Nathan of Guardian:
> On Mon, Sep 24, 2018 at 08:23:58PM -0600, David Fifield wrote:
>> What we would need in order for meek to use encrypted SNI would be
>> either:
>> 1) support for encrypted SNI in Go's crypto/tls package; or
>> 2) support for encrypted SNI in the Firefox that ships with Tor
>> Browser, which meek-client could use through its TLS camouflage
>> helper support.
>>
>> IMO (2) is less desirable because I'd like to get rid of the TLS
>> camouflage helper support and replace it with a Go-level TLS camouflage
>> library: https://github.com/refraction-networking/utls. The TLS helper
>> works, but its complexity is a pain to deal with and leads to problems
>> like https://bugs.torproject.org/12774 https://bugs.torproject.org/25405.
>
> I wrote an untested overview of how to adapt meek to use ESNI, using an
> external copy of Firefox Nightly rather than Tor Browser's built-in copy
> of Firefox. Testing this out to see if it works would be a good task for
> someone who wants to get involved with pluggable transports.
>
> Use ESNI via Firefox HTTPS helper
> https://bugs.torproject.org/28168
>
> 1. Download Tor Browser and Firefox Nightly.
> 2. Go to about:config in Firefox Nightly and set
>      network.trr.mode=3
>      network.trr.uri=https://1.1.1.1/dns-query
>      network.security.esni.enabled=true
> 3. Copy the meek-http-hel...@bamsoftware.com.xpi from Tor Browser to
>    Firefox Nightly.
> 4. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
>    firefoxPath at the copy of Firefox Nightly and disable the custom
>    profile. (Additional hacks to remove hardcoded Tor Browser
>    assumptions may be required.)
> 5. Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/,
>    call it https://meek.example.com/.
> 6. Set up a custom bridge in Tor Browser, using url= without front=
>    (because we're no longer domain fronting).
>      bridge meek 0.0.2.0:3 url=https://meek.example.com/
>
> The only slightly weird part I foresee is hacking
> meek-client-torbrowser; it has some internal hardcoded paths and
> profiles that are specific to the Tor Browser directory layout, and
> you'll have to point those to an external Firefox Nightly. Of course,
> once ESNI support makes its way into Tor Browser itself, there won't be
> a need for another external copy of Firefox.
Two things to follow up on this thread:

1) I believe ESNI support is now in the Firefox betas, so that approach is
   looking like an option.
2) Guardian Project got a grant to work on a full stack prototype of using
   Pluggable Transports. We're going to try to do it with ESNI using Stephen
   Farrell's patches to openssl.

My last thought on this topic for today: we should be careful about making it
too easy to use ESNI for circumvention before it's gained any server side
implementers. If it gets branded an activist tool, I could see many orgs
failing to adopt ESNI. I think Cloudflare is the only active provider
offering it.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
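The reason the thread wants ESNI at all is that, without it, the ClientHello carries the bridge's front hostname in the clear, so a passive on-path observer can read it and block on it. The following Python is an added illustration of that point, not code from the thread, from meek or from Tor Browser: it builds a minimal TLS 1.2-style ClientHello (the random, cipher suite and session id are constructed placeholder values) and then parses it the way a passive observer would, extracting the plaintext server_name extension and flagging whether the draft-ESNI extension is present. The hostname meek.example.com is the one from the bridge line above; the code point 0xffce is assumed from the ESNI drafts of that period and is labelled as such in the code.

```python
import struct
from typing import Optional

# Extension code points. 0x0000 is server_name (RFC 6066). 0xffce is the
# encrypted_server_name code point used by the draft-ietf-tls-esni drafts
# of the time (assumption for this demo; final ECH uses a different one).
EXT_SERVER_NAME = 0x0000
EXT_ESNI_DRAFT = 0xFFCE


def build_client_hello(sni: Optional[str], esni_blob: Optional[bytes] = None) -> bytes:
    """Build a minimal, constructed TLS 1.2-style ClientHello record.

    Only the fields a parser needs are populated; random and cipher suite
    are placeholder values, not output of a real TLS stack.
    """
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        # ServerNameList: one entry of type host_name (0)
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if esni_blob is not None:
        # Opaque placeholder standing in for the encrypted extension body
        exts += struct.pack("!HH", EXT_ESNI_DRAFT, len(esni_blob)) + esni_blob
    hello = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + bytes(32)                             # random (constructed zeros)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # compression: null only
        + struct.pack("!H", len(exts)) + exts   # extensions block
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read from a ClientHello record:
    the plaintext SNI (or None) and whether a draft-ESNI extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                  # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len         # compression methods

    result = {"sni": None, "has_esni": False}
    if pos + 2 > len(body):
        return result                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: list_len(2) then {name_type(1) name_len(2) name}*
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                    # host_name
                    result["sni"] = data[p:p + nlen].decode("ascii")
                p += nlen
        elif etype == EXT_ESNI_DRAFT:
            result["has_esni"] = True             # body is opaque to the observer
    return result


if __name__ == "__main__":
    # Plain SNI, as meek without front= would send it: the front hostname is visible.
    print(parse_client_hello(build_client_hello("meek.example.com")))
    # With only a draft-ESNI extension, the observer sees no hostname.
    print(parse_client_hello(build_client_hello(None, esni_blob=bytes(16))))
```

The first parse returns the front hostname in the clear, which is exactly the field a filter keys on; the second shows that, once the name moves into the encrypted extension, the parser can only tell that ESNI is in use, not which name was requested. That residual signal is the concern raised in the last paragraph above: a distinctive extension with few deployers is itself a fingerprint.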