uTLS for broker negotiation
The connection from the snowflake client to the broker server currently uses Go's net/http.DefaultTransport. That connection is optionally domain fronted, but the TLS handshake is easily fingerprintable as a Go handshake, which might trigger additional scrutiny in regimes where that kind of TLS inspection is possible and actionable.
This paper, though a bit out of date now (2019), references meek and even snowflake:
Snowflake is under active development, and its authors were aware of potential TLS fingerprintability issues. Indeed, we find that Snowflake (built from git master branch on April 17, 2018) generates a fingerprint that is close to, but not exactly the same as the default Golang TLS fingerprint. In particular, it diverges by including the NPN and ALPN extensions, and offers a different set of signature algorithms. As a result, this fingerprint is seen in fewer than 0.0008% of connections, making it susceptible to blocking.
The author of that paper, Sergey Frolov, maintains https://tlsfingerprint.io/ which is a list of the most popularly seen TLS fingerprints, and created https://github.com/refraction-networking/utls which is a library designed for creating TLS connections with various commonly witnessed TLS fingerprints.
There's a fork of that library, https://gitlab.com/yawning/utls, which seems to be used in obfs4's meeklite implementation, and it looks like @dcf implemented a version of that in https://gitweb.torproject.org/pluggable-transports/meek.git/tree/meek-client/utls.go which actually implements a RoundTripper. It seems as though actually using that library could be a relatively painless way to adopt utls for the broker negotiation.
@cohosh, @meskio and I discussed a little bit whether there would be a good way to identify whether snowflake is actually being identified and/or blocked due to TLS fingerprinting in the broker connection. I suggested that it seemed possible that higher connection error rates in China vs. other countries, as well as other protocols (such as meek) performing better than snowflake in China, could be indicative of TLS fingerprinting blocking, though that's not particularly solid.
I'm sure @dcf would have much more context and information on this area and the relative usefulness of utls on the broker negotiation, but I thought I should throw this out there/open this issue in case it can be of some help.
Related: #40014 (DTLS)
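The following is an added example, not code from Snowflake, meek or the uTLS library: it shows what a fingerprinter actually sees when the current broker connection is made. It uses only Go's standard library (uTLS is a third-party module and is left out), drives crypto/tls's client side over an in-memory pipe to capture the ClientHello it emits, and reduces that to the fields fingerprint databases key on: legacy version, cipher suite list, extension type list, and the ALPN names, which the paper quoted above singles out. The config (ServerName and the "h2"/"http/1.1" ALPN list net/http uses when HTTP/2 is enabled) and the function names are my own; the parser takes raw bytes, so a hello produced by a uTLS connection, or one pulled out of a pcap, can be fed through the same function to compare fingerprints.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"strings"
)

// Hello holds the ClientHello fields a fingerprinter keys on.
type Hello struct {
	Version      uint16   // legacy_version in the handshake body
	CipherSuites []uint16 // wire order
	Extensions   []uint16 // extension types, wire order
	ALPN         []string // names offered in the ALPN extension (type 16)
}

// CaptureClientHello drives crypto/tls's client side over an in-memory pipe and
// returns the first record it writes (the ClientHello); no network is touched.
func CaptureClientHello(cfg *tls.Config) ([]byte, error) {
	clientSide, serverSide := net.Pipe()
	defer serverSide.Close() // aborts the client's wait for a ServerHello
	go func() {
		_ = tls.Client(clientSide, cfg).Handshake() // fails once serverSide closes
		clientSide.Close()
	}()
	rec := make([]byte, 5) // record header: type(1) version(2) length(2)
	if _, err := io.ReadFull(serverSide, rec); err != nil || rec[0] != 0x16 {
		return nil, fmt.Errorf("no handshake record (%v)", err)
	}
	body := make([]byte, binary.BigEndian.Uint16(rec[3:]))
	_, err := io.ReadFull(serverSide, body)
	return append(rec, body...), err
}

// cursor is a bounds-checked reader with a sticky error: an over-read marks it
// bad, drains it and yields zeros, so the parser needs no per-field checks.
type cursor struct{ b []byte; bad bool }

func (c *cursor) take(n int) []byte {
	if c.bad || len(c.b) < n {
		c.bad, c.b = true, nil
		return make([]byte, n)
	}
	out := c.b[:n]
	c.b = c.b[n:]
	return out
}

func (c *cursor) u16() uint16   { return binary.BigEndian.Uint16(c.take(2)) }
func (c *cursor) vec8() *cursor  { return &cursor{b: c.take(int(c.take(1)[0]))} } // 1-byte length prefix
func (c *cursor) vec16() *cursor { return &cursor{b: c.take(int(c.u16()))} }      // 2-byte length prefix

// ParseClientHello decodes a record from CaptureClientHello (or a pcap) into a Hello.
func ParseClientHello(rec []byte) (*Hello, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 1 { // handshake record, handshake type 1
		return nil, fmt.Errorf("not a ClientHello record")
	}
	c := &cursor{b: rec[9:]} // past the 5-byte record and 4-byte handshake headers
	h := &Hello{Version: c.u16()}
	c.take(32) // client_random
	c.vec8()   // legacy_session_id
	for s := c.vec16(); len(s.b) >= 2; {
		h.CipherSuites = append(h.CipherSuites, s.u16())
	}
	c.vec8()          // compression_methods
	exts := c.vec16() // every modern client sends an extensions block
	for len(exts.b) >= 4 {
		typ, data := exts.u16(), exts.vec16()
		h.Extensions = append(h.Extensions, typ)
		if typ == 16 { // ALPN: length-prefixed list of length-prefixed names
			for l := data.vec16(); len(l.b) > 0; {
				h.ALPN = append(h.ALPN, string(l.vec8().b))
			}
		}
	}
	if c.bad || exts.bad {
		return nil, fmt.Errorf("malformed ClientHello")
	}
	return h, nil
}

// Fingerprint renders "version,ciphers,extensions" (decimal, '-' joined), the
// first three JA3 fields, dropping GREASE values (RFC 8701) as JA3 does.
func Fingerprint(h *Hello) string {
	join := func(vs []uint16) (out []string) {
		for _, v := range vs {
			if v&0x0f0f != 0x0a0a || v>>8 != v&0xff { // skip GREASE
				out = append(out, fmt.Sprint(v))
			}
		}
		return out
	}
	return fmt.Sprintf("%d,%s,%s", h.Version, strings.Join(join(h.CipherSuites), "-"), strings.Join(join(h.Extensions), "-"))
}
```

Calling CaptureClientHello with and without NextProtos set and comparing the two Fingerprint strings makes the paper's point concrete: the ALPN extension alone changes the fingerprint. GREASE filtering matters for the comparison side, because browser (and uTLS browser-imitating) hellos carry a randomised GREASE value in each list, which Go's own hello does not.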