惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
F
Full Disclosure
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
有赞技术团队
有赞技术团队
J
Java Code Geeks
博客园 - 【当耐特】
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
L
LINUX DO - 最新话题
T
Threatpost
S
SegmentFault 最新的问题
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
C
Cyber Attacks, Cyber Crime and Cyber Security
Google DeepMind News
Google DeepMind News
Know Your Adversary
Know Your Adversary
S
Schneier on Security
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
G
GRAHAM CLULEY
Latest news
Latest news
P
Privacy International News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
Scott Helme
Scott Helme
L
Lohrmann on Cybersecurity
T
The Exploit Database - CXSecurity.com
Security Latest
Security Latest
G
Google Developers Blog
L
LangChain Blog
MyScale Blog
MyScale Blog
Project Zero
Project Zero
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
大猫的无限游戏
大猫的无限游戏
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
阮一峰的网络日志
阮一峰的网络日志
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
SecWiki News
SecWiki News
T
Tor Project blog
C
Check Point Blog
Google Online Security Blog
Google Online Security Blog
GbyAI
GbyAI
The Last Watchdog
The Last Watchdog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Why Your HTTPS Traffic Still Gets Blocked (and How DPI Evasion Works)
Alan West · 2026-04-25 · via DEV Community

You've set up your development environment, configured your proxy, everything is running over HTTPS — and your traffic still gets dropped. No error message, no timeout, just... nothing. If you've ever worked behind a restrictive corporate firewall or tried to reach package registries from a locked-down network, you know this pain.

The culprit is usually Deep Packet Inspection (DPI), and understanding how it works will save you hours of debugging.

The Problem: HTTPS Isn't as Opaque as You Think

Here's the thing most developers don't realize: even though HTTPS encrypts your payload, there's metadata leaking everywhere. The biggest offender is the SNI (Server Name Indication) field in the TLS handshake. SNI is sent in plaintext before encryption is established, which means any middlebox sitting on the network can read exactly which domain you're connecting to.

# Simplified TLS handshake — notice SNI is plaintext
Client → Server: ClientHello
  - SNI: api.npmjs.org        ← visible to any network observer
  - Supported cipher suites
  - TLS version

Server → Client: ServerHello
  - Selected cipher suite
  - Certificate
  # Encrypted tunnel established AFTER this point

Enter fullscreen mode Exit fullscreen mode

DPI appliances exploit this. They inspect the SNI field, match it against blocklists, and drop the connection before TLS even completes. Your payload is encrypted, sure — but the destination is announced in the clear.

Other metadata that DPI can use:

  • DNS queries (unless you're using DoH/DoT)
  • Packet sizes and timing patterns (traffic fingerprinting)
  • TLS certificate fingerprints (JA3/JA4 hashing)
  • IP address reputation from threat intelligence feeds

Root Cause: How DPI Actually Inspects Your Connections

DPI doesn't just look at IP headers. Modern DPI engines reconstruct entire TCP streams and apply pattern matching at the application layer. Here's a rough breakdown of what happens:

  1. Layer 3/4 inspection: Source/destination IP, port numbers, protocol detection
  2. TLS fingerprinting: The ClientHello message has a unique structure per application — cipher suites, extensions, and their ordering create a fingerprint (this is what JA3 hashing captures)
  3. SNI matching: Domain-level blocking without needing to decrypt anything
  4. Statistical analysis: Machine learning models that classify traffic patterns even when the content is encrypted

The key insight is that encryption protects content, not metadata. And metadata is often enough to block you.

The Domain Fronting Technique

Domain fronting is a technique that exploits a gap between the SNI field and the HTTP Host header. It works like this:

import ssl
import socket

# The SNI shows a high-reputation domain (e.g., a CDN)
context = ssl.create_default_context()
conn = context.wrap_socket(
    socket.socket(),
    server_hostname="cdn.googleapis.com"  # SNI: looks legitimate to DPI
)
conn.connect(("cdn.googleapis.com", 443))

# But the HTTP Host header points to the actual destination
request = (
    "GET / HTTP/1.1\r\n"
    "Host: your-actual-backend.example.com\r\n"  # real destination, inside encrypted tunnel
    "\r\n"
)
conn.send(request.encode())

Enter fullscreen mode Exit fullscreen mode

The DPI appliance sees traffic going to cdn.googleapis.com — a major CDN it can't afford to block. But inside the encrypted tunnel, the Host header routes the request to a completely different backend. The CDN (or shared infrastructure) forwards the request based on the Host header.

