by apendleton 2972 days ago
Are you? It looks like the Amazon load balancers don't actually care what your SNI domain is when routing traffic. They terminate your TLS connection, and then use the domain in your actual HTTP request to route it, which is not Amazon's domain. Amazon's ability to allow these two domains to differ, and to mostly ignore the former, is the crux of this whole trick.

Does this mean that Cloudfront does not actually require (correct) SNI?

Example: Sending an HTTP request for signal.org over TLS to a Cloudfront IP address with the SNI set to "allergan.com" returns the signal.org web page, not the allergan.com web page.

Yes, this is the premise of domain fronting.
Still lying though, and it seems like that's a foundational problem. It's reasonable for a machine to refuse connections from a machine that has lied.