Cloudflare TLS fingerprinting #63

Open
Barre opened this issue Jan 12, 2023 · 8 comments

Owner

Barre commented Jan 12, 2023

> I have the same experience with other websites managed by Cloudflare. I can't open the pages as long as the proxy is enabled.
> For example:
> https://www.cloudflare.com/
> https://community.cloudflare.com
> https://chat.openai.com
> The request for "Checking if the site connection is secure" is never completed.

Originally posted by @gitze in #62 (comment)

Barre changed the title from "I have the same experience with other websites managed by Cloudflare. I can't open the pages as long as the proxy is enabled." to "Cloudflare TLS fingerpriting" on Jan 12, 2023
Owner Author

Barre commented Jan 12, 2023

@gitze I opened a new issue as what you experience is pretty different. Cloudflare uses TLS fingerprinting as part of their "bot detection" feature.

Privaxy's TLS fingerprint is not matching your browser user agent TLS fingerprint, which breaks Cloudflare. They'd have the same issue with some non-transparent corporate proxies and several security products, which in essence are behaving the same way as Privaxy does.

It would be possible to make Privaxy match common browsers' fingerprints. Still, it would add a lot of complexity, be a maintenance burden and force Privaxy to switch to openssl instead of rustls, which is an idea I'm not fond of.

The correct way of fixing this would be for Cloudflare to whitelist Privaxy. I don't think they'd do that, as anyone using the same technical stack as Privaxy would then be able to very easily bypass their bot detection.

They have a form for this here: https://forms.gle/dT9muX2aYRqFokkc8
I will still try that and post results here if I get any reply.

For now, as a workaround, you can add websites you cannot access to Privaxy's "exclusions". When a website is "excluded", it's transparently tunnelled.

Barre changed the title from "Cloudflare TLS fingerpriting" to "Cloudflare TLS fingerprinting" on Jan 12, 2023
@maxcountryman

> It would be possible to make Privaxy match common browsers' fingerprints. Still, it would add a lot of complexity, be a maintenance burden and force Privaxy to switch to openssl instead of rustls, which is an idea I'm not fond of.

Can you go into a little more detail? It sounds like rustls simply doesn't support this at the moment?

I'm also curious, would it be possible to forward the client's user agent without requiring much maintenance overhead? I realize for the above reason that may be a moot point, but I wonder if that would be easier than trying to maintain a list of such things.

Owner Author

Barre commented Jan 14, 2023

> > It would be possible to make Privaxy match common browsers' fingerprints. Still, it would add a lot of complexity, be a maintenance burden and force Privaxy to switch to openssl instead of rustls, which is an idea I'm not fond of.

> Can you go into a little more detail? It sounds like rustls simply doesn't support this at the moment?

It's more that openssl supports more primitives and, in general, would be more flexible for this kind of thing. Rustls is designed to have fewer to no foot guns.

> I'm also curious, would it be possible to forward the client's user agent without requiring much maintenance overhead? I realize for the above reason that may be a moot point, but I wonder if that would be easier than trying to maintain a list of such things.

Privaxy does not change the user agent of requests. Privaxy's TLS fingerprint is not matching a known "good" TLS fingerprint + user-agent pair on Cloudflare's side.
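
Added example, not part of the original thread and not Privaxy's or Cloudflare's code: a JA3-style fingerprint computed from raw ClientHello bytes, showing why a proxy that forwards the browser's User-Agent unchanged but opens its own TLS connection fails a fingerprint + user-agent allowlist. JA3 is assumed here as one public fingerprinting scheme (the thread does not say which scheme Cloudflare uses), and the ClientHello bytes, `ExampleBrowser` and `KNOWN_GOOD` are constructed placeholders.

```python
import hashlib
import struct

def is_grease(v):  # RFC 8701 reserved values 0x0a0a, 0x1a1a, ... 0xfafa; JA3 skips them
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def u16_list(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf) if not is_grease(v)]

def ja3(hello):
    """Return (ja3_string, md5_hex) for a ClientHello body (bytes after the handshake header)."""
    version = struct.unpack_from("!H", hello, 0)[0]
    pos = 34                                  # legacy_version (2) + random (32)
    pos += 1 + hello[pos]                     # session_id
    n = struct.unpack_from("!H", hello, pos)[0]
    ciphers = u16_list(hello[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + hello[pos] + 2                 # compression_methods, then 2-byte extensions length
    exts, groups, formats = [], [], []
    while pos + 4 <= len(hello):              # extensions run to the end of the body
        etype, elen = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if is_grease(etype):
            continue
        exts.append(etype)
        if etype == 10:                       # supported_groups
            groups = u16_list(data[2:])
        elif etype == 11:                     # ec_point_formats
            formats = list(data[1:])
    s = ",".join([str(version)] + ["-".join(map(str, x)) for x in (ciphers, exts, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def build_hello(ciphers, exts):
    """Constructed sample ClientHello body; exts is an ordered list of (type, data)."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    ex = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ex)) + ex)

GROUPS = (10, b"\x00\x04\x00\x1d\x00\x17")    # x25519, secp256r1
FORMATS = (11, b"\x01\x00")                   # uncompressed
# Constructed stand-ins, not real client fingerprints: a "browser" stack and a "proxy" stack.
BROWSER = build_hello([0x1A1A, 0x1301, 0x1302, 0xC02B], [(0x2A2A, b""), (23, b""), GROUPS, FORMATS])
PROXY = build_hello([0x1302, 0x1301, 0xC02B], [GROUPS, (23, b""), FORMATS])
KNOWN_GOOD = {"ExampleBrowser": {ja3(BROWSER)[1]}}   # hypothetical fingerprint + UA allowlist

def check(ua_family, hello):
    return "match" if ja3(hello)[1] in KNOWN_GOOD.get(ua_family, set()) else "mismatch"
```

The two constructed hellos offer the same cipher suites and extensions, yet `check("ExampleBrowser", PROXY)` returns `"mismatch"` because JA3 is order-sensitive; only the GREASE values are ignored.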

@GunGunGun

> The correct way of fixing this would be for Cloudflare to whitelist Privaxy.

But no way Cloudflare would do that, because Python didn't get that treatment and still gets bot blocked, so it's better to parrot popular browser fingerprints like this app TLS-Client: https://github.com/FlorianREGAZ/Python-Tls-Client


GunGunGun commented Aug 14, 2023

> It would be possible to make Privaxy match common browsers' fingerprints. Still, it would add a lot of complexity, be a maintenance burden and force Privaxy to switch to openssl instead of rustls, which is an idea I'm not fond of.

I actually want to say something about OpenSSL: OpenSSL is even harder to make that happen imo. I tried to fake a TLS fingerprint with OpenSSL in Python and failed miserably; it can't change a lot of things about extensions and elliptic curves, so it's impossible to mimic a real browser fingerprint anyway. Go actually has the best weapon to do that tho, it's: https://github.com/bogdanfinn/tls-client

Just letting you know so you don't waste your time with it. Rather stick with rustls.


brian6932 commented Aug 14, 2023

^yep, openssl can't do it, know this firsthand.
your best bet is to either do it yourself with something like rustls, or use boringssl, which definitely simplifies what you have to do, since that's chromium's tls handling right there.
https://github.com/gssvv/rust-boring-ssl-client


ajayyy commented Aug 27, 2023

https://github.com/lwthiker/curl-impersonate has been very useful for this in my experience


labac-p commented Oct 16, 2023

👀 any update here
