Фильтр TLS на домены youtube

zhenyolka · September 16, 2021, 2:02pm

Раз уже понятна схема блокировки, остался один вопрос: зачем так геморно и с таким паттерно? Почему нельзя просто заблочить по SNI? Или это специально для андроид клиента?

ValdikSS · September 16, 2021, 2:03pm

Right now it seems like a TLS Fingerprinting to block an Android application which uses www.youtube.com as a domain fronting (wild guess: Navalny Android/iOS app?).

darkk · September 16, 2021, 2:06pm

Seems, NewPipe’s fingerprint is quite unique. https://tlsfingerprint.io/ does not parse Client Hello from aforementioned pcaps as known fingerprint that was already observed in the campus traffic.

zhenyolka · September 16, 2021, 2:11pm

Its really useless to block NewPipe. Best candidate to block is Google’s Youtube app. Can it be something like tests or preparations for whole youtube block?

darkk · September 16, 2021, 2:36pm

I have no iOS devices, but Navalny’s app (ver. 2.0, one from Google Play Market) gives a different fingerprint on my Android:

Fingerprints https://tlsfingerprint.io/id/f0b2b996867b6380 and https://tlsfingerprint.io/id/f278257cdf4a43aa seem to be related, cetpmhjmdf-vizskfsved.global.ssl.fastly.net is Navalny-related domain (see https://archive.md/xgT57 for archived content).

ValdikSS · September 16, 2021, 2:43pm

They use okhttp3 library with ConnectionSpec.MODERN_TLS.cipherSuites() and 2 additional ones click

// This will try to enable all modern CipherSuites(+2 more)
// that are supported on the device.
// Necessary because some servers (e.g. Framatube.org)
// don't support the old cipher suites.
// https://github.com/square/okhttp/issues/4053#issuecomment-402579554
final List<CipherSuite> cipherSuites =
        new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites());
cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
final ConnectionSpec legacyTLS = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
        .build();

builder.connectionSpecs(Arrays.asList(legacyTLS, ConnectionSpec.CLEARTEXT));

UPD

UPD: no, they use this cipher set only in this exact case, but in general they have a common okhttp3 cipher list (without 3DES, it is probably filtered by the tls library): okhttp/okhttp/src/main/java/okhttp3/ConnectionSpec.java at 06644bb0507873e9a3b89d9107da537f1b140e91 · square/okhttp · GitHub

ValdikSS · September 16, 2021, 3:28pm

I’ve made a small modification in NewPipe by replacing TLS_RSA_WITH_AES_256_CBC_SHA with TLS_RSA_WITH_AES_128_CBC_SHA in the library cipher list, and the application is now working again.

