net4people / bbs

Forum for discussing Internet censorship circumvention

Filtering of TLS with specific features to www.youtube.com in Russia #85

Open wkrp opened 2 years ago

wkrp commented 2 years ago

This is information from https://ntc.party/t/tls-youtube/1311. Since 2021-09-15, some users in Russia of NewPipe, a video stream app for Android, have not been able to load contents from YouTube.

https://github.com/TeamNewPipe/NewPipe/issues/7114

Another app called SmartTubeNext is also reportedly affected. @ValdikSS and others did some quick research and found that TLS connections are blocked under very specific conditions, a combination of TLS fingerprinting and SNI matching. Some of their observations:

NewPipe uses OkHttp with a custom TLS configuration, leading to a distinctive TLS fingerprint.

Because the detection rule is so narrowly focused, the evident intent of the block is not actually to block YouTube or NewPipe. Rather, the suspicion is that it's meant to block an app that does domain fronting using www.youtube.com as a front domain. (Possibly the Smart Voting app already mentioned at https://github.com/net4people/bbs/issues/81#issuecomment-918391462.)

Besides the NewPipe issue, in the last 24 hours there have also been reported blocks of docs.google.com:

and telegra.ph:

ValdikSS commented 2 years ago

> NewPipe uses OkHttp with a custom TLS configuration, leading to a distinctive TLS fingerprint.

It turned out that no, it doesn't. It uses this hack only on older Android devices (KitKat 4.4), but modern devices use stock okhttp "modern cipher" configuration. That's why SmartTubeNext is also affected, as well as any application which uses okhttp to access youtube I guess.

wkrp commented 2 years ago

> > NewPipe uses OkHttp with a custom TLS configuration, leading to a distinctive TLS fingerprint.
>
> It turned out that no, it doesn't. It uses this hack only on older Android devices (KitKat 4.4), but modern devices use stock okhttp "modern cipher" configuration. That's why SmartTubeNext is also affected, as well as any application which uses okhttp to access youtube I guess.

Oh, I see. There must be many apps that use OkHttp in that configuration, but I guess only a few of them access www.youtube.com specifically.

Thanks for your quick action in diagnosing the characteristics of the detection rule.
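Added example, not part of the original thread or of any project's code: a sketch of why a rule that requires both a TLS fingerprint match and an SNI match affects only clients with one TLS stack connecting to one host. The fingerprint is a simplified JA3-style hash (version, cipher suites, extension types only); the helper names and the sample ClientHello contents are constructed for illustration and are not the actual rule or OkHttp's real parameters.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 placeholder values

def build_client_hello(sni, ciphers, ext_types=()):
    """Constructed sample input: a minimal ClientHello record (not a capture)."""
    name = sni.encode("ascii")
    exts = [(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)]
    exts += [(t, b"") for t in ext_types]
    ext_bytes = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in exts)
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def observe(record):
    """Return (sni, fingerprint): the cleartext fields an on-path observer can read."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    version = struct.unpack("!H", record[9:11])[0]
    p = 43                                  # 5 record hdr + 4 handshake hdr + 2 version + 32 random
    p += 1 + record[p]                      # skip session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + record[p]                      # skip compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
    sni, ext_types = None, []
    while p + 4 <= min(end, len(record)):
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        ext_types.append(etype)
        if etype == 0:                      # server_name: list len, name type, name len, name
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            sni = record[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    fields = [[version], [c for c in ciphers if c not in GREASE],
              [e for e in ext_types if e not in GREASE]]
    text = ",".join("-".join(map(str, f)) for f in fields)
    return sni, hashlib.sha256(text.encode()).hexdigest()[:16]

def rule_matches(record, rule_sni, rule_fp):
    """True only when both the SNI and the fingerprint match the rule."""
    sni, fp = observe(record)
    return sni == rule_sni and fp == rule_fp
```

Running `observe` on a capture of your own client's first flight shows which of the two conditions it would satisfy, which is the same comparison used in the thread to tell the affected apps apart.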

wkrp commented 2 years ago

The block was removed on 2021-09-18.

https://github.com/TeamNewPipe/NewPipe/issues/7114#issuecomment-922355438

> Rather, the suspicion is that it's meant to block an app that does domain fronting using www.youtube.com as a front domain. (Possibly the Smart Voting app already mentioned at https://github.com/net4people/bbs/issues/81#issuecomment-918391462.)

The hypothesis that the Smart Voting app was the target of the block is likely false. I did some light reverse engineering of the app, and although it uses the same OkHttp as NewPipe, I did not find the string "youtube". (The app does contain, however, domain names of Google, Cloudflare, and OpenDNS encrypted DNS resolvers.)

wkrp commented 2 years ago

> The hypothesis that the Smart Voting app was the target of the block is likely false. I did some light reverse engineering of the app, and although it uses the same OkHttp as NewPipe, I did not find the string "youtube".

The version I tested was version 2.0, dated 2021-08-15. @darkk found a newer version, version 2.2, which does contain the string "www.youtube.com". So the domain-fronting hypothesis is again a possibility, though @darkk says that the TLS fingerprint of version 2.2 of the app still differs from the TLS fingerprint of NewPipe.

There is no source code, but at least two sources for binary packages.

For me, both downloads are identical, sha256sum 58913378ea52b6effa28117f201ae73f4ae473fd2aa965627f7b1c07b4350c20.