
Our (Obscura’s) users are reporting that obscura.net and subdomains are being blocked. See end of message for why we think it’s SNI-based. They’ve observed this on at least Spectrum, Comcast, and United Airlines (whatever their upstream is). We are losing users as I write this, which is why I’m asking (read: pleading) for NANOG’s help. On Spectrum, the user notes that they see from their Spectrum portal that “Secure Browsing” was the culprit. Specifically, they see that pkgs.obscura.net is blocked with the following detail:
Secure Browsing prevents you from visiting potentially harmful websites. These may include sites that spread malware or use phishing attacks to steal your data. When a website is blocked, you may see the Security Shield icon appear on your browser.
We are a new VPN service, and definitely not a phishing site. More details: https://obscura.net/blog/bootstrapping-trust/

We’d love any help in any and all of the below:

1. If you operate an ISP, especially Spectrum or Comcast, please unblock us.
2. If you know how I can get into contact with Spectrum or Comcast and not have to wait for 5 business days, we’d love to know.
3. It seems like we were put on some kind of list, if you have suspicions for what list that could be, we'd love to know.
4. If you have any ideas for how we could resolve this ASAP, we’re open to any and all suggestions.

We’re already looking into getting rid of SNI and using http3 for even our API calls, and will aim to deploy a hotfix soon.

–Carl Dong

On a technical level, this seems to be SNI-blocking, see the following curl outputs.

DNS resolved correctly, but TLS problems:

    curl --verbose --insecure --location 'https://v1.api.prod.obscura.net/api/ping'
    * Host v1.api.prod.obscura.net:443 was resolved.
    * IPv6: (none)
    * IPv4: 66.42.95.12
    *   Trying 66.42.95.12:443...
    * Connected to v1.api.prod.obscura.net (66.42.95.12) port 443
    * ALPN: curl offers h2,http/1.1
    * (304) (OUT), TLS handshake, Client hello (1):
    * LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
    * Closing connection
    curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

This one is essentially doing an SNI spoof, and succeeds:

    curl --connect-to 'google.com::66.42.95.12:' -H "Host: v1.api.prod.obscura.net" --verbose --insecure --location 'https://google.com/api/ping'
    * Connecting to hostname: 66.42.95.12
    *   Trying 66.42.95.12:443...
    * Connected to 66.42.95.12 (66.42.95.12) port 443
    * ALPN: curl offers h2,http/1.1
    * (304) (OUT), TLS handshake, Client hello (1):
    * (304) (IN), TLS handshake, Server hello (2):
    * (304) (IN), TLS handshake, Unknown (8):
    * (304) (IN), TLS handshake, Certificate (11):
    * (304) (IN), TLS handshake, CERT verify (15):
    * (304) (IN), TLS handshake, Finished (20):
    * (304) (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
    * ALPN: server accepted h2
    * Server certificate:
    *  subject: CN=v1.api.prod.obscura.net
    *  start date: May 4 22:38:20 2025 GMT
    *  expire date: Aug 2 22:38:19 2025 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=E6
    *  SSL certificate verify ok.
    * using HTTP/2
    * [HTTP/2] [1] OPENED stream for https://google.com/api/ping
    * [HTTP/2] [1] [:method: GET]
    * [HTTP/2] [1] [:scheme: https]
    * [HTTP/2] [1] [:authority: v1.api.prod.obscura.net]
    * [HTTP/2] [1] [:path: /api/ping]
    * [HTTP/2] [1] [user-agent: curl/8.7.1]
    * [HTTP/2] [1] [accept: */*]
    > GET /api/ping HTTP/2
    > Host: v1.api.prod.obscura.net
    > User-Agent: curl/8.7.1
    > Accept: */*
    >
    * Request completely sent off
    < HTTP/2 200
    < date: Wed, 28 May 2025 23:50:28 GMT
    < content-type: application/json
    < content-length: 67
    < vary: origin, access-control-request-method, access-control-request-headers
    < access-control-allow-origin: *
    < strict-transport-security: max-age=63072000
    <
    * Connection #0 to host 66.42.95.12 left intact
    {"env":"prod","version":"3a91af31b3b75b6fd8d8acfefb53d812e601749e"}