What does HackerNews think of utls?

Fork of the Go standard TLS library, providing low-level access to the ClientHello for mimicry purposes.

Language: Go

#56 in Go
Fascinating, Filippo. We stayed silent on it at the time primarily because we were keeping a low profile particularly as more and more Chinese were using Lantern, but there was also back channel pressure through various contacts, to be honest related to the pending Cloudflare expansion in China.

There was also a prelude to all of this that I think made things stickier and bizarrely personal. Prince and I share a mutual friend who introduced us just a few weeks prior. Prince said he supported what we were doing, but asked that I not talk about it publicly, presumably because of the pending China deal. The problem was that literally moments after our friend had introduced us via email, and before he made that request, I had a call with the WSJ where I talked about precisely this. I did everything I could to walk back the article, but Prince didn't buy it and seemed to go ballistic over it. After the WSJ piece, we pulled back from talking more publicly in general.

Oh, I forgot! We also partly stayed silent because they didn't actually shut down what we were doing at all =). They matched the SNI to the Host header, sure, but they missed a little detail: we weren't using SNI. Hehe. Lantern worked for another six months or so, and then, through a similarly bizarre sequence of events, we essentially tipped them/you off to what was happening. We remained a customer throughout, and we're a customer to this day.

Either way, though, Cloudflare does great work, and everyone has their faults, so I'm generally sympathetic over the whole thing with the one caveat that I am truly unclear how much ultimately did relate to China, most clearly in terms of any public support for these internet freedom techniques.

Oh, and I've wanted you to work on Lantern forever btw. Oooh actually if you're not aware of it, the uTLS Go TLS fork is a hugely impactful project that's in widespread use (I would guess maybe 50 million monthly active users rely on it in censored regions via various projects) but needs updating - https://github.com/refraction-networking/utls

Oh, and if you think we were effective in China then, you should see what we're doing in Russia and especially Iran now!

Does this offer any control at the TLS level? I have been looking for alternate TLS stacks for Go, and the only one I really found was uTLS:

https://github.com/refraction-networking/utls

"The answer is sort of yes - browsers aren't magic! All the information browsers send to your backend is just HTTP requests. So if I copy all of the HTTP headers that my browser is sending, I think there's literally no way for the backend to tell that the request isn't sent by my browser and is actually being sent by a random Python program."

There is a way.^1 One might need to copy the static elements of the TLS Client Hello in addition to certain HTTP headers.

1. https://blog.squarelemon.com/tls-fingerprinting/

See, e.g., https://github.com/refraction-networking/utls

"problem 1: expiring session cookies

One big problem here is that I'm using my Google session cookie for authentication, so this script will stop working whenever my browser session expires.

That means that this approach wouldn't work for a long running program (I'd want to use a real API), but if I just need to quickly grab a little bit of data as a 1-time thing, it can work great!"

Sometimes Google keeps users logged in. For example, session cookies in Gmail will last for months or more. This makes it easy to check Gmail from the command line without a browser. It also means if someone steals a session cookie and the user never logs out, e.g., she closes the browser without logging out first,^2 then the thief can access the account for months, or longer.

2. Of course, it is also possible to log out and disable specific session cookies from the command line, without a browser.
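
The TLS-level signal the comment above points to, seen from the server side, as an added example that is not part of the original comment or of utls: two clients that could send byte-identical HTTP headers are still told apart by the static fields of their ClientHello. The fingerprint here is a simplified stand-in for JA3-style hashing; the client configurations, the `example.test` server name and the choice of hashed fields are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
)

// fingerprint hashes ClientHello fields that stay constant for a given TLS
// stack and configuration. Simplified: JA3 also covers the extension list.
func fingerprint(h *tls.ClientHelloInfo) string {
	s := fmt.Sprint(h.SupportedVersions, h.CipherSuites, h.SupportedCurves,
		h.SupportedPoints, h.SignatureSchemes, h.SupportedProtos)
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:8])
}

// observe feeds client's ClientHello to a server over an in-memory pipe and
// returns its fingerprint; the handshake is aborted there, so no certificate.
func observe(client *tls.Config) string {
	cConn, sConn := net.Pipe()
	defer sConn.Close()
	var fp string
	srv := tls.Server(sConn, &tls.Config{
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			fp = fingerprint(h)
			return nil, errors.New("fingerprint captured")
		},
	})
	go func() {
		tls.Client(cConn, client).Handshake() // fails on the server's alert
		cConn.Close()
	}()
	srv.Handshake() // error expected; fp is set by the callback above
	return fp
}

// Constructed configurations standing in for two different TLS stacks.
var (
	clientA = &tls.Config{ServerName: "example.test", NextProtos: []string{"h2", "http/1.1"}}
	clientB = &tls.Config{ServerName: "example.test", MaxVersion: tls.VersionTLS12}
)

func main() {
	fmt.Println("A:", observe(clientA), "B:", observe(clientB))
}
```

The value is stable across connections from the same configuration, so a backend can compare it against the fingerprints it normally sees from the browser named in the User-Agent header.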

https://news.ycombinator.com/item?id=28514998#28515629

> Cloudflare's bot protection mostly makes use of TLS fingerprinting, and thus pretty easy to bypass.

https://news.ycombinator.com/item?id=28251700 -> https://github.com/refraction-networking/utls

Disclaimer: haven't tried it.