in their paper. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.
:max_bytes(150000):strip_icc()/how-to-use-the-signal-app-50953231-e7e50e9e888a422da9ce0106032f7340.jpg "use signal app")
The technique involves sending requests to a "front domain" and using the HTTP Host header to trigger a redirect to a different domain.
The solution from Signal's developers was to implement a censorship circumvention technique known as domain fronting that was described in a 2015 paper by researchers from University of California, Berkeley, the Brave New Software project and Psiphon.
0 kommentar(er)
