
add in-country-validated Akamai SNIs (IR)#70

Closed
myleshorton wants to merge 1 commit into
mainfrom
fisk/akamai-snis-ir

Conversation

@myleshorton
Contributor

Summary

Adds 14 in-country-validated SNIs to the Akamai provider's masquerade pool. Source: Keith (Psiphon ops, 2026-05-24), based on aggregated client telemetry from Iran.

Akamai serves the same default cert (a248.e.akamai.net) regardless of incoming SNI, so these names are pure DPI cover — the inner Host header drives property routing as before. The Iranian domestic names (snapp.ir, varzesh3.com, aparat.com, bmi.ir, digikala.com) are particularly resilient cover — IR can't block these without breaking core domestic services.

SNIs added

Category            SNI
Python ecosystem    python.org, pypi.org, www.python.org, www.pypi.org, files.pythonhosted.org, registry.npmjs.org
US tech giants      google.com, www.google.com, go.microsoft.com
Iranian domestic    snapp.ir (ride-hailing), varzesh3.com (sports), aparat.com (video), bmi.ir (Bank Melli), digikala.com (e-commerce)

Consumer

radiance#488 extends AkamaiCandidates to consume SNIsForProvider(cfg, "akamai") and mix named SNIs alongside the existing bare-SNI strategy. Each Akamai IP gets:

  • 1 bare-SNI candidate (current strategy — confirmed dominant in IR telemetry)
  • Up to 3 named-SNI candidates drawn at random (without replacement) from the pool — DPI fallback for periods when bare gets blocked

Why entries have empty ipaddress

SNIsForProvider only consumes the Domain field. The empty ipaddress reflects that these are SNI-pool-only entries; the scanner pairs them with Akamai IPs discovered at probe time. The other path that uses ipaddress (CandidatesFromConfig via KnownSample > 0) is off by default in radiance's pool config.

Verification

Smoke test (radiance ./cmd/meek-client-smoke/) against the deployed meek server confirms named-SNI candidates round-trip end-to-end:

INFO got fronts count=3 first_ip=184.28.105.132 first_sni=a248.e.akamai.net
...
{
  "origin": "139.162.181.47"
}
✅ end-to-end meek client smoke test PASSED

🤖 Generated with Claude Code

Adds 14 SNIs to the akamai provider's masquerade pool. Source: Keith
(Psiphon ops, 2026-05-24), based on aggregated client telemetry from
Iran. These are SNIs that, when sent in the TLS ClientHello against
an Akamai edge, currently pass the censor's DPI fingerprinting in IR.

Akamai serves the same default cert (a248.e.akamai.net) regardless
of incoming SNI, so these names are pure DPI cover — the inner Host
header drives property routing as before.

  python.org           pypi.org             www.python.org
  www.pypi.org         files.pythonhosted.org    registry.npmjs.org
  google.com           www.google.com       go.microsoft.com
  snapp.ir             varzesh3.com         aparat.com
  bmi.ir               digikala.com

The Iranian domestic names (snapp.ir, varzesh3.com, aparat.com,
bmi.ir, digikala.com) are particularly resilient cover — IR can't
block these without breaking core domestic services.

Consumed by radiance/fronted/scanner via SNIsForProvider(cfg,
"akamai"), which feeds AkamaiCandidates (radiance#488) to mix named
SNIs alongside the existing bare-SNI strategy. Entries use empty
ipaddress because they are SNI-pool-only: the scanner pairs them
with discovered Akamai IPs at probe time. CandidatesFromConfig
(KnownSample > 0) is the only path that would use the ipaddress, and
the default sampling has KnownSample = 0.
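The candidate mixing described under "Consumer" and the SNI-pool-only entries described under "Why entries have empty ipaddress", as an added Go example that is not code from this PR, from getlantern/fronted or from radiance. The Masquerade and Candidate types, the function names SNIPool, AkamaiCandidates and FrontConfig, the inner host name fronted-property.example and the way the certificate chain is verified against the default name a248.e.akamai.net instead of the cover SNI are all assumptions made for illustration; the SNIs and the edge IP 184.28.105.132 are taken from the PR text.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/rand"
	"net/http"
)

// Masquerade is an assumed stand-in for one entry of a provider's masquerade
// pool (not the project's own type). SNI-pool-only entries carry a Domain and
// an empty IPAddress, as the entries added by this PR do.
type Masquerade struct {
	Domain    string
	IPAddress string
}

// Candidate is one probe target: an Akamai edge IP and the SNI to send in the
// ClientHello. SNI == "" is the bare-SNI strategy (no server_name extension).
type Candidate struct {
	IP  string
	SNI string
}

// SNIPool reads only the Domain field, which is why IPAddress may stay empty:
// nothing on this path ever looks at it.
func SNIPool(pool []Masquerade) []string {
	var out []string
	for _, m := range pool {
		if m.Domain != "" {
			out = append(out, m.Domain)
		}
	}
	return out
}

// AkamaiCandidates builds, for each discovered edge IP, one bare-SNI
// candidate followed by up to maxNamed named-SNI candidates drawn at random
// without replacement (a prefix of a random permutation of the pool). The
// bare candidate comes first so the dominant strategy is tried first and the
// named ones act as the DPI fallback.
func AkamaiCandidates(ips, pool []string, maxNamed int, rng *rand.Rand) []Candidate {
	var out []Candidate
	for _, ip := range ips {
		out = append(out, Candidate{IP: ip})
		n := maxNamed
		if n > len(pool) {
			n = len(pool) // a small pool yields fewer named candidates, never repeats
		}
		for _, idx := range rng.Perm(len(pool))[:n] {
			out = append(out, Candidate{IP: ip, SNI: pool[idx]})
		}
	}
	return out
}

// FrontConfig keeps the two layers apart: the outer TLS ServerName is the
// cover SNI, the inner HTTP Host names the real property. Since the edge
// returns its default certificate whatever SNI it receives, the chain is
// verified against defaultCertName instead of c.SNI (assumed verification
// strategy for this example; Go would otherwise check c.SNI and fail).
func FrontConfig(c Candidate, innerHost, defaultCertName string) (*tls.Config, *http.Request, error) {
	cfg := &tls.Config{
		ServerName:         c.SNI, // "" sends no server_name extension
		InsecureSkipVerify: true,  // disables only the built-in check against c.SNI
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return fmt.Errorf("no peer certificate")
			}
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			inter := x509.NewCertPool()
			for _, b := range raw[1:] {
				ic, err := x509.ParseCertificate(b)
				if err != nil {
					return err
				}
				inter.AddCert(ic)
			}
			// Roots nil = system roots; DNSName pins the expected default name.
			_, err = leaf.Verify(x509.VerifyOptions{DNSName: defaultCertName, Intermediates: inter})
			return err
		},
	}
	req, err := http.NewRequest(http.MethodGet, "https://"+c.IP+"/", nil)
	if err != nil {
		return nil, nil, err
	}
	req.Host = innerHost // property routing happens here, not on the SNI
	return cfg, req, nil
}

func main() {
	// Constructed sample: a few of the PR's SNIs as SNI-pool-only entries,
	// plus one edge IP taken from the smoke-test output.
	pool := []Masquerade{{Domain: "pypi.org"}, {Domain: "snapp.ir"}, {Domain: "google.com"}, {Domain: "aparat.com"}}
	cands := AkamaiCandidates([]string{"184.28.105.132"}, SNIPool(pool), 3, rand.New(rand.NewSource(1)))
	for _, c := range cands {
		fmt.Printf("%s sni=%q\n", c.IP, c.SNI)
	}
	cfg, req, _ := FrontConfig(cands[1], "fronted-property.example", "a248.e.akamai.net")
	fmt.Printf("outer ServerName=%q inner Host=%q\n", cfg.ServerName, req.Host)
}
```

The check worth keeping from this is the last one: because every SNI in the pool is answered with the a248.e.akamai.net certificate, a client that verifies the chain against the cover SNI will reject every named-SNI candidate, so the verification target has to be the provider's default name, not the masquerade.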
Copilot AI review requested due to automatic review settings May 25, 2026 23:12

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@myleshorton
Contributor Author

Closing — landed on the correct repo at getlantern/domainfront. getlantern/fronted is deprecated; the kindling path uses domainfront for fronted config now.