This technique gained attention when it was used as a censorship circumvention method. Most major cloud providers have since patched this by validating that SNI and Host headers match, but the concept illustrates something important about how layered protocols can create inspection gaps.

HTTP Tunneling Through Serverless Functions

A more modern approach uses serverless platforms as relay points. The idea: deploy a lightweight function on a trusted cloud platform, then route your traffic through it. The project MasterHttpRelayVPN on GitHub demonstrates this pattern using Google Apps Script as the relay layer.

The architecture looks roughly like this:

┌──────────┐    HTTPS     ┌──────────────────┐    HTTPS     ┌─────────────┐
│  Client  │ ──────────►  │  Google Apps      │ ──────────►  │ Destination │
│  (local  │  SNI:        │  Script (relay)   │              │  Server     │
│  proxy)  │  script.     │                   │              │             │
│          │  google.com  │  Forwards request │              │             │
└──────────┘              └──────────────────┘              └─────────────┘
     ▲                                                            │
     └────────────────── Response relayed back ───────────────────┘

Enter fullscreen mode Exit fullscreen mode

From the network's perspective, all traffic goes to script.google.com — a Google domain that virtually no firewall blocks. The serverless function acts as a proxy, forwarding requests to the actual destination and relaying responses back.

This approach supports both HTTP and SOCKS5 proxy protocols, and can multiplex multiple streams over a single connection using HTTP/2 framing. The multiplexing is critical for performance — without it, each proxied request would need its own round-trip through the relay.

The MITM TLS Consideration

To proxy HTTPS traffic through this kind of relay, the local proxy component needs to terminate TLS locally. This means it generates certificates on the fly for each destination domain, signed by a local CA that the client trusts. This is the same technique that tools like mitmproxy, Charles Proxy, and corporate SSL inspection appliances use.

# Generate a local CA (same concept used by mitmproxy, Charles, etc.)
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 365 \
    -subj "/CN=Local Development CA"

# The local proxy uses this CA to sign per-domain certificates
# so it can decrypt, relay through the tunnel, and re-encrypt

Enter fullscreen mode Exit fullscreen mode

This is standard practice for debugging tools but comes with obvious security implications. You're trusting the local proxy with all your decrypted traffic. Only use this pattern with tools you've audited, and never install a third-party root CA on a machine you use for anything sensitive.

DPI Evasion Techniques Worth Understanding

Beyond domain fronting, there are several techniques that DPI evasion tools use. Understanding them helps you debug why traffic behaves differently across networks:

  • TLS record fragmentation: Splitting the ClientHello across multiple TCP segments so pattern-matching engines fail to reassemble it
  • TCP segmentation tricks: Sending the SNI field split across packet boundaries
  • Padding and timing manipulation: Altering packet sizes and inter-arrival times to defeat statistical classifiers
  • ECH (Encrypted Client Hello): The proper, standards-track solution — encrypts the SNI field using a key published in DNS. This is the "right" way to solve the problem, and it's gaining browser support

What You Should Actually Do

If you're dealing with restrictive networks in a development context, here's the practical advice:

  1. Start with ECH: If your target servers support it and your client stack is recent enough, Encrypted Client Hello solves the SNI leak problem at the protocol level. Check the Cloudflare ECH docs for the current state of support.

  2. Use DoH/DoT for DNS: Tools like dnscrypt-proxy or systemd-resolved with DoT prevent DNS-level blocking. This is the lowest-hanging fruit.

  3. WireGuard or SSH tunnels: For development access, a simple WireGuard tunnel to a cloud VM is far more reliable and secure than HTTP relay tricks. It's also easier to audit.

  4. Understand your network's policies: If you're on a corporate network, talk to your IT team. Most of the time, they can allowlist the domains you need for development tools.

  5. Reserve relay techniques for when you need them: HTTP relay approaches through serverless platforms are clever, but they add latency, complexity, and a trust dependency on the relay code. Use them as a last resort, not a first choice.

Prevention: Building Applications That Handle Restrictive Networks

If you're building tools that developers use, design for hostile network conditions:

  • Support HTTP proxy configuration via environment variables (HTTP_PROXY, HTTPS_PROXY)
  • Implement connection fallback — try direct, then proxy, then alternative ports
  • Use standard ports (443) for all traffic. Non-standard ports are blocked by default on most managed networks
  • Support certificate pinning bypass for development environments (with clear warnings)
  • Log connection failures with enough detail to diagnose DPI interference

The networking stack between your code and the internet is more complex than most developers realize. Understanding how DPI works, why HTTPS doesn't hide everything, and what techniques exist to work around network restrictions will save you from those mysterious "it works on my machine but not on the office network" debugging sessions.