hufrea/byedpi

:warning: Full stream desync support will soon be required!

Opened this issue · 4 comments

Since yesterday (for me, at least) DPI has started to randomly block ALL SSL/TLS traffic to googlevideo.com:
Wireshark image
Very soon this change will be the default (multi-packet Client Hello analysis was rolled out like that before) and this proxy will be defeated!

TLS 1.2 has been in the TSPU collection since August; use TLS 1.3 instead.

You're missing my point:

  1. RTFM:

    In TLS 1.3, the client indicates its version preferences in the "supported_versions" extension (Section 4.2.1) and the legacy_version field MUST be set to 0x0303, which is the version number for TLS 1.2. TLS 1.3 ClientHellos are identified as having a legacy_version of 0x0303 and a supported_versions extension present with 0x0304 as the highest version indicated therein.

    But I have an old version of Wireshark, so it doesn't know of TLS 1.3;

  2. TLS 1.3 is the default version in all modern browsers;

  3. In fact, according to my tests, for googlevideo.com it currently blocks ALL SSL/TLS versions: SSL 3.0 - TLS 1.3 (I didn't check SSL 2.0), without even checking the SNI!;

  4. The point:
    All connections you see in the screenshot are to googlevideo.com, with the bypass applied! Connections from (random) ports 10733-34 successfully passed through, but the one from port 10737 was blocked!
    The first TLS data packet is the Client Hello. As you can see, the connection was blocked AFTER the Client Hello, on Change Cipher Spec, because no bypass is applied to it!

You can dislike me as much as you want until it stops working. There are other people already seeing issues with video preload.
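The RFC 8446 rule quoted in point 1 is easy to check by hand. The following is an added example written for this page, not byedpi code and not the reporter's capture: it builds constructed ClientHello records (the helper names `build_client_hello` and `classify_record` are mine), applies the legacy_version / supported_versions rule to decide the real protocol version, and also recognises a Change Cipher Spec record, the record type on which the reporter says the connection was cut. It additionally drops GREASE values (RFC 8701, e.g. 0x0a0a) from supported_versions before picking the highest version, which real browser hellos make necessary; that handling is my addition and is not discussed in the thread.

```python
"""Classify TLS records by the RFC 8446 section 4.1.2 rule quoted in the thread.

Added example, not byedpi code. All input bytes are constructed here,
not taken from the reporter's Wireshark capture.
"""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SUPPORTED_VERSIONS = 43

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}


def build_client_hello(legacy_version, supported_versions=None):
    """Build a minimal ClientHello record (constructed sample input, not a real capture)."""
    body = struct.pack("!H", legacy_version)
    body += bytes(32)                                   # random (zeros for the example)
    body += b"\x00"                                     # legacy_session_id: empty
    body += struct.pack("!H", 2) + b"\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers            # one-byte length prefix, then u16 versions
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is 0x0301 in most real ClientHellos; it is not the negotiated version.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


# A Change Cipher Spec record: type 20, version, length 1, body 0x01 (constructed).
CHANGE_CIPHER_SPEC_RECORD = bytes([CONTENT_CHANGE_CIPHER_SPEC, 0x03, 0x03, 0x00, 0x01, 0x01])


def classify_record(record):
    """Return the record's content type and, for a ClientHello, the real protocol version."""
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte header")
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    if ctype == CONTENT_CHANGE_CIPHER_SPEC:
        return {"content_type": "change_cipher_spec", "version": None, "version_name": None}
    if ctype != CONTENT_HANDSHAKE or len(payload) < 4 or payload[0] != HANDSHAKE_CLIENT_HELLO:
        return {"content_type": "other", "version": None, "version_name": None}

    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]   # what an old Wireshark displays as "TLS 1.2"
    pos = 2 + 32                                        # skip random
    pos += 1 + body[pos]                                # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + body[pos]                                # skip compression_methods

    supported = []
    if pos + 2 <= len(body):                            # the extensions block is optional before 1.3
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]

    # RFC 8446 4.1.2: a TLS 1.3 ClientHello has legacy_version 0x0303 and a supported_versions
    # extension with 0x0304 as the highest version. GREASE values (e.g. 0x0a0a) are also
    # listed there by real clients, so only versions we recognise are compared.
    known = [v for v in supported if v in VERSION_NAMES]
    version = max(known) if known else legacy_version
    return {
        "content_type": "client_hello",
        "legacy_version": legacy_version,
        "supported_versions": supported,
        "version": version,
        "version_name": VERSION_NAMES.get(version, hex(version)),
    }


if __name__ == "__main__":
    # The sequence the reporter describes: a ClientHello followed by a Change Cipher Spec record.
    for rec in (build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303]), CHANGE_CIPHER_SPEC_RECORD):
        print(classify_record(rec))
```

Running it shows why the old Wireshark in the report labels a modern hello as TLS 1.2: the only version field it knows, legacy_version, is 0x0303 by requirement, and the real answer sits in extension 43. The second record classifies as change_cipher_spec, which is exactly the packet the reporter says is the first one a ClientHello-only desync leaves untouched.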

> But I have an old version of Wireshark, so it doesn't know of TLS 1.3;

Why didn't you specify these details in the first post?

Because I just wanted to warn people as soon as possible and didn't want to spend much time on this report.
In general, I expect developers to be at least on the same level of competence as their users. I also expect people to either believe the original statement or prove it wrong.

Also, when you say that you have something old, the general answer is "update and test again because we don't want to even do the testing"...