In order to make it easier to deal with the blocking of domain fronting domains that is being observed in Iran, Russia, and possibly China, a script was written to automate the screening of domain names for domain fronting.
The following domain name was evaluated to be potentially usable for domain fronting. We should try to reduce sole reliance on cdn.sstatic.net with a fronting domain rotation system to reduce the chance that any of them get blocked.
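As an added illustration (this is not the screening script the issue refers to, nor Snowflake project code), the Go program below does the two things the description asks for. It screens a candidate front by opening a TLS connection whose SNI and certificate check use the candidate's name while the HTTP Host header names the hidden target, and it picks one front at random from the pool that passed, which is the rotation idea above. All host names in it (example.com, hidden.example, cdn.example.net, other.example) are placeholders, and the CDN edge is simulated with an httptest server so it runs offline; against real candidates you would hand Screen a plain http.Client instead of the one NewFakeCDN builds.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"math/rand"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe is one candidate front to test. Front goes into the URL, so it becomes
// the TLS SNI and the name the certificate is checked against; Target is the
// real host we want the CDN to route to, sent only in the HTTP Host header,
// which a censor watching the TLS handshake cannot see.
type Probe struct {
	Front  string
	Target string
	Path   string
}

// Result is the outcome of probing one front.
type Result struct {
	Front  string
	Status int
	Err    error
}

// Usable reports whether the CDN served the hidden Host (a 2xx). A handshake
// error, a 4xx from the edge, or a timeout all mean the front does not work.
func (r Result) Usable() bool {
	return r.Err == nil && r.Status >= 200 && r.Status < 300
}

// ProbeFront issues one fronted request: connect and handshake to p.Front,
// but ask for p.Target in the Host header.
func ProbeFront(client *http.Client, p Probe) Result {
	req, err := http.NewRequest(http.MethodGet, "https://"+p.Front+p.Path, nil)
	if err != nil {
		return Result{Front: p.Front, Err: err}
	}
	req.Host = p.Target // Host header only; SNI stays p.Front
	resp, err := client.Do(req)
	if err != nil {
		return Result{Front: p.Front, Err: err}
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return Result{Front: p.Front, Status: resp.StatusCode}
}

// Screen probes every candidate and returns the results in input order.
func Screen(client *http.Client, probes []Probe) []Result {
	out := make([]Result, 0, len(probes))
	for _, p := range probes {
		out = append(out, ProbeFront(client, p))
	}
	return out
}

// UsableFronts keeps only the fronts that served the hidden target.
func UsableFronts(results []Result) []string {
	var fronts []string
	for _, r := range results {
		if r.Usable() {
			fronts = append(fronts, r.Front)
		}
	}
	return fronts
}

// PickFront chooses a front from the pool for each new connection, so repeated
// connections rarely carry the same suspect SNI. Returns "" for an empty pool.
func PickFront(pool []string, rng *rand.Rand) string {
	if len(pool) == 0 {
		return ""
	}
	return pool[rng.Intn(len(pool))]
}

// NewFakeCDN stands in for a real CDN edge so the screening runs offline. It
// answers only for the hidden Host "hidden.example" and returns 404 for any
// other Host, as an edge that refuses to front would. Every probe is dialed to
// this server whatever the front name; its test certificate is valid for
// "example.com", so that front passes the handshake and any other name fails
// certificate verification. (Constructed stand-in, not a real CDN.)
func NewFakeCDN() (*http.Client, func()) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Host == "hidden.example" {
			io.WriteString(w, "fronted ok")
			return
		}
		http.Error(w, "unknown host", http.StatusNotFound)
	}))
	tr := srv.Client().Transport.(*http.Transport).Clone()
	addr := srv.Listener.Addr().String()
	tr.DialContext = func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, addr)
	}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, srv.Close
}

func main() {
	client, closeCDN := NewFakeCDN()
	defer closeCDN()
	// Constructed candidate pool; only example.com matches the fake CDN's cert.
	probes := []Probe{
		{Front: "example.com", Target: "hidden.example", Path: "/"},
		{Front: "example.com", Target: "other.example", Path: "/"},
		{Front: "cdn.example.net", Target: "hidden.example", Path: "/"},
	}
	results := Screen(client, probes)
	for _, r := range results {
		fmt.Printf("%-16s usable=%-5v status=%d err=%v\n", r.Front, r.Usable(), r.Status, r.Err)
	}
	pool := UsableFronts(results)
	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
	fmt.Println("next connection fronts via:", PickFront(pool, rng))
}
```

The three probes show the three outcomes a screening run has to distinguish: the edge serves the hidden Host (usable), the edge answers but refuses that Host (4xx, not usable), and the handshake itself fails because the front's certificate does not cover the name (error, not usable). A real screening run should also repeat each probe a few times and from more than one vantage point, since a CDN may front from some edges and not others.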
Roger Dingledine changed title from Automated Testing Script for Protential Domain Fronting Domains to Automated Testing Script for Potential Domain Fronting Domains
One feature of choosing randomly from a pool each time is that we would (most of the time) get around the two-connections-to-the-same-suspect-SNI filtering attack we talked about recently. Even a pool of five or ten addresses would be enough to help most of the time.
One drawback of choosing randomly from a pool each time is that we produce an even clearer signature of "Snowflake trying to domain front" -- in the past you could maybe plausibly think you were trying to reach stackexchange's page, but fewer people will reach for the combination of cdn pages. But that said, I suspect we are already very much on the losing side of this signature arms race currently, since we reach only the cdn site, talk to it only a little bit, then launch a webrtc connection, had previously connected to one of a handful of stun servers, etc. That is, tl;dr if we wanted to do better against signatures we have a lot more work to do, starting with some research questions.
In summary, I think the idea of choosing randomly from a pool each time is a net win.