net4people / bbs

Forum for discussing Internet censorship circumvention

dpi bypassing idea #412

Open dragonbreath2000 opened 2 days ago

dragonbreath2000 commented 2 days ago

A dpi bypassing strategy

This idea came to my brain some time ago. This idea works by letting the client browser do pretty much everything (instead of a TLS tunnel), so there will be almost no characteristics. Explaining it is a little hard for me, but I'll do my best. Imagine we want to access youtube.com; well, the SNI is blocked. We usually use TLS tunnels to encrypt the entire connection, but encrypting the entire connection is not needed since browsers use TLS anyway. Instead of encrypting, we change the SNI of the browser-initiated TLS handshake to trick the GFW.

This is how it goes:

The browser will send a client hello with SNI of blocked.com; the proxy client will change this to whitelisted.com and send it to the proxy server; the proxy server will change the SNI back to the original one and just forward the connection to the target website. You might ask how the server will know what the target website SNI is. I was thinking of a POST request through a CDN (or basically another route or channel outside this TCP connection).

The flow will be like this:

browser client hello (sni=blocked.com) --> (the original SNI value and some auth password will be sent through a POST request with a CDN) --> proxy server (after authentication, change SNI back to whitelisted.com) --> target website

If the browser uses TLS 1.3, changing the SNI is enough, but for TLS 1.2 we have to fake the server certificate as well. In this strategy, the TLS fingerprint will be the initiator of the connection. There is no TLS tunnel, so there are no TLS-in-TLS characteristics. I have some experience with Go; I think I can write it some time later, but I am super busy right now. I posted this issue so I could get some feedback or suggestions from experts. Thanks for reading this.
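The proposal rests on two things a DPI classifier and the proposed proxy both do to the same bytes: locating the host_name inside the ClientHello's server_name extension, and, for the proxy, replacing it without corrupting the record. The example below is added here to make that concrete; it is not code from this thread or from any net4people project. It is in Go because the poster mentions Go. It assembles a constructed ClientHello (`buildClientHello`, with a zero random and a single cipher suite, not a capture), parses it the way an SNI-based classifier would (`findSNI`), and then shows why a naive substitution breaks the handshake: the host_name is wrapped in six nested length fields (record, handshake, extensions block, extension, server_name list, host_name), and every one of them has to be adjusted by the same delta (`rewriteSNI`). The names `blocked.example` and `allowed.example.net` are placeholders, and the parser assumes the extension carries one host_name entry, which is all the TLS RFCs permit in practice.

```go
package main

import (
	"errors"
	"fmt"
)

var errMalformed = errors.New("malformed ClientHello")

func u16(b []byte) int      { return int(b[0])<<8 | int(b[1]) }
func put16(b []byte, v int) { b[0], b[1] = byte(v>>8), byte(v) }

// buildClientHello assembles a minimal, constructed TLS ClientHello record
// (legacy_version 0x0303, zero random, one cipher suite, one extension) that
// carries a single server_name extension. Sample input, not a real capture.
func buildClientHello(sni string) []byte {
	name := []byte(sni)
	ext := make([]byte, 5+len(name)) // list len(2) | name_type(1)=host_name | name len(2) | name
	put16(ext, 3+len(name))
	put16(ext[3:], len(name))
	copy(ext[5:], name)

	exts := make([]byte, 4+len(ext)) // type(2)=0x0000 server_name | len(2) | body
	put16(exts[2:], len(ext))
	copy(exts[4:], ext)

	body := []byte{0x03, 0x03}                  // legacy_version
	body = append(body, make([]byte, 32)...)    // random (zeros, constructed)
	body = append(body, 0x00)                   // legacy_session_id: empty
	body = append(body, 0x00, 0x02, 0x13, 0x01) // cipher_suites: TLS_AES_128_GCM_SHA256
	body = append(body, 0x01, 0x00)             // legacy_compression_methods: null
	body = append(body, byte(len(exts)>>8), byte(len(exts)))
	body = append(body, exts...)

	hs := []byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))} // handshake type client_hello + 24-bit length
	hs = append(hs, body...)

	rec := []byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))} // record type handshake, version, length
	return append(rec, hs...)
}

// sniLocation records the offsets (into the whole record) of the host_name and
// of every enclosing length field that a rewrite must keep consistent.
type sniLocation struct {
	ExtsLen, ExtLen, ListLen, NameLen int // offsets of 2-byte length fields
	Start, End                        int // byte range of the host_name itself
}

// findSNI walks the ClientHello exactly as an SNI classifier would and returns
// the host_name plus the offsets needed to patch it. Every length is checked
// against the buffer, so a corrupted rewrite is rejected rather than misread.
func findSNI(rec []byte) (string, sniLocation, error) {
	if len(rec) < 9 || rec[0] != 0x16 || u16(rec[3:])+5 != len(rec) {
		return "", sniLocation{}, errMalformed
	}
	hs := rec[5:]
	if hs[0] != 0x01 || int(hs[1])<<16|int(hs[2])<<8|int(hs[3])+4 != len(hs) {
		return "", sniLocation{}, errMalformed
	}
	p := 4 + 2 + 32 // skip handshake header, legacy_version, random
	if p >= len(hs) {
		return "", sniLocation{}, errMalformed
	}
	p += 1 + int(hs[p]) // legacy_session_id
	if p+2 > len(hs) {
		return "", sniLocation{}, errMalformed
	}
	p += 2 + u16(hs[p:]) // cipher_suites
	if p+1 > len(hs) {
		return "", sniLocation{}, errMalformed
	}
	p += 1 + int(hs[p]) // legacy_compression_methods
	if p+2 > len(hs) {
		return "", sniLocation{}, errMalformed
	}
	extsLenOff := 5 + p
	extsLen := u16(hs[p:])
	p += 2
	if p+extsLen != len(hs) {
		return "", sniLocation{}, errMalformed
	}
	for p+4 <= len(hs) {
		typ, extLen, extLenOff := u16(hs[p:]), u16(hs[p+2:]), 5+p+2
		p += 4
		if p+extLen > len(hs) {
			return "", sniLocation{}, errMalformed
		}
		if typ == 0x0000 { // server_name
			ext := hs[p : p+extLen]
			if len(ext) < 5 || u16(ext)+2 != len(ext) || ext[2] != 0 || 5+u16(ext[3:]) != len(ext) {
				return "", sniLocation{}, errMalformed
			}
			loc := sniLocation{ExtsLen: extsLenOff, ExtLen: extLenOff, ListLen: 5 + p, NameLen: 5 + p + 3, Start: 5 + p + 5}
			loc.End = loc.Start + u16(ext[3:])
			return string(ext[5:]), loc, nil
		}
		p += extLen
	}
	return "", sniLocation{}, errors.New("no server_name extension")
}

// rewriteSNI replaces the host_name and adjusts all six enclosing lengths by
// the size difference; skipping any one of them yields a record that peers
// (and findSNI) reject as malformed.
func rewriteSNI(rec []byte, newName string) ([]byte, error) {
	_, loc, err := findSNI(rec)
	if err != nil {
		return nil, err
	}
	if newName == "" || len(newName) > 0xffff {
		return nil, errors.New("invalid host_name length")
	}
	delta := len(newName) - (loc.End - loc.Start)
	out := make([]byte, 0, len(rec)+delta)
	out = append(out, rec[:loc.Start]...)
	out = append(out, newName...)
	out = append(out, rec[loc.End:]...)
	for _, off := range []int{3, loc.ExtsLen, loc.ExtLen, loc.ListLen, loc.NameLen} {
		put16(out[off:], u16(out[off:])+delta) // record, extensions, extension, list, name
	}
	hsLen := (int(out[6])<<16 | int(out[7])<<8 | int(out[8])) + delta // 24-bit handshake length
	out[6], out[7], out[8] = byte(hsLen>>16), byte(hsLen>>8), byte(hsLen)
	return out, nil
}

func main() {
	rec := buildClientHello("blocked.example")
	name, _, _ := findSNI(rec)
	fmt.Printf("original SNI %q, record %d bytes\n", name, len(rec))
	out, err := rewriteSNI(rec, "allowed.example.net")
	if err != nil {
		panic(err)
	}
	name, _, _ = findSNI(out)
	fmt.Printf("rewritten SNI %q, record %d bytes\n", name, len(out))
}
```

Two points the code makes that the sketch above leaves implicit: the classifier needs only the first TLS record to read the name, which is why SNI-based blocking is cheap, and a rewriting proxy that touches the name must re-parse its own output, since a single stale length field turns the ClientHello into a record the real server will reject. The TLS 1.2 certificate problem the poster raises is untouched by this: the rewrite only changes what the middlebox sees in the ClientHello.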

underdog-03 commented 1 day ago

Hey, your idea of bypassing Deep Packet Inspection (DPI) by playing around with the TLS handshake instead of wrapping everything up in an encrypted tunnel is super clever! Definitely a creative approach.

wkrp commented 1 day ago

@underdog-03, it looks like you have given the topic of this thread to a generative text algorithm and asked it to generate a reply for you. Please don't do that.

@dragonbreath2000 I am planning to reply with some pointers to existing research along the lines of what you have proposed, but it takes some time to gather that information. For one idea that is similar to what you are thinking of, see BlindTLS in #86, which "does the TLS handshake—and only the handshake—over an encrypted, unblockable proxy".