Is there a better moat/snowflake SNI than cdn.sstatic.net?
(@cohosh asked me to file this ticket after a bit of discussion)
In Tor Browser, we launch Snowflake with
    snowflake-client \
      -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ \
      -front cdn.sstatic.net \
      -ice [...]
That cdn.sstatic.net is the SNI that we write on the outside of the TLS connection to fastly. That is, Tor Browser Snowflake users try to look like people reaching for a piece of stackexchange, when they reach out to the broker to ask for a connect-back.
Similarly, for Moat, in about:config we see
extensions.torlauncher.bridgedb_front : cdn.sstatic.net
So Tor Browser users who are fetching a new set of bridges inside Tor Browser also look like people reaching for a piece of stackexchange.
(a) Is this site a particularly robust example in the context of collateral freedom? Are there better ones we might pick? Should we add some variety? Or maybe variety just makes for an even more unusual fingerprint?
(b) We should probably set up some sort of automation to make sure stackexchange stays on fastly, since if they leave, our Snowflake and Moat will suddenly and strangely break.
(c) We should also be aware that these connections aren't "invisible" -- making a connection out of the blue to a piece of stackexchange, but not to other pieces of it, is a recognizable signature if people on the local network are looking for it.
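One way to automate the check proposed in (b), as an added example that is not part of the original ticket or any Tor Project code: resolve the front domain and confirm every address falls inside the ranges Fastly publishes. The use of Fastly's public IP list endpoint and its JSON field names, the function names and the sample data are assumptions of this example.

```python
import ipaddress
import json
import socket
import urllib.request

FRONT = "cdn.sstatic.net"  # front domain from the ticket
FASTLY_IP_LIST = "https://api.fastly.com/public-ip-list"  # assumed source of ranges


def fetch_fastly_networks(url=FASTLY_IP_LIST):
    """Download the published IPv4/IPv6 ranges as ip_network objects."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        data = json.load(resp)
    cidrs = data.get("addresses", []) + data.get("ipv6_addresses", [])
    return [ipaddress.ip_network(c) for c in cidrs]


def resolve(host):
    """Return the set of addresses the host currently resolves to."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_front(addresses, networks):
    """Split resolved addresses into those inside and outside the CDN ranges."""
    inside, outside = [], []
    for addr in sorted(addresses):
        ip = ipaddress.ip_address(addr)
        (inside if any(ip in net for net in networks) else outside).append(addr)
    # Healthy only if the name resolves and every address is in a CDN range.
    return {"ok": bool(inside) and not outside, "inside": inside, "outside": outside}


# Constructed sample data (documentation ranges, not real Fastly ranges).
SAMPLE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("2001:db8::/32")]
SAMPLE_ON_CDN = {"192.0.2.10", "2001:db8::1"}
SAMPLE_MOVED = {"192.0.2.10", "198.51.100.7"}

if __name__ == "__main__":
    result = check_front(resolve(FRONT), fetch_fastly_networks())
    print(FRONT, "still on Fastly" if result["ok"] else "NOT fully on Fastly", result)
    raise SystemExit(0 if result["ok"] else 1)
```

Run from cron or CI, the non-zero exit status can drive an alert. The check only shows where the front is hosted; it does not prove that a fronted request to the broker still succeeds.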