Why can’t they use raw HTTP vs HTTPS and use an encrypted payload? That handles the SNI front as they outlined as the detection mechanism hindering them. I’m sure there’s more to it because this seems pretty basic, but curious the reason why this was ruled out.
> That occurred to me too. But HTTP/1.1 requires a Host: header.
Yes, but that’s easily forgeable as long as the servers in between allow it.
> It also brings a problem of key distribution.
Not really, you can still do chain of trust SSL validation on a payload in the body of HTTP as you could to encrypt the entire HTTP connection as in the case of HTTPS.
The issue here isn't that the content can be read, it's that oppressive regimes can censor content from apps like Signal completely. It's a question of hiding the source/destination, not the contents.
1) they already said they can rotate IPs just by using a cloud service
2) I have to assume they aren’t relying on traditional dns alone because that’s the first thing countries like the UAE filter on, so if dns blocking was an issue, they’d be dead before domain fronting would be needed.
3) the mechanism claimed for detection now is TLS SNI. So my point is remove that part and secure contents otherwise thus moving the cat and mouse game further!
