Add risk flag about suspicious ESNI usage

In a Client Hello, the presence of both SNI and ESNI may obfuscate the real domain of an HTTPS connection, fooling DPI engines and firewalls, similarly to Domain Fronting. Such technique is reported in a presentation at DEF CON 28: "Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise" Full credit for the idea must go the original author At the moment, the only way to get the pdf presention and related video is via https://forum.defcon.org/node/234492 Hopefully a direct link (and an example pcap) will be available soon
author: Nardi Ivan <nardi.ivan@gmail.com> 2020-08-05 17:13:23 +0200
committer: Nardi Ivan <nardi.ivan@gmail.com> 2020-08-05 17:13:23 +0200
commit: 79b89d286605635f15edfe3c21297aaa3b5f3acf (patch)
tree: e5640eed13e298de4d3ecbaf66587ac61cacdd80 /src/lib/ndpi_utils.c
parent: 07d9fa7f96d50aea4a1d8ed40330afa7d4944151 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 347e65d52..9fc5d2d7f 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1532,7 +1532,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
     
   case NDPI_SMB_INSECURE_VERSION:
     return("SMB Insecure Version");
-    
+
+  case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
+    return("TLS Suspicious ESNI Usage");
+
   default:
     snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
author	Nardi Ivan <nardi.ivan@gmail.com>	2020-08-05 17:13:23 +0200
committer	Nardi Ivan <nardi.ivan@gmail.com>	2020-08-05 17:13:23 +0200
commit	79b89d286605635f15edfe3c21297aaa3b5f3acf (patch)
tree	e5640eed13e298de4d3ecbaf66587ac61cacdd80 /src/lib/ndpi_utils.c
parent	07d9fa7f96d50aea4a1d8ed40330afa7d4944151 (diff)