[Cryptography] Apple's iCloud+ "VPN"
Christian Huitema
huitema at huitema.net
Fri Jun 25 00:07:10 EDT 2021
On 6/24/2021 3:26 PM, Jeremy Stanley wrote:
> On 2021-06-24 15:14:39 -0700 (-0700), Christian Huitema wrote:
> [...]
>> Can users evade that by running their own DNS resolvers? Maybe,
>> but they had better be smart about it because ISPs could also
>> block port 53, the same way they blocked home SMTP servers on port
>> 25.
> Users can also get around it the old-fashioned way. In the days
> before DNS we just copied a hosts file from machine to machine in
> order to share which addresses corresponded to which systems. That
> was abandoned because the list got too long and was a pain to keep
> centrally updated, but if all you need to augment your name
> resolution is a handful of entries, that's pretty trivial for people
> to distribute. Update mechanisms could easily be baked into tools
> built on top of popular P2P file sharing networks to get around
> governments shutting down some specific site hosting the index.
Cat, meet mouse. Mole, meet whack. I am not as optimistic as you are.
Distribute lists of IP addresses, and see them blocked. Use TLS, and see
blocking by SNI. Maybe using ESNI might work, if users can obtain the
ESNI data without passing through the DNS filters. In fact, it might be
possible to refashion the "host file" approach, and instead pass an
"ESNI file", containing the public facing name behind which hosts are
hiding, and the corresponding public keys.
-- Christian Huitema