Domain fronting to App Engine has stopped working
334 views
Skip to first unread message
David Fifield
Apr 17, 2018, 10:16:59 PM4/17/18
to traff...@googlegroups.com
I've seen this being dicussed in a few places, so I thought we should
have a thread here. Since last Friday (2018-04-13), domain-fronted
requests to *.appspot.com fail with status 502:
> $ wget --content-on-error --save-header -q -O- https://www.google.com/ --header 'Host: test.appspot.com'
> HTTP/1.1 502 Bad Gateway
> Date: Wed, 18 Apr 2018 01:58:14 GMT
> Content-Type: text/html
> Server: HTTP server (unknown)
> Content-Length: 209
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
>
> <html><body><h1>502 Bad Gateway</h1><p>This HTTP request has a Host header that is not covered by the TLS certificate used. Due to an infrastructure change, this request cannot be processed.</p></body></html>
I happened to notice because traffic to the Snowflake bridge went to
zero. Snowflake uses a domain-fronted request to bootstrap a connection.
https://bugs.torproject.org/25804
For us, losing App Engine isn't a major problem: we can switch to
alternate domain fronts pretty easily, or use other techniques that
don't relay on fronting (like the DNS-over-HTTPS idea I posted about a
little while ago). Also, there are not very many Snowflake users yet 😀
On the Tor ticket, an anonymous user noticed that you can still reach
*.appspot.com if you make the TLS request without SNI. There are a bunch
of caveats there: it may not remain that way long-term; SNI-less
connections are probably more conspicuous; and you have to do extra work
in your code to verify the certificate properly. But it may be useful
information, depending on your situation.
have a thread here. Since last Friday (2018-04-13), domain-fronted
requests to *.appspot.com fail with status 502:
> $ wget --content-on-error --save-header -q -O- https://www.google.com/ --header 'Host: test.appspot.com'
> HTTP/1.1 502 Bad Gateway
> Date: Wed, 18 Apr 2018 01:58:14 GMT
> Content-Type: text/html
> Server: HTTP server (unknown)
> Content-Length: 209
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
>
> <html><body><h1>502 Bad Gateway</h1><p>This HTTP request has a Host header that is not covered by the TLS certificate used. Due to an infrastructure change, this request cannot be processed.</p></body></html>
I happened to notice because traffic to the Snowflake bridge went to
zero. Snowflake uses a domain-fronted request to bootstrap a connection.
https://bugs.torproject.org/25804
For us, losing App Engine isn't a major problem: we can switch to
alternate domain fronts pretty easily, or use other techniques that
don't relay on fronting (like the DNS-over-HTTPS idea I posted about a
little while ago). Also, there are not very many Snowflake users yet 😀
On the Tor ticket, an anonymous user noticed that you can still reach
*.appspot.com if you make the TLS request without SNI. There are a bunch
of caveats there: it may not remain that way long-term; SNI-less
connections are probably more conspicuous; and you have to do extra work
in your code to verify the certificate properly. But it may be useful
information, depending on your situation.
Adam Fisk
Apr 18, 2018, 1:08:11 AM4/18/18
to traff...@googlegroups.com
Interesting David. At Lantern we’ve primarily not used SNI really from the beginning in our domain fronting implementation, and it’s worked fine. Advertising any domain that may or may not be blocked at some future time is itself a liability. The percentage of connections not using SNI has dropped considerably over the past 4 years, however, so it’s certainly more conspicuous now.
Interestingly CloudFlare initially did exactly what Google has done here before at some point realizing that DF without SNI still worked and killing that too (about a 6 month gap IIRC).
I’m still highly skeptical any DNS over HTTPS approach would work certainly in China but you never know maybe they magically wouldn’t block it for some reason I’m missing.
-Adam
--
You received this message because you are subscribed to the Google Groups "Network Traffic Obfuscation" group.
To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
![Vinicius Fortuna [vee-NEE-see.oos]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjUdMlv5CXZBzwzNk4KWic5mfObQ32UL0JJ3KF3DDXeXhoc3jWBK6w=s40-c)
Vinicius Fortuna [vee-NEE-see.oos]
Apr 26, 2018, 1:23:08 PM4/26/18
to af...@getlantern.org, Network Traffic Obfuscation
FYI, domain fronting among Google properties still work:
curl https://www.gmail.com -H "Host: www.youtube.com" | grep 'title>'
As well as domain fronting within Google Cloud:
What you can't do anymore is cross the Google properties-Google Cloud boundary:
curl-v https://www.snapchat.com -H "Host: www.youtube.com" | grep 'title
Nathan Freitas
Apr 26, 2018, 11:42:28 PM4/26/18
to Vinicius Fortuna [vee-NEE-see.oos], Adam Fisk, Network Traffic Obfuscation
Interesting.... Snowflake via Snapchat!
Reply all
Reply to author
Forward
0 new messages