Hello all,

I just tagged obfs4proxy-0.0.9. The main features of this release are primarily related to improving the behavior of the `meek_lite` transport. Since some of the changes are major, I will expand on them separately from the brief summary given in the ChangeLog.

 * A forked version[0] of https://github.com/refraction-networking/utls is now used to mask the TLS signature. This results in a ClientHello that should resemble modern versions of Firefox by default. While the utls profile is named `HelloFirefox_63`, a cursory examination leads me to believe that there are no differences in FF 65.

   The bridge line option `utls=<fingerprint>` will allow specifying the behavior, with (case-insensitive) string representations of the utls fingerprint names. `none` will revert to the previous behavior.

   Not all fingerprints were tested and/or are guaranteed to work. Development was primarily done with `HelloChrome_70`, `HelloFirefox_63`, and `HelloChrome_71` (experimental).

   While I can not vouch for the mimicry accuracy of every single profile, all of the profiles that attempt to mimic browsers should function fairly well[1], though this partially depends on the configuration of the host doing the fronting.

 * meek_lite now has HPKP[2] style public key pins for all of the Microsoft CA certs that are used to sign Azure leaf certificates. This is only enabled when `utls` is being used, because I'm lazy.

   If Microsoft happens to change their CA certificates prior to the next release, 2024-05-20, or you are ok with being actively man-in-the-middled for some reason, adding `disableHPKP=true` to the bridge line will disable certificate pin validation.

   HPKP headers in HTTP responses are ignored, only the static pin list is consulted.

 * Due to a shift in my philosophy, portions of the new code are released under the GNU General Public License v3. Exceptions to the viral nature of the license will be considered on a case-by-case basis. Contact me for more details.

Tarball/Signature:
 https://people.torproject.org/~yawning/releases/obfs4proxy/obfs4proxy-0.0.9.tar.xz
 https://people.torproject.org/~yawning/releases/obfs4proxy/obfs4proxy-0.0.9.tar.xz.asc

Changes in version 0.0.9 - 2019-02-05:
 - Various meek_lite code cleanups and bug fixes.
 - Bug 29077: uTLS for ClientHello camouflage (meek_lite).
 - More fixes to HTTP Basic auth.
 - (meek_lite) Pin the certificate chain public keys for the default Tor Browser Azure bridge (meek_lite).

Regards,

--
Yawning Angel

[0]: obfs4proxy WILL NOT build with the upstream version of the library, and the Firefox fingerprint will not function with Azure using the upstream version.
[1]: For "I can watch Eluveitie music videos on youtube over it" definitions of "fairly well".
[2]: Yes, the HPKP spec is rather dead in the wild with a lot of people giving up on it. It is my opinion that in this context having such a mechanism makes sense.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
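
Added example, not part of the original message and not obfs4proxy's own code: a sketch of HPKP-style static pin validation as the announcement describes it, where a pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo and only a built-in pin set is consulted. The names `spkiPin`, `checkPins` and `constructedCert` are hypothetical, the certificates are constructed throwaway samples, and normal chain verification is assumed to happen separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// spkiPin returns an HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins (hypothetical) accepts a chain when any certificate in it carries
// a pinned key; disable mirrors the disableHPKP=true bridge line option.
func checkPins(chain []*x509.Certificate, pins map[string]bool, disable bool) error {
	if disable {
		return nil
	}
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return errors.New("pin validation failed: no pinned key in chain")
}

// constructedCert builds a throwaway self-signed certificate as sample input.
func constructedCert(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	ca, leaf := constructedCert("constructed CA"), constructedCert("constructed leaf")
	pins := map[string]bool{spkiPin(ca): true} // static pin list (constructed)
	fmt.Println(checkPins([]*x509.Certificate{leaf, ca}, pins, false)) // pinned CA in chain
	fmt.Println(checkPins([]*x509.Certificate{leaf}, pins, false))     // no pinned key
}
```

Pinning the CA keys rather than the leaf key means leaf certificates can rotate without a new release, while a chain issued by any other CA is rejected even if the system trust store accepts it.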