[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #29077 [Obfuscation/meek]: uTLS for meek-client camouflage



#29077: uTLS for meek-client camouflage
------------------------------+------------------------------
 Reporter:  dcf               |          Owner:  dcf
     Type:  enhancement       |         Status:  needs_review
 Priority:  Medium            |      Milestone:
Component:  Obfuscation/meek  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:  moat utls         |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------------
Changes (by dcf):

 * status:  new => needs_review


Comment:

 Here is a new candidate: meek branch [https://gitweb.torproject.org
 /pluggable-
 transports/meek.git/log/?h=utls_2&id=6c2cad6ce0e1d0d23ec88edb7942362de2552b0e
 utls_2]

 This is a rewrite using the obfs4proxy-inspired technique (comment:4),
 with a few implementation differences. Instead of `dialTLS` being attached
 to the `RoundTripper` wrapper with a distinguised error code, use a
 standalone `dialUTLS` function. Store the state for the dynamically
 created `Transport` in a closure rather than in the parent struct. Raise
 an error if the ALPN changes.

 You control which fingerprint to use with a SOCKS arg, like
 `utls=HelloChrome_Auto`. With the SOCKS arg, it uses the stdlib net/http
 as before. Using `utls=` with `--helper` is an error.

 Currently this breaks proxy support, because previously we were using the
 built-in proxy support of net/http, and we can't do that anymore with
 uTLS; we'll have to make our own proxy connections. I'll restore proxy
 support separately.

 I've removed HelloRandomized and HelloGolang from the table of allowed TLS
 fingerprints. HelloRandomized because
 [https://lists.torproject.org/pipermail/tor-dev/2019-January/013639.html
 it can negotiate different ALPN], and HelloGolang because that's ideally
 equivalent to omitting the `utls=` arg. I'm open to having it recognize
 `utls=HelloGolang` as an alias for omitting the `utls=` arg, because
 compatibility with meek_lite is the most important thing here.

 When creating the internal `http.Transport`, I think I'd like to make it
 have the same default settings as `http.DefaultTransport` with respect to
 timeouts, idle connections, etc. So I'm thinking of cloning the public
 fields of `http.DefaultTransport` using the reflection trick from
 comment:11:ticket:12208. Unfortunately `http2.Transport`
 [https://github.com/golang/go/issues/16581 doesn't expose configuration
 options] in the same way. Maybe it doesn't matter much? My main concern
 here is not having infinite timeouts.

 I tested the TLS fingerprint with a few different configurations.
 ||=configuration =||=fingerprint =||=  seen (all time)=||
 ||no camouflage ||[https://tlsfingerprint.io/id/c4b0fe116abff001
 c4b0fe116abff001]
 [https://web.archive.org/web/20190125221734/https://tlsfingerprint.io/id/c4b0fe116abff001
 archive] ||  0.01%||
 ||`--helper` (Tor Browser 8.0.4 / Firefox 60.4.0esr)
 ||[https://tlsfingerprint.io/id/bb94e801f7aee52b bb94e801f7aee52b]
 [https://web.archive.org/web/20190125221851/https://tlsfingerprint.io/id/bb94e801f7aee52b
 archive] ||  0.58%||
 ||`utls=HelloChrome_70` ||[https://tlsfingerprint.io/id/bc4c7e42f4961cd7
 bc4c7e42f4961cd7]
 [https://web.archive.org/web/20190125222100/https://tlsfingerprint.io/id/bc4c7e42f4961cd7
 archive] ||  3.54%||
 ||`utls=HelloFirefox_63` ||[https://tlsfingerprint.io/id/6bfedc5d5c740d58
 6bfedc5d5c740d58]
 [https://web.archive.org/web/20190125222153/https://tlsfingerprint.io/id/6bfedc5d5c740d58
 archive] ||  1.66%||

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29077#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs