
Re: [tor-talk] FortiGuard firewall blocks meek by TLS signature



Hi,
That’s not surprising.  Wonder if we’ll see other filtering companies start blocking Meek this way.

> On Jul 24, 2016, at 3:04 AM, David Fifield <david@xxxxxxxxxxxxxxx> wrote:
> 
> Recently, we had reports of Cyberoam firewalls blocking meek by TLS
> signature:
> https://lists.torproject.org/pipermail/tor-talk/2016-May/040923.html
> I got a similar report, this time for a FortiGuard firewall.
> 
> The story is basically the same as last time: the firewall looks for TLS
> that has the signature of a specific version of Firefox and is also
> destined to one of the default front domains. This time it is the
> signature of Firefox 45 they're looking for. They also were not blocking
> the domain www.google.com, so meek-google would work if it hadn't been
> shut down recently.
> 
> Here are workarounds to try if you find yourself in this situation. See
> also: What to do if meek gets blocked.
> https://lists.torproject.org/pipermail/tor-talk/2015-January/036410.html
> 
> First try changing the front domain. This is easy to do; you don't have
> to edit any files.
> https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain
> These alternative bridge lines worked in this case:
> 	Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
> 	Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com
> 
> The second workaround is to disable the Firefox TLS camouflage and use
> naked Golang TLS. To do that, edit the file
> Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
> 	ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client
> to
> 	ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client
> I.e., remove the meek-client-torbrowser wrapper program. The format of
> the line will differ slightly depending on your operating system, but it
> should be pretty easy to figure out.
> 
> The third workaround is to set up your own App Engine app. This isn't
> very hard to do. Instructions are here:
> https://lists.torproject.org/pipermail/tor-talk/2016-June/041699.html
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

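
The torrc-defaults edit described in the quoted message, as an added example that is not part of the original thread and is not Tor Project code: a Python function that removes the meek-client-torbrowser wrapper and its `--` separator from a `ClientTransportPlugin meek` line, leaving every other line unchanged. The Unix-style sample line and the handling of an optional `.exe` suffix are assumptions; only the Windows form of the line appears in the post.

```python
import re

WRAPPER = "meek-client-torbrowser"  # wrapper program named in the post

# Windows form of the line, as quoted in the post.
SAMPLE_WINDOWS = (r"ClientTransportPlugin meek exec "
                  r"TorBrowser\Tor\PluggableTransports\terminateprocess-buffer "
                  r"TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- "
                  r"TorBrowser\Tor\PluggableTransports\meek-client")
# Constructed Unix-style line (assumed layout, not taken from the post).
SAMPLE_UNIX = ("ClientTransportPlugin meek exec "
               "./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- "
               "./TorBrowser/Tor/PluggableTransports/meek-client")

def _basename(token):
    # Accept both \ and / as separators; ignore an optional .exe suffix.
    name = re.split(r"[\\/]", token)[-1]
    return name[:-4] if name.lower().endswith(".exe") else name

def strip_meek_wrapper(torrc_text):
    """Return (new_text, changed_lines) with the wrapper removed from meek lines."""
    out, changed = [], 0
    for line in torrc_text.splitlines():
        tokens = line.split()
        is_meek = (len(tokens) >= 3 and tokens[0] == "ClientTransportPlugin"
                   and "meek" in tokens[1].split(",") and tokens[2] == "exec")
        if is_meek:
            idx = next((i for i, t in enumerate(tokens)
                        if _basename(t) == WRAPPER), None)
            if idx is not None:
                # Drop the wrapper and the "--" that separates it from meek-client.
                end = idx + 2 if tokens[idx + 1:idx + 2] == ["--"] else idx + 1
                line = " ".join(tokens[:idx] + tokens[end:])
                changed += 1
        out.append(line)
    trailing = "\n" if torrc_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_UNIX):
        print(strip_meek_wrapper(sample)[0])
```

Running the function a second time on its own output changes nothing, so it is safe to apply to a file that has already been edited by hand.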