undefined | Better HN

0 pointsretrodaredevil9mo ago0 comments

It seems that the list of destination IPs would then be determined by whatever the domains listed resolve to (I assume). Since it's trivial to update DNS records, I wonder if they could lead to automated blocking of whatever IP those domains point to.

With that in place, I wonder if that could ever be abused by these pirate sites. Imagine temporarily pointing your pirate site domain name at a valid IP address. When you do that, in theory ISPs (and now VPNs) would automatically block perfectly valid IPs.

This would only happen if the owners of the pirate site domains actually try to do something malicious like that, but I know there are instances in the past of ISPs blocking cloudflare IPs (which is a separate issue, but the scenario I just made up reminds me of it).

0 comments

numpad09mo ago

That's called domain fronting. CDNs already switch between virtual hosts with headers on HTTP requests and HTTPS TLS SNI, so this even passively happen sometimes.

Now, HTTP headers and SNI are both unencrypted, so oppressive governments abuse these. Obvious fix is to make'em encrypted by enforcing HTTPS everywhere and upgrading SNI to ESNI with DoH-obtained per-server public keys.

Some of offensive side fixes to the defensive side fix are: blocking ESNI, blocking DoH, forcing use of MITM proxy, just blaming strawman terrorist groups for having to block affected IPs. etc.

sidewndr469mo ago

Couldn't a VPN provider just start updating their DNS entries to respond with IPs of the French government around the time the block goes into place? So the ISPs would be forced to block access to the French government websites?

AnthonyMouse9mo ago

If they wanted to troll better they'd point them at the websites of the official streaming service.

sidewndr469mo ago

Yeah, good point. That could work as well.

j / k navigate · click thread line to collapse

0 pointsretrodaredevil9mo ago0 comments

0 comments

numpad09mo ago

That's called domain fronting. CDNs already switch between virtual hosts with headers on HTTP requests and HTTPS TLS SNI, so this even passively happen sometimes.

Some of offensive side fixes to the defensive side fix are: blocking ESNI, blocking DoH, forcing use of MITM proxy, just blaming strawman terrorist groups for having to block affected IPs. etc.

sidewndr469mo ago

AnthonyMouse9mo ago

If they wanted to troll better they'd point them at the websites of the official streaming service.

sidewndr469mo ago

Yeah, good point. That could work as well.

j / k navigate · click thread line to collapse