undefined | Better HN

0 pointspilif9y ago0 comments

And this is why we want HTTPS everywhere. Yes. It would probably mean that the site is completely not reachable, but I prefer that to an altered response.

0 comments

4 comments · 2 top-level

apeace9y ago· 2 in thread

Unless I'm mistaken, the site could be made reachable if only TPB would enable SSL between Cloudflare and their origin.

Currently, Airtel is blocking based on the Host header. If they can't see the Host header, they'd have to instead know TPB's origin IP, which they wouldn't.

mikecb9y ago

TLS transmits the host in cleartext.

theandrewbailey9y ago

Completely beside the point. Airtel is obviously looking at the HTTP host header.

1 more reply

mschuster919y ago

It is still possible, it needs three things to work:

1) SNI indicators on the HTTPS handshake deliver the hostname to the DPI processor, be it on the connection Consumer => CF or CF => TPB.

2) Most likely the provider has a trusted CA... and CF => TPB connection does not support pinning.

3) Provider redirects to interceptor, which serves a "blocked" notice page, with a trusted HTTPS cert.

Alternative to 2 & 3 in case provider doesn't want to risk his CA: simply drop the connection by injecting a FIN packet once TPB is seen in the SNI headers.

j / k navigate · click thread line to collapse