Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>GFW has been able to filter SNI to block https traffic for a few years now.

SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (eg. shadowsocks).



> because any commercial VPN is going to be blocked by IP, no need for SNI.

Proxy server can hide behind CDN like Cloudflare via websocket tunnel.

This is why GFW develops SNI filter, Cloudflare is too big to block.


>Proxy server can hide behind CDN like Cloudflare via websocket tunnel.

cloudflare doesn't support domain fronting so any SNI spoofing won't work.


CDN traffic is quite expensive, don’t believe it would be feasible to provide a VPN product for that. But for individuals, sure.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: