<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>So I've spent some time today trying to understand the various
      hoopla around "domain fronting". And it's a TOCTOU bug that cloud
      providers could fix, but hopefully won't. Previous state of the
      art in bypassing WebSense and Cisco's proxy and FortiGate and the
      rest was just to hack some random PHP website. This never gets
      old, and is a good warm-up for real hacking. <br>
    </p>
    <p>The basic understanding is that when you make an HTTPS request,
      the server presents to you the SSL cert for the website you've
      requested in your SNI extension header (which is essentially any
      server set up with Cloudfront or any CDN). Then once your
      connection is established, you request a different virtual host
      using the Host header.</p>
    <p>You can see why AVs that inject into browsers and network proxy
      appliances want to do MITM on every SSL connection, despite it
      annoying <a href="http://infiltratecon.com/speakers.html">INFILTRATE's
        keynote speaker</a>. :)</p>
    <p>-dave<br>
    </p>
    <ul>
      <li> <a class="moz-txt-link-freetext" href="https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/">https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/</a></li>
      <li><a class="moz-txt-link-freetext" href="http://blog.attackzero.net/2015/11/domain-fronting-and-you.html?m=1">http://blog.attackzero.net/2015/11/domain-fronting-and-you.html?m=1</a>
        (SNI Explanation)<br>
      </li>
      <li><a class="moz-txt-link-freetext" href="https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/">https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/</a></li>
      <li><a class="moz-txt-link-freetext" href="https://www.youtube.com/watch?v=IKO1ovl7Ky4">https://www.youtube.com/watch?v=IKO1ovl7Ky4</a> (CS, HTTP)<br>
      </li>
      <li><a class="moz-txt-link-freetext" href="https://www.youtube.com/watch?v=WowECw4YePU">https://www.youtube.com/watch?v=WowECw4YePU</a> (CS, HTTPS)<br>
      </li>
      <li><a class="moz-txt-link-freetext" href="http://www.icir.org/vern/papers/meek-PETS-2015.pdf">http://www.icir.org/vern/papers/meek-PETS-2015.pdf</a></li>
      <li><a class="moz-txt-link-freetext" href="https://vimeo.com/202836537">https://vimeo.com/202836537</a> (INNUENDO)<br>
      </li>
    </ul>
  </body>
</html>