undefined | Better HN

0 pointsBuge9y ago0 comments

Well there's ALPN/NPN, but you could lie about those.

I would indeed find it surprising if any commercial firewalls distinguish websockets over TLS versus raw bytes over TLS. Not that it's impossible, but I wouldn't think it would be done commercially.

0 comments

3 comments · 1 top-level

peterwwillis9y ago· 2 in thread

Firewall packet inspection is basically just unpacking protocols layer by layer. Once you find the TCP or HTTP layer, you see if what follows looks like a WebSocket, which has a unique fingerprint and predictable elements. You can also look at streams and find patterns, like how one packet looks like HTTP, and then the following ones on the same stream don't look like HTTP. Initial versions may not be very accurate, but on "extremely paranoid" settings you can simply reject traffic that seems suspicious.

Also, having the DoD as a client will buy you some serious R&D time.

BugeOP9y ago

You can't unpack protocols layer by layer when they're encrypted.

peterwwillis9y ago

True, you would typically use machine learning, which can be used to identify and separate layers in protocols.

1 more reply

j / k navigate · click thread line to collapse