Domain fronting/hiding

Hi there!
I received a report that my proxied site can be used to bypass some barriers by using a different HTTP Host header than the SNI, as in the picture:

This is the technique known as domain hiding/fronting:

In a domain-fronted HTTPS request, one domain appears on the "outside" of an HTTPS request in plain text (in the DNS request and the SNI extension), which is what the client wants to pretend it is targeting during connection establishment and is the one visible to censors, while a different domain appears on the "inside" (in the HTTP Host header, invisible to the censor under HTTPS encryption), which is the actual target of the connection.
From ZDNet: DEF CON: New tool brings back 'domain fronting' as 'domain hiding'

How can I block these types of requests? Is there a simple configuration?

Thanks in advance!
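As an added illustration of the mechanism described in the question (example code written for this page, not from the original poster or from Cloudflare), the following Python shows both sides of it: a client that puts one name in the TLS ClientHello (SNI) and another in the HTTP Host header, and the comparison a TLS-terminating server would have to make to refuse such a request. The hostnames example.com and fronted.example are placeholders; only the network function touches the network, the checks run offline.

```python
# Added example (not from the original thread): how a domain-fronted request is
# assembled on the client, and the check a TLS-terminating server needs in order
# to refuse it. example.com / fronted.example are placeholder names.
import socket
import ssl
from typing import Optional


def build_request(host: str, path: str = "/") -> bytes:
    """Plain HTTP/1.1 request. Only the Host header names the 'inside' domain;
    the 'outside' name lives in the TLS ClientHello (SNI), not in this text."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def fronted_request(sni: str, host: str, path: str = "/", port: int = 443,
                    timeout: float = 10.0) -> bytes:
    """Connect to `sni`, present `sni` in the ClientHello, then ask for `host`.

    A censor, ISP or zero-rating filter that keys on DNS/SNI sees only `sni`;
    a proxy that routes on the (encrypted) Host header serves `host` instead.
    Performs real network I/O; the offline checks below never call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((sni, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_request(host, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def parse_host(request: bytes) -> Optional[str]:
    """Return the Host header value of a raw HTTP/1.x request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def canonical_host(name: str) -> str:
    """Normalise a hostname for comparison: drop :port, trailing dot and case.
    An IPv6 literal such as [::1]:443 keeps its brackets, minus the port."""
    name = name.strip()
    if name.startswith("["):
        end = name.find("]")
        if end != -1:
            name = name[: end + 1]
    elif name.count(":") == 1:
        name = name.split(":", 1)[0]
    return name.rstrip(".").lower()


def host_matches_sni(sni: str, host: str) -> bool:
    return canonical_host(sni) == canonical_host(host)


def should_reject(sni: Optional[str], request: bytes) -> bool:
    """Server-side rule: reject when SNI is missing, Host is missing, or the
    two disagree. This must run where TLS is terminated (in nginx the SNI is
    exposed as $ssl_server_name); an origin behind a reverse proxy never sees
    the client's SNI and so cannot perform this check itself."""
    host = parse_host(request)
    if not sni or host is None:
        return True
    return not host_matches_sni(sni, host)


if __name__ == "__main__":
    # Constructed inputs: an honest request and a fronted one against the same SNI.
    print(should_reject("example.com", build_request("example.com")))      # False
    print(should_reject("example.com", build_request("fronted.example")))  # True
```

Two caveats for anyone applying the check: over HTTP/2 the inside name is carried in the :authority pseudo-header rather than a Host header, so the comparison has to be made against that; and because the SNI value exists only at the TLS endpoint, a site whose TLS is terminated by a CDN or proxy can only get this enforcement from that proxy, not from its own origin.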

Install a deep packet inspection tool on your end users' desktops, such as Cloudflare WARP or Zscaler, and apply HTTPS policies to block sites you don't wish for them to visit.

Thank you for your response, but that's not a solution for me because I don't have access to the clients.
The problem is that anyone with internet access can do that on my domain and I do not want that.

You don't want visitors to your website if a country such as China or an ISP chooses to block your website for its users?

You’d need to “upgrade” to a certificate which doesn’t support SNI to block the type of requests you are asking about. It’s not a security risk or attack vector for your website though so personally I wouldn’t bother.

Thanks for the reply, still investigating that solution to change the certificate.
But it's kind of my problem. Let's say I have a deal with a telecom that does zero-rating for my site; with this trick you can access any site with zero-rating, and that's the problem. The zero-rating is based on the SNI of the request.
Is there a product from Cloudflare that guarantees the request is going to my site?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.