[Dailydave] Confusion and hosts and reputation

dave aitel dave at immunityinc.com
Tue Feb 7 15:32:02 EST 2017


So I've spent some time today trying to understand the various hoopla
around "domain fronting". And it's a TOCTOU bug that cloud providers
could fix, but hopefully won't. Previous state of the art in bypassing
WebSense and Cisco's proxy and FortiGate and the rest was just to hack
some random PHP website. This never gets old, and is a good warm-up for
real hacking.

The basic understanding is that when you make an HTTPS request, the
server presents to you the SSL cert for the website you've requested in
your SNI extension header (which is essentially any server set up with
Cloudfront or any CDN). Then once your connection is established, you
request a different virtual host using the Host header.

You can see why AVs that inject into browsers and network proxy
appliances want to do MITM on every SSL connection, despite it annoying
INFILTRATE's keynote speaker <http://infiltratecon.com/speakers.html>. :)

-dave

  * https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/
  * http://blog.attackzero.net/2015/11/domain-fronting-and-you.html?m=1
    (SNI Explanation)
  * https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
  * https://www.youtube.com/watch?v=IKO1ovl7Ky4 (CS, HTTP)
  * https://www.youtube.com/watch?v=WowECw4YePU (CS, HTTPS)
  * http://www.icir.org/vern/papers/meek-PETS-2015.pdf
  * https://vimeo.com/202836537 (INNUENDO)
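
Added example, not part of the original post: a defender-side check that compares the TLS SNI name with the HTTP Host header in records from a TLS-inspecting proxy, which is the mismatch the message describes. The record schema (`sni`, `host`, `cert_sans`), the verdict names and the sample records are assumptions constructed for illustration.

```python
# Added example: flag SNI/Host mismatches in TLS-inspection proxy records.
# The record fields (sni, host, cert_sans) are a hypothetical log schema.

def normalize(name):
    """Lower-case a hostname, drop a trailing dot and any :port suffix."""
    name = name.strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return name[1:name.find("]")]
    if name.count(":") == 1:            # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")

def san_covers(san, host):
    """True if a certificate SAN (exact or single-label wildcard) covers host."""
    san = normalize(san)
    if san.startswith("*."):
        # A wildcard matches exactly one left-most label.
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def classify(record):
    """Return 'match', 'cert-covered' or 'mismatch' for one inspected request."""
    sni, host = normalize(record["sni"]), normalize(record["host"])
    if sni == host:
        return "match"
    if any(san_covers(s, host) for s in record.get("cert_sans", [])):
        return "cert-covered"   # the presented certificate is valid for both names
    return "mismatch"           # Host names a vhost the certificate never claimed

# Constructed sample records (not real traffic; example.* names are placeholders).
RECORDS = [
    {"sni": "www.example.com", "host": "WWW.EXAMPLE.COM:443",
     "cert_sans": ["www.example.com"]},
    {"sni": "cdn.example.com", "host": "img.example.com",
     "cert_sans": ["*.example.com"]},
    {"sni": "allowed.example.net", "host": "other-tenant.example.org",
     "cert_sans": ["allowed.example.net"]},
]

def report(records):
    """Return (sni, host, verdict) for every record."""
    return [(r["sni"], r["host"], classify(r)) for r in records]

if __name__ == "__main__":
    for sni, host, verdict in report(RECORDS):
        print(f"{verdict:13} sni={sni} host={host}")
```

The check only works where the proxy terminates TLS, because the Host header travels inside the encrypted session; a `cert-covered` result can also be ordinary connection reuse and deserves lower priority than `mismatch`.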
