
[tor-talk] FortiGuard firewall blocks meek by TLS signature

Recently, we had reports of Cyberoam firewalls blocking meek by TLS
I got a similar report, this time for a FortiGuard firewall.

The story is basically the same as last time: the firewall looks for TLS
that has the signature of a specific version of Firefox and is also
destined to one of the default front domains. This time it is the
signature of Firefox 45 they're looking for. They also were not blocking
the domain www.google.com, so meek-google would work if it hadn't been
shut down recently.

Here are workarounds to try if you find yourself in this situation. See
also: What to do if meek gets blocked.

First try changing the front domain. This is easy to do; you don't have
to edit any files.
These alternative bridge lines worked in this case:
	Bridge meek url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
	Bridge meek url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com

The second workaround is to disable the Firefox TLS camouflage and use
naked Golang TLS. To do that, edit the file
Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
	ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client
to
	ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client
I.e., remove the meek-client-torbrowser wrapper program. The format of
the line will differ slightly depending on your operating system, but it
should be pretty easy to figure out.

The third workaround is to set up your own App Engine app. This isn't
very hard to do. Instructions are here:
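
Added example, not part of the original post: a sketch of the second workaround (removing the meek-client-torbrowser wrapper from the ClientTransportPlugin line) that works on either path-separator style. The Linux-style line, the optional ".exe" suffix and the function name are assumptions; only the Windows line comes from the post.

```python
import re

# Matches the wrapper program by basename, with either path separator.
# The optional ".exe" suffix is an assumption; the line in the post has none.
WRAPPER_RE = re.compile(r"(?:.*[\\/])?meek-client-torbrowser(?:\.exe)?")


def strip_meek_wrapper(torrc_text):
    """Return (new_text, n_changed) with the wrapper removed from meek lines."""
    out, changed = [], 0
    for line in torrc_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve the original line ending
        tok = body.split()
        is_meek = tok[:3] == ["ClientTransportPlugin", "meek", "exec"]
        if is_meek and "--" in tok:
            sep = tok.index("--")
            before, after = tok[3:sep], tok[sep + 1:]
            # Keep helper programs such as terminateprocess-buffer.
            kept = [t for t in before if not WRAPPER_RE.fullmatch(t)]
            # Rewrite only if the wrapper was present and a client follows "--".
            if len(kept) < len(before) and after:
                body = " ".join(tok[:3] + kept + after)
                changed += 1
        out.append(body + eol)
    return "".join(out), changed


# Constructed sample: the Windows line from the post, a Linux-style line
# (assumed layout), and an unrelated transport that must be left alone.
SAMPLE = "\n".join([
    r"ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client",
    "ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- ./TorBrowser/Tor/PluggableTransports/meek-client",
    "ClientTransportPlugin obfs4 exec ./TorBrowser/Tor/PluggableTransports/obfs4proxy",
]) + "\n"

if __name__ == "__main__":
    new_text, n = strip_meek_wrapper(SAMPLE)
    print(new_text, end="")
    print(f"# rewrote {n} line(s)")
```

Running it a second time on its own output changes nothing, so it is safe to apply to a torrc-defaults file that has already been edited by hand.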