authorNardi Ivan <nardi.ivan@gmail.com>2020-08-05 17:13:23 +0200
committerNardi Ivan <nardi.ivan@gmail.com>2020-08-05 17:13:23 +0200
commit79b89d286605635f15edfe3c21297aaa3b5f3acf (patch)
treee5640eed13e298de4d3ecbaf66587ac61cacdd80 /src/lib/protocols/tls.c
parent07d9fa7f96d50aea4a1d8ed40330afa7d4944151 (diff)
Add risk flag about suspicious ESNI usage
In a Client Hello, the presence of both SNI and ESNI may obfuscate the real domain of an HTTPS connection, fooling DPI engines and firewalls, similarly to Domain Fronting. Such a technique is reported in a presentation at DEF CON 28: "Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise". Full credit for the idea must go to the original author. At the moment, the only way to get the PDF presentation and related video is via https://forum.defcon.org/node/234492. Hopefully a direct link (and an example pcap) will be available soon.
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ec267ba5e..5cf2cac19 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1432,6 +1432,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
}
+ if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
+ flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ }
+
return(2 /* Client Certificate */);
} else {
#ifdef DEBUG_TLS
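Review bot: The added condition fires for every Client Hello that carries both a cleartext SNI and the ESNI extension, yet the ESNI drafts have clients send the config's public_name in the cleartext SNI right next to the encrypted one, so — if that is what encrypted_sni.esni records here — the flag would mark ordinary ESNI traffic as suspicious and not only the fronting case the commit targets. Nothing in the hunk explains that trade-off, so I would add a why-comment above the check, e.g. `/* Cleartext SNI alongside ESNI: the visible name may be a cover for the real, encrypted one (DEF CON 28, "Domain Fronting is Dead"). Heuristic only, not proof of fronting: ESNI clients legitimately send the public_name in SNI. */`. Because the encrypted name cannot be compared with the visible one, the flag is best documented as a hint for consumers to correlate with other signals rather than as a verdict. processClientServerHello begins and ends outside this hunk, so I cannot tell from here where encrypted_sni.esni is set or whether it is reset per flow.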