[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges



On Thu, Oct 04, 2018 at 06:23:32AM +0000, ithor wrote:
> Ok, correct me if I'm wrong. Is this what happens in a meek request :
> 1. unencrypted http request with the hostname I want to connect to in cleartext.
> 2. encrypted https connection to the hostname.
> 3. encrypted (http?) relay connection to the Tor entry node.

Completely wrong.

Please read the docs: 
https://trac.torproject.org/projects/tor/wiki/doc/meek#Overview
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports#meek

Encrypted HTTPS connection with a false SNI (ajax.aspnetcdn.com) readable for 
the censor, but the actual destination hostname (meek.azureedge.net) in the 
HTTP "Host" header. This way there's an encrypted connection to the CDN which 
looks like a browser's HTTPS connection to "ajax.aspnetcdn.com" from the 
outside. Once connected to the CDN, the meek client can talk to whatever app 
within the CDN it wants to. It will talk to the meek server 
(meek.azureedge.net), which IS a Tor bridge and as such acts as the entry 
guard of the circuit.
-- 
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
             https://www.parckwart.de/pgp_key

Attachment: signature.asc
Description: PGP signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk