This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Efficiently Bypassing SNI-based HTTPS Filtering #12235

Closed
HLFH opened this issue Dec 9, 2017 · 8 comments
@HLFH

HLFH commented Dec 9, 2017

I should specify that I am using the Quad9 public DNS resolver to bypass DNS filtering issues.

Use case: In London, UK, the ISP TalkTalk is performing HTTPS traffic filtering based on SNI. When you open https://thepiratebay.org, the firewall of TalkTalk inspects:

the SNI within the Client-Hello message to check if the "server name" is in a black/white list or not, and according to the response, the firewall resets the connection or allows the Client-Hello message to pass toward the destination server, and further complete the TLS handshake.

[Image: snifiltering]

[Image: snihttpsfiltering]

See here for a comparison of Brave and Firefox 32 with the Escape extension.

Workaround solutions:

  1. Use Firefox browser with the Escape extension compatible up to Firefox 32.
  2. Use a browser that is not compatible with SNI like Firefox 1.
  3. Use Tor Browser
  4. Implement Tor Private Browsing tabs within Brave
  5. Use a VPN
  6. Implement opt-in feature to enable override of the "server name" field of the SNI extension
  7. Wait for implementation of SNI encryption within TLS 1.3 or TLS 1.4

In France, they may implement the same Internet censorship as the UK in the next three years. Considering the fact that in the West you have a New Democrats political agenda that is enforcing measures of censorship of political dissidents or, in general, counter-cultures opposed to neoliberalism and societal collapse, I would advise Brave to add the possibility to bypass SNI-based HTTPS filtering, for example, by overriding the "server name" field of the SNI extension.

In the base specification of TLS 1.3, there is still no plan to implement SNI encryption, even though there are an interesting IETF Internet-Draft and slides that promote it wisely.

Research paper source

@bsclifton bsclifton added this to the Triage Backlog milestone Dec 10, 2017
@diracdeltas
Member

I think disabling SNI generally is a non-starter. Opt-in override might be doable. Most likely our short-term fix is going to be Tor private tabs and the longer-term fix is pushing for SNI encryption in future TLS specs.

@bsclifton bsclifton modified the milestones: Triage Backlog, 0.23.x (Developer Channel) May 2, 2018
@diracdeltas
Member

closed by tor/0.23.x branch

@aaomidi

aaomidi commented Aug 12, 2018

Can we change the SNI value without using tor?

@mrsylerpowers

@aaomidi I was also wondering that. Like even if it is possible to create an extension like escape.

@diracdeltas
Member

diracdeltas commented Sep 6, 2018

Extensions in Chrome/Brave can't modify TLS info

@aaomidi

aaomidi commented Sep 8, 2018

Is it possible to add support to brave just for this?

This would literally bypass Iran, China, and Russia's internet blocking without the speed loss that comes with Tor/VPN.

@diracdeltas
Member

that's an interesting idea. do you know how servers generally respond to a spoofed SNI value (say for a hostname that doesn't exist on that server)?

@aaomidi

aaomidi commented Sep 8, 2018

It depends on the service; for example, Google/Facebook/other major sites with SAN certificates don't care at all what's in there.
