Hacker News new | ask | show | jobs
by gruez 155 days ago
>GFW has been able to filter SNI to block https traffic for a few years now.

SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (eg. shadowsocks).
1 comments
rfv6723 155 days ago
> because any commercial VPN is going to be blocked by IP, no need for SNI.

Proxy server can hide behind CDN like Cloudflare via websocket tunnel.

This is why GFW develops SNI filter, Cloudflare is too big to block.

link
gruez 155 days ago
>Proxy server can hide behind CDN like Cloudflare via websocket tunnel.

cloudflare doesn't support domain fronting so any SNI spoofing won't work.

link
eptcyka 155 days ago
CDN traffic is quite expensive, don’t believe it would be feasible to provide a VPN product for that. But for individuals, sure.
link