-
-
Notifications
You must be signed in to change notification settings - Fork 103
Spoof SNI
We can use SNI spoofing when the Tor connection is blocked. You can add sites that are not blocked as SNIs. And you can connect to the Tor network using vanilla bridges or without bridges at all. There is no point in using SNI with other types of bridges, as it will have no effect.
Imagine you’re sending a letter to a big building with many companies inside. Without SNI, it’s like addressing the letter only to the building itself, not to a specific company. But with SNI, you can specify the exact company you’re sending the letter to.
Similarly, when you visit a website hosted on a server that hosts multiple websites, SNI allows your web browser to tell the server which website you want to visit, so it can serve you the correct one. It’s like giving the server the name of the specific website you’re interested in, instead of just asking for the general server. This helps in situations where multiple websites share the same IP address, making sure you get to the right one.
The problem with SNI, HTTPS encryption and censorship is like trying to hide a book by simply not letting it to be opened. Even if you securely lock the cover of a book (encrypt the data), anyone can still see the title of the book because it’s not hidden. Similarly, HTTPS encryption encrypts the content but leaves the “title” (SNI) of the site visible.
In countries where internet censorship is strict, governments often block access to certain websites by monitoring the server names users are trying to connect to. Since SNI isn't encrypted, it’s easy for censors to see which websites users are trying to visit and block them accordingly. This undermines efforts to bypass censorship because even if the content of the website is encrypted, the censor can still identify and block access to it based on the visible server name.
Bypassing censorship with spoofing SNI is like disguising the title of a book so it appears to be something else. In this case, when your browser communicates with a server using SNI, it sends a message saying, “Hey, I want to visit website X.” But with SNI spoofing, your browser sends a different message, saying, “I want to visit website Y,” even though you actually want to visit website X.
Censors block access to websites by monitoring these messages. If they see a request to visit a banned website (website X), they block it. However, if the SNI is spoofed to say you’re visiting a different, allowed website (website Y), the censor might not recognize it and let the connection through.
So, by spoofing the SNI, you trick the censor into allowing access to the website you want to visit, even though it’s supposed to be blocked. It’s like sneaking past a guard by wearing a disguise.