undefined | Better HN

0 pointsmikecb9y ago0 comments

Parent suggested deploying TLS from origin to Cloudflare would resolve this. Simply pointing out that it will not.

0 comments

4 comments · 1 top-level

aptwebapps9y ago· 3 in thread

The post said that Cloudfare communicates with TPB via its IP address, not its host name, and that Airtel must be sniffing the hostname out of the header. So if they went full TLS Airtel would have to block the relevant IPs, which can be a little harder to find out, instead of the host.

scurvy9y ago

Most layer 7 blocking mechanisms look for the SNI header in a TLS datagram or the host header. It's not complicated and trivial to do. Only looking at the host header would be quite amateurish. I'm not a security expert, and even I know this.

CF could use some sort of IPSec or SSL tunnel back to another datacenter to make the origin request. It would add a lot of latency, but it would ensure that local authorities don't mess with the traffic. This was a popular way for CDN's to get around China for a while. I believe one CDN provider billed it as "Secure origin routing." I doubt that they still offer it, as everyone wants to play ball and make money in the end.

astrange9y ago

Cloudflare does use SNI to talk to origin servers.

captn3m09y ago

only if the origin server uses HTTPS and SNI.

j / k navigate · click thread line to collapse