最近发现一个现象。只要我访问任意新域名,该域名的 HTTPS 服务会收到 / /favicon.ico /home/favicon.ico 三个来自全国各地的访问。

已观察到的 UA 为 Firefox/45.0 或者 Firefox/6.0 或者 Chrome/55.*。这三个请求可能来自同一IP也可能不一样。

域名是通过 SNI 泄漏的。对其进行 DNS 查询并不会触发。使用 curl 访问即可触发。使用同样的 SNI 连接到不正确的 IP 并不会触发(SNI 已发但 TLS 握手未完成)。

我是在玩 Cloudflare 新推出的免费 Argo 隧道服务时注意到这个现象的。


Show thread

@lilydjwg @lilydjwg 随便试了一下没有复现成功……
SNI 不正确如果本地忽略证书错误通常也能完成 TLS 握手的?但不知道那边会不会自己再解析一遍域名 🤔

@w27 嗯,后来我也发现如果它不自己解析域名的话,我还是收不到请求的。

@lilydjwg Sorry I can't do Chinese but this is fascinating (from what I was able to Google Translate).

Have you tried to WHOIS the IPs? Were there any headers with the requests? (Like, did they look like actual requests from Chrome or Firefox or spoofed?)

Does anything happen if they fail to download the content because of a connection error? (Maybe they retry with another IP?)

Do they also try after an unencrypted HTTP request?

You said it only did it when you tried a new domain name, do they "forget" the domains you've visited after a while? Does it do it if you visit a domain someone else has already visited? (May be hard to test as you would need multiple people)

Sorry if these questions are annoying I just find this so weird and interesting!

I hope you can still reproduce it though as this post is a bit old :x

Sign in to participate in the conversation

Welcome to your niu world ! We are a cute and loving international community O(≧▽≦)O !