github.com/TeamNewPipe/NewPipe

NewPipe can't load anything

opened 08:54PM - 15 Sep 21 UTC

azat11

### Checklist - [x] I am using the latest version - 0.21.9 - [x] I checked, but didn't find any duplicates (open OR closed) of this issue in the repo. - [x] I have read the contribution guidelines given at https://github.com/TeamNewPipe/NewPipe/blob/HEAD/.github/CONTRIBUTING.md. - [x] This issue contains only one bug. I will open one issue for every bug report I want to file. ### Steps to reproduce the bug  1. Open app 2. Try to search or open anything from history, and it's loading endlessly ### Actual behavior Nothing loads. Tried reinstalling, nothing changes. ### Expected behavior Everytrhing should load. ### Screenshots/Screen recordings https://ibb.co/d29FXVt ### Logs ## Exception * __User Action:__ searched * __Request:__ lemmino * __Content Country:__ US * __Content Language:__ en-US * __App Language:__ en_US * __Service:__ YouTube * __Version:__ 0.21.9 * __OS:__ Linux Android 6.0.1 - 23 <details><summary><b>Crash log </b></summary><p> ``` java.net.ConnectException: Failed to connect to www.youtube.com/2a00:1450:4010:c05::c6:443 at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:249) at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167) at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258) at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135) at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114) at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257) at okhttp3.RealCall.execute(RealCall.java:93) at org.schabi.newpipe.DownloaderImpl.execute(DownloaderImpl.java:264) at org.schabi.newpipe.extractor.downloader.Downloader.post(Downloader.java:131) at org.schabi.newpipe.extractor.downloader.Downloader.post(Downloader.java:114) at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.areHardcodedClientVersionAndKeyValid(YoutubeParsingHelper.java:342) at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.getClientVersion(YoutubeParsingHelper.java:429) at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.prepareDesktopJsonBuilder(YoutubeParsingHelper.java:814) at org.schabi.newpipe.extractor.services.youtube.extractors.YoutubeSearchExtractor.onFetchPage(YoutubeSearchExtractor.java:73) at org.schabi.newpipe.extractor.Extractor.fetchPage(Extractor.java:54) at org.schabi.newpipe.extractor.search.SearchInfo.getInfo(SearchInfo.java:29) at org.schabi.newpipe.util.ExtractorHelper.lambda$searchFor$0(ExtractorHelper.java:81) at org.schabi.newpipe.util.-$$Lambda$ExtractorHelper$qyxpuXgomWa-cbONQns-pd7zxm0.call(lambda) at io.reactivex.rxjava3.internal.operators.single.SingleFromCallable.subscribeActual(SingleFromCallable.java:43) at io.reactivex.rxjava3.core.Single.subscribe(Single.java:4813) at io.reactivex.rxjava3.internal.operators.single.SingleSubscribeOn$SubscribeOnObserver.run(SingleSubscribeOn.java:89) at io.reactivex.rxjava3.core.Scheduler$DisposeTask.run(Scheduler.java:614) at io.reactivex.rxjava3.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:65) at io.reactivex.rxjava3.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:56) at java.util.concurrent.FutureTask.run(FutureTask.java:237) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588) at java.lang.Thread.run(Thread.java:818) Caused by: java.net.ConnectException: failed to connect to www.youtube.com/2a00:1450:4010:c05::c6 (port 443) after 10000ms: isConnected failed: ENETUNREACH (Network is unreachable) at libcore.io.IoBridge.isConnected(IoBridge.java:234) at libcore.io.IoBridge.connectErrno(IoBridge.java:171) at libcore.io.IoBridge.connect(IoBridge.java:122) at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:183) at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:452) at java.net.Socket.connect(Socket.java:884) at okhttp3.internal.platform.AndroidPlatform.connectSocket(AndroidPlatform.java:73) at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:247) ... 39 more Caused by: android.system.ErrnoException: isConnected failed: ENETUNREACH (Network is unreachable) at libcore.io.IoBridge.isConnected(IoBridge.java:223) ... 46 more ``` </details> <hr> ### Device info - Android version/Custom ROM version: CyanogenMod 13.1 - Device model: OnePlus One

Alex01d · September 16, 2021, 3:32pm

SmartTubeNext тоже перестал работать, по крайней мере, с теле2.

ValdikSS · September 16, 2021, 3:47pm

UPD: no, they use this cipher set only in this exact case, but in general they have a common okhttp3 cipher list (without 3DES, it is probably filtered by the tls library): okhttp/okhttp/src/main/java/okhttp3/ConnectionSpec.java at 06644bb0507873e9a3b89d9107da537f1b140e91 · square/okhttp · GitHub

So they block HTTPS requests to www.youtube.com via okhttp library.

ValdikSS · September 16, 2021, 3:54pm

Hint: this block could be circumvented by changing SNI case. wWw.youtube.com works.
Hint: other domains, such as docs.google.com, are not blocked with this TLS fingerprint.

