diff options
| author | Nardi Ivan <nardi.ivan@gmail.com> | 2020-08-05 17:13:23 +0200 |
|---|---|---|
| committer | Nardi Ivan <nardi.ivan@gmail.com> | 2020-08-05 17:13:23 +0200 |
| commit | 79b89d286605635f15edfe3c21297aaa3b5f3acf (patch) | |
| tree | e5640eed13e298de4d3ecbaf66587ac61cacdd80 /src | |
| parent | 07d9fa7f96d50aea4a1d8ed40330afa7d4944151 (diff) | |
Add risk flag about suspicious ESNI usage
In a Client Hello, the presence of both SNI and ESNI may obfuscate the real
domain of an HTTPS connection, fooling DPI engines and firewalls, similarly
to Domain Fronting.
Such technique is reported in a presentation at DEF CON 28:
"Domain Fronting is Dead, Long Live Domain Fronting: Using TLS 1.3 to evade
censors, bypass network defenses, and blend in with the noise"
Full credit for the idea must go the original author
At the moment, the only way to get the pdf presention and related video is via
https://forum.defcon.org/node/234492
Hopefully a direct link (and an example pcap) will be available soon
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 5 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 5 |
3 files changed, 10 insertions, 1 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 66fac35af..53d143327 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -79,6 +79,7 @@ typedef enum { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_SMB_INSECURE_VERSION, + NDPI_TLS_SUSPICIOUS_ESNI_USAGE, /* Leave this as last member */ NDPI_MAX_RISK diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 347e65d52..9fc5d2d7f 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1532,7 +1532,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_SMB_INSECURE_VERSION: return("SMB Insecure Version"); - + + case NDPI_TLS_SUSPICIOUS_ESNI_USAGE: + return("TLS Suspicious ESNI Usage"); + default: snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index ec267ba5e..5cf2cac19 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1432,6 +1432,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS); } + if(flow->protos.stun_ssl.ssl.encrypted_sni.esni && + flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') { + NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); + } + return(2 /* Client Certificate */); } else { #ifdef DEBUG_TLS |