    On 30 July the GFW began blocking Encrypted Server Name Indication (ESNI), an extension to TLS 1.3 that improves the privacy and security of the connection between a user and the site being visited.
    Testing found that when a TLS client sending the ESNI extension connects to a server on Cloudflare's CDN, the firewall blocks the ESNI connection by dropping packets travelling from the client to the server. The blocking is not limited to port 443: it applies to every port from 1 to 65535. After blocking the ESNI handshake, the firewall continues for a period of time to block any connection that matches the same (source IP, destination IP, destination port) 3-tuple.

    The Great Firewall of China may have identified and blocked Cloudflare’s ESNI implementation.

    We have found that when using a TLS ClientHello with the ESNI extension to connect to servers behind Cloudflare's CDN, the connection is cut off after the whole TLS handshake is done, and that IP address is then blocked at the TCP level for several minutes.

    Encrypt it or lose it: how encrypted SNI works

    Today we announced support for encrypted SNI, an extension to the TLS 1.3 protocol that improves privacy of Internet users by preventing on-path observers, including ISPs, coffee shop owners and firewalls, from intercepting the TLS Server Name Indication (SNI) extension and using it to determine which websites users are visiting.
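As an added illustration (not code from any of the reports quoted above, nor from Cloudflare), the following Python model covers both points on this page: a ClientHello parser that shows what an on-path observer reads from the plaintext server_name extension that Cloudflare's post describes, and a filter that mimics the blocking behaviour in the first report: drop any ClientHello carrying the encrypted_server_name extension (codepoint 0xffce in the draft-ietf-tls-esni deployments) on any destination port, then drop every packet on the same (source IP, destination IP, destination port) 3-tuple until a timer expires. The ClientHello bytes, hostnames, addresses, clock and block duration are constructed for the example, and the ESNI extension body is an opaque placeholder rather than a real encrypted name.

```python
import struct
import time

# TLS extension codepoints: server_name from the IANA registry; 0xffce is the
# encrypted_server_name codepoint used by the draft-ietf-tls-esni deployments.
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE


def tls_extension(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type(2) || length(2) || body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname: str) -> bytes:
    """Plaintext server_name extension: a ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type = host_name(0)
    return tls_extension(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def esni_extension(opaque: bytes) -> bytes:
    """encrypted_server_name extension. A real one carries a cipher suite, key share,
    record digest and the encrypted name; the detector keys only on the type, so the
    body here is a constructed opaque blob (assumption, not a real ESNI payload)."""
    return tls_extension(EXT_ENCRYPTED_SERVER_NAME, opaque)


def build_client_hello(extensions: bytes) -> bytes:
    """Minimal TLS 1.3-style ClientHello wrapped in a handshake record (constructed)."""
    body = (
        b"\x03\x03"                     # legacy_version = TLS 1.2
        + b"\x11" * 32                  # random (constructed, fixed)
        + b"\x00"                       # legacy_session_id: empty
        + b"\x00\x02\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                   # legacy_compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': hostname or None, 'esni': bool} for a ClientHello record.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                         # legacy_version + random
    off += 1 + body[off]                                 # legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0] # cipher_suites
    off += 1 + body[off]                                 # legacy_compression_methods
    result = {"sni": None, "esni": False}
    if off + 2 > len(body):
        return result                                    # no extensions block at all
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if end > len(body):
        raise ValueError("extensions overflow the ClientHello")
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        edata = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True
        elif etype == EXT_SERVER_NAME and len(edata) >= 5:
            name_len = struct.unpack("!H", edata[3:5])[0]  # skip list len + name_type
            result["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
    return result


class EsniBlocker:
    """Model of the reported GFW behaviour: drop a ClientHello carrying ESNI on any
    destination port, then drop everything on that (src, dst, dport) 3-tuple until
    block_seconds have passed. The clock is injectable so the timeout can be tested."""

    def __init__(self, block_seconds: float, clock=time.monotonic):
        self.block_seconds = block_seconds
        self.clock = clock
        self.blocked = {}  # (src_ip, dst_ip, dst_port) -> expiry time

    def filter(self, src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> str:
        key, now = (src_ip, dst_ip, dst_port), self.clock()
        expiry = self.blocked.get(key)
        if expiry is not None:
            if now < expiry:
                return "drop"                 # residual 3-tuple block still active
            del self.blocked[key]
        try:
            info = parse_client_hello(payload)
        except ValueError:
            return "pass"                     # not a ClientHello: nothing to inspect
        if info["esni"]:
            self.blocked[key] = now + self.block_seconds
            return "drop"
        return "pass"
```

A real ESNI ClientHello also carries a plaintext server_name holding a cover name for the fronting provider, which is why the filter keys on the extension type rather than on the hostname. The model reflects only the first report's packet-level description; the second quoted report says the cut-off came after the handshake completed, which a per-ClientHello drop does not reproduce.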