ValdikSS · September 18, 2021, 6:53pm

Фильтр убран. Что это такое было — непонятно, у меня нет даже предположений.

zhenyolka · September 18, 2021, 7:48pm

Я тут на днях поизучал последнюю версию приложения Навальный. Okhttp обнаружить не смог. Более того, оно максимуи, что пытается сделать, так это обратится к DnS.GooGle и, вроде как, не использует домены youtube. Блокировки пытается обойти через newnode, а это битторенты и прочие данные по udp протоколу. Соответственно, эта приложуха тут не причем.
При всем при этом, очевидно, это не случайный фильтр и для чего-то он тестировался. Осталось понять, зачем? Другой вопрос, что фильтр убрали, когда гугл согласился сотрудничать и удалить видео с канала Навального, только причем тут newpipe, который, так и так, мало кто использует, а те, кто используют, знают про VPN?

ValdikSS · September 18, 2021, 8:08pm

У меня два предположения, высосанных из пальца:

Проводилась демонстрация возможности блокировки конкретной программы, а не сервиса: «Смотрите, в браузере работает, в официальной программе работает, а в NewPipe — не работает».
Перепутали NewNode и NewPipe.

tango · September 18, 2021, 9:17pm

I had a quick look at an APK I found at https://www.apkmonk.com/download-app/com.navalny.blog/4_com.navalny.blog_2021-08-15.apk/ (version 2.0, dated 2021-08-14).

There are many references to “OkHttp” in the code. I see okhttp3. which matches the major version reported earlier; however there is also okhttp/4.6.0. (Well, looking at the changelog, it seems these numbers do not have to match and okhttp3 is the correct package name even for later versions.)
In the disassembled code (smali/s/k.smali), there is a list of 4 strings:
```
{"dns.google", "1.1.1.1", "1.0.0.1", "doh.opendns.com"}
```
The string youtube does not appear.

$ apktool d com.navalny.blog_2021-08-15.apk
$ cd com.navalny.blog_2021-08-15

$ grep -ir okhttp
smali/io/ktor/client/engine/okhttp/OkHttpEngineContainer.smali:.class public final Lio/ktor/client/engine/okhttp/OkHttpEngineContainer;
smali/io/ktor/client/engine/okhttp/OkHttpEngineContainer.smali:    const-string v0, "OkHttp"
smali/n/b/k/a.smali:    const-string v4, "OkHttp"
smali/o/y.smali:    const-string v0, "null cannot be cast to non-null type kotlin.collections.List<okhttp3.Interceptor?>"
smali/o/y.smali:    const-string v1, "okHttpClient"
smali/o/i0/c.smali:    const-string v2, "OkHttpClient::class.java.name"
smali/o/i0/c.smali:    const-string v2, "okhttp3."
smali/o/i0/h/e.smali:    sget-object v2, Lokhttp3/internal/publicsuffix/PublicSuffixDatabase;->d:Lokhttp3/internal/publicsuffix/PublicSuffixDatabase$a;
smali/o/i0/h/e.smali:    sget-object v2, Lokhttp3/internal/publicsuffix/PublicSuffixDatabase;->c:Lokhttp3/internal/publicsuffix/PublicSuffixDatabase;
smali/o/i0/h/e.smali:    invoke-virtual {v2, v5}, Lokhttp3/internal/publicsuffix/PublicSuffixDatabase;->a(Ljava/lang/String;)Ljava/lang/String;
smali/o/i0/h/a.smali:    const-string v11, "okhttp/4.6.0"
... many more ...

