Hacker News new | ask | show | jobs
by KayEss 2591 days ago
I was wondering what happens if you skip the SNI bit and just rely on the Host header in the data. Does that work?
2 comments
andreareina 2591 days ago
That's called "domain fronting", the major cloud providers disallow it and enforce that the Host header must match the SNI.
link
yardstick 2591 days ago
This is likely the major reason why China has not yet blocked the major cloud providers. As soon as they allow ESNI/domain fronting, all bets are off as to what China will block.
link
lostmsu 2590 days ago
They explicitly started doing this after Telegram used domain fronting to work around Russian censorship, which caused large chunks of AWS and GCP addresses to be blocked in Russia.
link
richardwhiuk 2591 days ago
You can only do that if you can present a single valid certificate for all of the hosts behind the IP address.
link