Open wkrp opened 7 months ago
Do I get it right that "grandfathered in" domain fronting will stop working on 2023-02-27 and new domain fronting will stop working immediately? What is the significance of the cert expiry then, is it "Feb 27 or that, whichever comes first"? Very confusing, I am also currently using domain fronting and have not received such an email, despite being affected.
Do I get it right that "grandfathered in" domain fronting will stop working on 2023-02-27 and new domain fronting will stop working immediately? What is the significance of the cert expiry then, is it "Feb 27 or that, whichever comes first"?
My read of this is that "new" domain fronting requests will stop working on 2023-02-27, where new here means that they do not have a record of any requests with the same Host header and front domain mismatch. The report they sent us contains a record of all such requests, so presumably any requests that have a different combination of Host header and front domain than those listed will be blocked after February 27th.
I can't speak for Fastly on the significance of the front domain certificate expiry, but if I had to guess, I would say that their implementation includes an exception for enforcing the match between the host and TLS certificate SAN entries if the certificate is older than February 27th (or some other date) in order to give their customers time to "correct" their requests. Once the certificates are renewed or updated, the timestamp would be newer than the cutoff date and requests to that front with mismatched hosts would begin to be blocked.
I am not sure how this will affect customers who have not received a report from them.
Sorry to correct you all, but 2024 Feb 27. As of Jan 19, fronted requests still work.
If I understand correctly, free accounts will stop working for fronting.
Today is the day. Fronting still works as of 06:11 EST.
@ValdikSS Same here. But I think this still tracks with @cohosh's explanation. Existing pairings of SNI to Host header still work but new deployments of domain fronting may not. It may also be that they are starting with only a few customers and will get to other accounts later. That would explain why only some customers have received emails.
Well, now it stopped working. Fronting no longer works for me on Fastly.
Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [e0b1ad3a7e7c0dccfce6f444920b7f483938b31f652d030b6f2291e01ba34da7] in use with this connection.
Visit https://docs.fastly.com/en/guides/common-400-errors#error-421-misdirected-request for more information.
It still works here (using the same fronting domain I've been using for months though)
Fronting works.... Try changing the address if it doesn't work.
I'm testing on www.techradar.com and www.wikihow.com as a fronted domain. It used to work all these months, today it doesn't.
However cdn.yelp.com, www.cosmopolitan.com, www.esquire.com, www.shazam.com still work.
It will work for front domains that have been used for domain fronting before and whose certificates have not been renewed since before February 27th, 2024. I just took a look at foursquare.com, which is the front used for the snowflake builtin bridge lines and for Tor Browser's moat settings. Their certificate renewed today at 12:21:56 UTC: https://crt.sh/?id=12239699880
Sure enough, neither Connect Assist nor the builtin Snowflake bridges are currently working.
Some Fastly users got an email saying that Fastly intends to stop allowing domain fronting on 2023-02-27.
https://lists.torproject.org/pipermail/anti-censorship-team/2023-October/000328.html
Previously: #67
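
The behaviour discussed in this thread (the 421 "host does not match any SANs" check, plus the guessed exemption for previously seen pairings on certificates issued before the cutoff) can be modelled as below. This is an added example, not part of any post above and not Fastly's code; the function names, the combination of the two exemption conditions, and all domains and dates are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumption: cutoff taken from the date discussed in the thread.
CUTOFF = datetime(2024, 2, 27, tzinfo=timezone.utc)


def san_matches(host, san):
    """Match a Host value against one SAN entry.

    Exact match, or a wildcard that covers exactly one left-most label
    (so *.front.example covers www.front.example but not a.b.front.example).
    """
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san


def decide(host, sni, sans, cert_not_before, seen_pairs):
    """Return 200 if the request is served, 421 if it is rejected."""
    if any(san_matches(host, s) for s in sans):
        return 200  # Host is covered by the certificate: no mismatch
    # Hypothetical grandfather rule, as guessed in the thread: a known
    # (SNI, Host) pairing keeps working until the certificate is renewed.
    if cert_not_before < CUTOFF and (sni, host) in seen_pairs:
        return 200
    return 421


if __name__ == "__main__":
    # Constructed sample data
    sans = ["front.example", "*.front.example"]
    seen = {("front.example", "hidden.example")}
    old = datetime(2023, 11, 1, tzinfo=timezone.utc)
    renewed = datetime(2024, 2, 27, 12, 21, 56, tzinfo=timezone.utc)
    for host, issued in [("www.front.example", renewed),
                         ("hidden.example", old),
                         ("hidden.example", renewed),
                         ("other.example", old)]:
        print(host, issued.date(),
              decide(host, "front.example", sans, issued, seen))
```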