$ grep -ir -F -A 32 dns.google
smali/s/k.smali:    const-string v7, "dns.google"
smali/s/k.smali-
smali/s/k.smali-    invoke-direct {v6, v7, v4}, Li/g;-><init>(Ljava/lang/String;Lb/a/a/e;)V
smali/s/k.smali-
smali/s/k.smali-    aput-object v6, v5, v21
smali/s/k.smali-
smali/s/k.smali-    new-instance v6, Li/g;
smali/s/k.smali-
smali/s/k.smali-    const-string v7, "1.1.1.1"
smali/s/k.smali-
smali/s/k.smali-    invoke-direct {v6, v7, v4}, Li/g;-><init>(Ljava/lang/String;Lb/a/a/e;)V
smali/s/k.smali-
smali/s/k.smali-    aput-object v6, v5, v20
smali/s/k.smali-
smali/s/k.smali-    new-instance v6, Li/g;
smali/s/k.smali-
smali/s/k.smali-    const-string v7, "1.0.0.1"
smali/s/k.smali-
smali/s/k.smali-    invoke-direct {v6, v7, v4}, Li/g;-><init>(Ljava/lang/String;Lb/a/a/e;)V
smali/s/k.smali-
smali/s/k.smali-    const/4 v7, 0x2
smali/s/k.smali-
smali/s/k.smali-    aput-object v6, v5, v7
smali/s/k.smali-
smali/s/k.smali-    new-instance v6, Li/g;
smali/s/k.smali-
smali/s/k.smali-    const-string v7, "doh.opendns.com"
smali/s/k.smali-
smali/s/k.smali-    invoke-direct {v6, v7, v4}, Li/g;-><init>(Ljava/lang/String;Lb/a/a/e;)V
smali/s/k.smali-
smali/s/k.smali-    const/4 v4, 0x3
smali/s/k.smali-
smali/s/k.smali-    aput-object v6, v5, v4

$ grep -ir youtube

ValdikSS · September 18, 2021, 9:34pm

The filter was configured for SNI check. It wasn’t IP-bound.
I also edited SNI in the captured packet to docs.google.com, and it was delivered successfully. Haven’t tried other SNIs.

Neko · September 19, 2021, 12:33am

Проблема с NewPipe встречалась мне только один раз.

Регулярно встречаю ошибки буферизации при воспроизведении Ютуба с помощью mpv + youtube-dl со следующими ошибками в командной строке:

    ffmpeg: tls: Error in the pull function.
    ffmpeg: https: Will reconnect at 262144 in 0 second(s), error=Input/output error.

Получается, ffmpeg тоже блокируют.

Dredd · September 19, 2021, 4:34am

А патченная версия NewPipe от ValdikSS’a не пишет ли куда-либо обширные логи ? Смущает слово"debug" в названии. Отладка в данном вопросе дело конечно нужное, но для меня этот фикс проблему решил и хотелось бы обойтись без лишних логов, которые будут захламлять память.

darkk · September 24, 2021, 9:56pm

The APK at GitHub claims to be v2.2 and it mentions www.youtube.com. But the TLS fingerprint of the traffic produced by that APK is slightly different from NewPipe’s fingerprint as well. I take NewPipe’s fingerprint from the aforeposted pcaps.

v2.2 from apkmonk also mentions youtube, but the binary differs from GitHub release.

tango · September 25, 2021, 6:10pm

Thanks, great find. I confirm that I find “www.youtube.com” in the 2.2 APK.

smali/s/k.smali:    const-string v11, "www.youtube.com"

Also, the list of DNS resolver names removes “1.1.1.1”.

{"dns.google", "1.0.0.1", "doh.opendns.com"}

v2.2 from apkmonk also mentions youtube, but the binary differs from GitHub release.

For me, the two binaries are the same.

$ sha256sum *.apk
58913378ea52b6effa28117f201ae73f4ae473fd2aa965627f7b1c07b4350c20  androidApp-release-69_2-2.apk
58913378ea52b6effa28117f201ae73f4ae473fd2aa965627f7b1c07b4350c20  com.navalny.blog_2021-09-14.apk

darkk · September 25, 2021, 9:45pm

Indeed, my bad. Seems, I’ve confused the apk from apkmonk with the v2.2 apk from apkcombo.com having sha256 3a2dc36dcaac20e8d52ac91b6290508a3c3209dc4bd81f91b86924304122c699.