[HN Gopher] Domain Shadowing: Leveraging CDNs for Robust Blockin...
___________________________________________________________________
Domain Shadowing: Leveraging CDNs for Robust Blocking-Resistant
Communications
Author : Sami_Lehtinen
Score : 21 points
Date : 2021-04-24 18:45 UTC (4 hours ago)
(HTM) web link (blog.torproject.org)
(TXT) w3m dump (blog.torproject.org)
| thitcanh wrote:
| Just as a side-note since their example uses CloudFlare: I
| _think_ that host-rewriting is disabled on CloudFlare as a
| security or spam-avoidance feature.
|
| If you want to have CF change the host to something else, like
| censored.com, this domain must also be part of your controlled
| domains, which means CF can't be used for this purpose.
|
| This at least was the case last time I looked into this (12
| months ago).
|
| It's also possible that this feature is enabled for paying users,
| which I wasn't.
| luckylion wrote:
| You can do it with a Worker, it'll do completely independent
| requests to the backend and you can then rewrite them (e.g.
| change headers, content) and relay them to the client.
| VWWHFSfQ wrote:
| I found this to be the case on CloudFront as well. As far as
| I can tell, it's not possible to direct the request to a
| different, custom origin based on the Host header. Only the
| URL path.
|
| The recommendation is to use a Lambda@Edge worker to do it. I
| find this very annoying.
| arkadiyt wrote:
| This also has interesting implications for website operators who
| use ip allowlists to ensure they "only" receive incoming traffic
| from their own CDN account. For instance:
|
| - if you have corp-domain.com on Cloudflare with http basic auth
| enabled at the edge, which then proxies to your origin server
| which has an allowlist of Cloudflare ips, I can make my own
| account and configure it to point at your origin server, granting
| me access
|
| - if you depend on the cloudflare WAF to block certain attacks to
| your origin, I can bypass the WAF by configuring a cloudflare
| worker in my own account to send traffic to your origin
|
| - etc
| tgsovlerkhgsel wrote:
| Cloudflare also supports Authenticated Origin Pull, where the
| request from Cloudflare to the origin server will be
| authenticated with a client certificate.
|
| IIRC the same client cert was used for all customers, so the
| same method allowed you to bypass WAF/access rules etc. even if
| the victim had authenticated origin pull enabled, as long as
| the victim didn't validate the host header (which they wouldn't
| if they used the default setup from the official setup guide).
|
| Cloudflare knew about this for many months, possibly a year or
| multiple years, and I'm not sure if it's fixed or not.
|
| I'm not sure CF allows host-rewriting in this scenario.
|
| Edit: At least the authenticated origin pull setup guide is
| unchanged. Not going to verify the entire chain again.
| EE84M3i wrote:
| Allowing only IPs over your vendor of choice has never been
| secure. You need to additionally ensure the request is hitting
| your configuration, not someone else's.
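An origin-side check of the kind EE84M3i describes (and which would also have caught the shared-client-cert case tgsovlerkhgsel mentions), written here as an added example that is not from this thread or from any CDN vendor. It assumes your own CDN configuration injects a secret in a header named X-Origin-Auth (a hypothetical name) that other tenants of the same CDN cannot know, and it uses constructed placeholder IP ranges and hostnames.

```python
import hmac
import ipaddress

# Constructed placeholders: replace with the CDN's published egress ranges,
# your own zone names, and a secret configured only in your CDN account.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_HOSTS = {"corp-domain.com", "www.corp-domain.com"}
ORIGIN_SECRET = "constructed-example-secret"


def origin_request_allowed(remote_ip, headers):
    """Return (allowed, reason) for a request arriving at the origin.

    The source-IP check on its own only proves the request came via the CDN,
    not via *your* configuration; any other tenant can point their own zone or
    worker at this origin from the same IP ranges. The Host and secret-header
    checks tie the request to your configuration specifically.
    """
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "bad-ip"
    if not any(ip in net for net in CDN_RANGES):
        return False, "not-cdn-ip"

    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, "host-mismatch"

    # Constant-time compare so the secret cannot be guessed byte by byte.
    if not hmac.compare_digest(h.get("x-origin-auth", ""), ORIGIN_SECRET):
        return False, "missing-origin-secret"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one via your own CDN config, one via another
    # tenant's config on the same CDN, one straight from the internet.
    samples = [
        ("203.0.113.10", {"Host": "corp-domain.com", "X-Origin-Auth": ORIGIN_SECRET}),
        ("203.0.113.10", {"Host": "corp-domain.com"}),
        ("203.0.113.10", {"Host": "other-tenant.example", "X-Origin-Auth": ORIGIN_SECRET}),
        ("198.51.100.7", {"Host": "corp-domain.com", "X-Origin-Auth": ORIGIN_SECRET}),
    ]
    for ip, hdrs in samples:
        print(ip, hdrs.get("Host"), "->", origin_request_allowed(ip, hdrs))
```

Note that the secret header only helps if your CDN configuration overwrites any client-supplied value before forwarding, so that the origin never trusts a header the end client could have set.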
| cortesoft wrote:
| I am not authorized to view this page?
| RcouF1uZ4gsC wrote:
| > The user registers a random domain as the "shadow" domain, for
| example: shadow.com. We assume the censor won't block this newly
| registered domain.
|
| Can't the censor get a list of all registered domains and check
| if they end up serving the same content as a censored site? This
| seems like something that a dedicated censor should be able to
| do pretty easily.
|
| In addition, don't most domain registrars require some sort of
| payment and thus some type of identifying information? For those
| ones, the censoring authority can use that to track down who
| registered this shadow domain. The censoring authority can also
| block domains from registrars that allow anonymous/pseudonymous
| registration.
___________________________________________________________________
(page generated 2021-04-24 23:01 UTC)