[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] FortiGuard firewall blocks meek by TLS signature
That’s not surprising. Wonder if we’ll see other filtering companies start blocking Meek this way.
> On Jul 24, 2016, at 3:04 AM, David Fifield <david@xxxxxxxxxxxxxxx> wrote:
> Recently, we had reports of Cyberoam firewalls blocking meek by TLS
> I got a similar report, this time for a FortiGuard firewall.
> The story is basically the same as last time: the firewall looks for TLS
> that has the signature of a specific version of Firefox and is also
> destined to one of the default front domains. This time it is the
> signature of Firefox 45 they're looking for. They also were not blocking
> the domain www.google.com, so meek-google would work if it hadn't been
> shut down recently.
> Here are workarounds to try if you find yourself in this situation. See
> also: What to do if meek gets blocked.
> First try changing the front domain. This is easy to do; you don't have
> to edit any files.
> These alternative bridge lines worked in this case:
> Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
> Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com
> The second workaround is to disable the Firefox TLS camouflage and use
> naked Golang TLS. To do that, edit the file
> Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
> ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client
> ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client
> I.e., remove the meek-client-torbrowser wrapper program. The format of
> the line will differ slightly depending on your operating system, but it
> should be pretty easy to figure out.
> The third workaround is to set up your own App Engine app. This isn't
> very hard to do. Instructions are here:
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to