<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>So I've spent some time today trying to understand the various
hoopla around "domain fronting". And it's a TOCTOU bug that cloud
providers could fix, but hopefully won't. Previous state of the
art in bypassing WebSense and Cisco's proxy and FortiGate and the
rest was just to hack some random PHP website. This never gets
old, and is a good warm-up for real hacking. <br>
</p>
<p>The basic understanding is that when you make an HTTPS request,
the server presents to you the SSL cert for the website you've
requested in your SNI extension header (which is essentially any
server set up with CloudFront or any CDN). Then once your
connection is established, you request a different virtual host
using the Host header.</p>
<p>You can see why AVs that inject into browsers and network proxy
appliances want to do MITM on every SSL connection, despite it
annoying <a href="http://infiltratecon.com/speakers.html">INFILTRATE's
keynote speaker</a>. :)</p>
<p>-dave<br>
</p>
<ul>
<li> <a class="moz-txt-link-freetext" href="https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/">https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/</a></li>
<li><a class="moz-txt-link-freetext" href="http://blog.attackzero.net/2015/11/domain-fronting-and-you.html?m=1">http://blog.attackzero.net/2015/11/domain-fronting-and-you.html?m=1</a>
(SNI Explanation)<br>
</li>
<li><a class="moz-txt-link-freetext" href="https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/">https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/</a></li>
<li><a class="moz-txt-link-freetext" href="https://www.youtube.com/watch?v=IKO1ovl7Ky4">https://www.youtube.com/watch?v=IKO1ovl7Ky4</a> (CS, HTTP)<br>
</li>
<li><a class="moz-txt-link-freetext" href="https://www.youtube.com/watch?v=WowECw4YePU">https://www.youtube.com/watch?v=WowECw4YePU</a> (CS, HTTPS)<br>
</li>
<li><a class="moz-txt-link-freetext" href="http://www.icir.org/vern/papers/meek-PETS-2015.pdf">http://www.icir.org/vern/papers/meek-PETS-2015.pdf</a></li>
<li><a class="moz-txt-link-freetext" href="https://vimeo.com/202836537">https://vimeo.com/202836537</a> (INNUENDO)<br>
</li>
</ul>
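<p>Added example, not part of the original post: a defender-side check that a TLS-intercepting proxy could run, comparing the SNI from the handshake with the Host header seen inside the decrypted request. The record fields, labels and hostnames are assumptions constructed for illustration.</p>

```python
# Added example (not from the original post): compare TLS SNI with the HTTP Host
# header seen by a TLS-intercepting proxy. Field names and hostnames are constructed.
from dataclasses import dataclass

@dataclass
class Request:
    sni: str          # server_name sent in the ClientHello
    host: str         # Host header read after TLS interception
    cert_sans: tuple  # SAN entries of the certificate the server presented

def normalize(name):
    """Lower-case, drop an optional :port and a trailing dot."""
    name = name.strip().lower()
    if not name.startswith("[") and ":" in name:  # leave IPv6 literals alone
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")

def san_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern = normalize(pattern)
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def classify(req):
    sni, host = normalize(req.sni), normalize(req.host)
    if sni == host:
        return "ok"
    # Host differs but is covered by the same certificate: typical of
    # connection reuse between sibling names, lower priority.
    if any(san_matches(p, host) for p in req.cert_sans):
        return "mismatch-same-cert"
    # Host is a name the presented certificate does not cover at all.
    return "fronting-suspect"

SAMPLE = [  # constructed records
    Request("www.example.com", "www.example.com", ("www.example.com",)),
    Request("static.example.com", "API.example.com:443", ("*.example.com",)),
    Request("static.example.com", "d111.tenant.example", ("*.example.com", "example.com")),
]

def suspects(records):
    return [r.host for r in records if classify(r) == "fronting-suspect"]

if __name__ == "__main__":
    for r in SAMPLE:
        print(classify(r), r.sni, r.host)
```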
</body>
</html>