nanog mailing list archives

Misblock (via SNI) of obscura.net on various ISPs


From: Carl Dong via NANOG <nanog () lists nanog org>
Date: Wed, 28 May 2025 18:49:28 -0700

Our (Obscura’s) users are reporting that obscura.net and subdomains are being blocked. See end of message for why we 
think it’s SNI-based.

They’ve observed this on at least Spectrum, Comcast, and United Airlines (whatever their upstream is).

We are losing users as I write this, which is why I’m asking (read: pleading) for NANOG’s help.

On Spectrum, the user notes that they see from their Spectrum portal that “Secure Browsing” was the culprit. 
Specifically, they see that pkgs.obscura.net is blocked with the following detail:

Secure Browsing prevents you from visiting potentially harmful websites. These may include sites that spread malware 
or use phishing attacks to steal your data. When a website is blocked, you may see the Security Shield icon appear on 
your browser.

We are a new VPN service, and definitely not a phishing site. More details: 
https://obscura.net/blog/bootstrapping-trust/

We’d love any help in any and all of the below:

1. If you operate an ISP, especially Spectrum or Comcast, please unblock us.
2. If you know how I can get into contact with Spectrum or Comcast and not have to wait for 5 business days, we’d love to know.
3. It seems like we were put on some kind of list, if you have suspicions for what list that could be, we'd love to know.
4. If you have any ideas for how we could resolve this ASAP, we’re open to any and all suggestions. We’re already looking into getting rid of SNI and using http3 for even our API calls, and will aim to deploy a hotfix soon.

–Carl Dong


On a technical level, this seems to be SNI-blocking, see the following curl outputs.

DNS resolved correctly, but TLS problems:

    curl --verbose --insecure --location 'https://v1.api.prod.obscura.net/api/ping'

    * Host v1.api.prod.obscura.net:443 was resolved.
    * IPv6: (none)
    * IPv4: 66.42.95.12
    *   Trying 66.42.95.12:443...
    * Connected to v1.api.prod.obscura.net (66.42.95.12) port 443
    * ALPN: curl offers h2,http/1.1
    * (304) (OUT), TLS handshake, Client hello (1):
    * LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
    * Closing connection
    curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

This one is essentially doing an SNI spoof, and succeeds:

    curl --connect-to 'google.com::66.42.95.12:' -H "Host: v1.api.prod.obscura.net" --verbose --insecure --location 'https://google.com/api/ping'

    * Connecting to hostname: 66.42.95.12
    *   Trying 66.42.95.12:443...
    * Connected to 66.42.95.12 (66.42.95.12) port 443
    * ALPN: curl offers h2,http/1.1
    * (304) (OUT), TLS handshake, Client hello (1):
    * (304) (IN), TLS handshake, Server hello (2):
    * (304) (IN), TLS handshake, Unknown (8):
    * (304) (IN), TLS handshake, Certificate (11):
    * (304) (IN), TLS handshake, CERT verify (15):
    * (304) (IN), TLS handshake, Finished (20):
    * (304) (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
    * ALPN: server accepted h2
    * Server certificate:
    *  subject: CN=v1.api.prod.obscura.net
    *  start date: May  4 22:38:20 2025 GMT
    *  expire date: Aug  2 22:38:19 2025 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=E6
    *  SSL certificate verify ok.
    * using HTTP/2
    * [HTTP/2] [1] OPENED stream for https://google.com/api/ping
    * [HTTP/2] [1] [:method: GET]
    * [HTTP/2] [1] [:scheme: https]
    * [HTTP/2] [1] [:authority: v1.api.prod.obscura.net]
    * [HTTP/2] [1] [:path: /api/ping]
    * [HTTP/2] [1] [user-agent: curl/8.7.1]
    * [HTTP/2] [1] [accept: */*]
    > GET /api/ping HTTP/2
    > Host: v1.api.prod.obscura.net
    > User-Agent: curl/8.7.1
    > Accept: */*
    > * Request completely sent off
    < HTTP/2 200
    < date: Wed, 28 May 2025 23:50:28 GMT
    < content-type: application/json
    < content-length: 67
    < vary: origin, access-control-request-method, access-control-request-headers
    < access-control-allow-origin: *
    < strict-transport-security: max-age=63072000
    <
    * Connection #0 to host 66.42.95.12 left intact
    {"env":"prod","version":"3a91af31b3b75b6fd8d8acfefb53d812e601749e"}
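The two curl runs above can be folded into one differential probe. The script below is an added example written for this archive note, not Obscura's or NANOG's code. It reuses the hostname, IP and decoy name quoted in the post, performs only the TLS handshake (enough to see ClientHello-stage interference like the alert in the first run, and no HTTP request is sent), verifies the chain against the system CA store while skipping only the hostname check (stricter than curl --insecure), and reduces the two handshakes to a verdict. The verdict labels and the helper names are this example's own naming, not anything defined on the page.

```python
"""Differential SNI probe: handshake to one IP twice, once with the real
server name and once with a decoy, and classify the pair of outcomes.
Added example; constants below are the values quoted in the post."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

TARGET_HOST = "v1.api.prod.obscura.net"   # hostname from the post
TARGET_IP = "66.42.95.12"                 # address the post resolved it to
DECOY_SNI = "google.com"                  # decoy name used in the post's --connect-to run


@dataclass
class ProbeResult:
    sni: str
    ok: bool
    error: Optional[str] = None
    cert_names: Tuple[str, ...] = ()   # DNS SANs of the leaf cert, if the handshake completed


def san_matches(cert_names, hostname):
    """True if hostname is covered by one of the DNS SANs (exact, or a single
    leftmost-label wildcard such as *.api.prod.obscura.net)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True
    return False


def probe(ip, sni, timeout=5.0):
    """TLS handshake to ip:443 presenting `sni` in the ClientHello. The chain is
    verified against the system CA store, but the hostname check is skipped so a
    decoy SNI can still complete and we can read which names the cert carries."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert() or {}
                names = tuple(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
                return ProbeResult(sni=sni, ok=True, cert_names=names)
    except OSError as exc:   # ssl.SSLError and socket.timeout are both OSError subclasses
        return ProbeResult(sni=sni, ok=False, error=str(exc))


def classify(real, decoy, real_host=TARGET_HOST):
    """Combine the real-SNI and decoy-SNI probes into a verdict string."""
    if real.ok and decoy.ok:
        return "no_block"
    if not real.ok and not decoy.ok:
        return "tcp_or_ip_block"          # the path itself is down or filtered by address
    if not real.ok and decoy.ok and san_matches(decoy.cert_names, real_host):
        return "sni_block_likely"         # same IP serves the real cert; only the true name is rejected
    if not real.ok and decoy.ok:
        return "inconclusive"             # decoy worked, but the cert does not name the real host
    return "sni_required_by_server"       # real works, decoy refused: server behaviour, not filtering


if __name__ == "__main__":
    real = probe(TARGET_IP, TARGET_HOST)
    decoy = probe(TARGET_IP, DECOY_SNI)
    for r in (real, decoy):
        print(f"SNI={r.sni:28s} ok={r.ok} err={r.error} san={r.cert_names}")
    print("verdict:", classify(real, decoy))
```

Run it from the affected network and from a known-good one and compare verdicts; a `sni_block_likely` result on one access network and `no_block` on another is the pattern the post describes, and is worth attaching to a ticket with the ISP together with the raw `error` strings.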
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HAFATLJQDBTQANYKK27DCHJHOENVPADJ/