Hacker News new | ask | show | jobs
by aasasd 1893 days ago
The Great Firewall does probing for ages now. It pauses the connection and sends its own request, checking what kind of protocol the server returns. Nothing stops these firewalls from trying ‘connect-ip’. The path could be used as a secret ‘key’ to thwart too-curious firewalls (though the protocol probably won't do much against DPI anyway).
1 comments
shawnz 1893 days ago
Why not just require authentication?
link
tmp538394722 1893 days ago
The goal is to look like normal boring traffic.
link
shawnz 1893 days ago
The parent is talking about having the firewall attempt its own request, not some kind of sniffing (which shouldn't be possible with TLS)
link
saurik 1893 days ago
It would then be weirdly important that a mis-authenticated CONNECT-IP then look the same as if CONNECT-IP were not implemented, as opposed to returning an authorization error of some kind (which seems weirder than hiding the method via the path).
link
shawnz 1893 days ago
True. But the path method has issues too, like, how would you implement that with HTTP 1.1? The "path" field is actually part of the target, so you would have to send the request like `CONNECT-IP https://remote-server/mount-point` which seems backwards. (EDIT: and also you still need to make sure you don't give the wrong kind of error if the path is wrong, like a 404 instead of a 501 not implemented or whatever)

As a possible solution for the discovery by authorization error problem, maybe a convention could be established where an authorization error is returned by default if CONNECT-* isn't configured.

link
saurik 1893 days ago
Huh. It is possible that I simply didn't understand the spec, as I was (and am...) pretty sure that CONNECT-IP (at least at the HTTP semantics level) just takes a path (and only /)--like GET--without an associated "extra" authority, as it is creating an IP tunnel: there is no remote host (as there would be with an old-school CONNECT); like, what is the "target" here? I am just talking to the server and asking it to give me an IP bridge, right? What does "remote-server" represent to an IP tunnel?
link
aasasd 1893 days ago
I guess authentication via https before ‘connect-ip’ would work. Or, authenticating with headers in the same first ‘connect-ip’ request, if the server responds with ‘invalid method’ when not authenticated.
link
aasasd 1893 days ago
By the way, probing at connection time, that I mentioned in my original comment, isn't actually necessary. The GFW will just scan known popular-ish hosts, trying ‘connect-ip’ and banning everything that works as a proxy. (Connection-time probing would just make it easier to discover the hosts, such that collecting the IPs and stats separately is not needed.)
link