[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #28168 [Obfuscation/meek]: Use ESNI via Firefox HTTPS helper
#28168: Use ESNI via Firefox HTTPS helper
------------------------------+---------------------
Reporter: dcf | Owner: dcf
Type: project | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/meek | Version:
Severity: Normal | Resolution:
Keywords: easy | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+---------------------
Description changed by dcf:
Old description:
> As of 2018-10-18, [https://blog.mozilla.org/security/2018/10/18
> /encrypted-sni-comes-to-firefox-nightly/ Firefox Nightly supports]
> encrypted SNI, and [https://blog.cloudflare.com/esni/ Cloudflare supports
> it] on the server side. Because meek supports using Firefox as a channel
> for issuing HTTPS requests, it ought to be pretty easy to adapt the meek
> client software to use ESNI rather than domain fronting. The server
> software doesn't need any change.
>
> These steps are untested:
> 1. Download Tor Browser and Firefox Nightly.
> 1. Set network.trr.mode=3 and network.security.esni.enabled=true in
> Firefox Nightly.
> 1. Copy the !meek-http-helper@xxxxxxxxxxxxxxxxxxx from Tor Browser to
> Firefox Nightly.
> 1. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
> `firefoxPath` at the copy of Firefox Nightly and disable the custom
> profile. (Additional hacks to remove hardcoded Tor Browser assumptions
> may be required.)
> 1. Set up a Cloudflare instance pointing to
> !https://meek.bamsoftware.com/, call it !https://meek.example.com/.
> 1. Set up a [[doc/meek#Howtochangethefrontdomain|custom bridge]] in Tor
> Browser, using `url=` without `front=` (because we're no longer domain
> fronting).\\{{{bridge meek 0.0.2.0:3 url=https://meek.example.com/}}}
>
> Of course, once ESNI support makes it into the version of Firefox used by
> Tor Browser, this will be even easier, not requiring a separate Firefox
> Nightly.
New description:
As of 2018-10-18, [https://blog.mozilla.org/security/2018/10/18/encrypted-
sni-comes-to-firefox-nightly/ Firefox Nightly supports] encrypted SNI, and
[https://blog.cloudflare.com/esni/ Cloudflare supports it] on the server
side. Because meek supports using Firefox as a channel for issuing HTTPS
requests, it ought to be pretty easy to adapt the meek client software to
use ESNI rather than domain fronting. The server software doesn't need any
change.
These steps are untested:
1. Download Tor Browser and Firefox Nightly.
1. Go to about:config in Firefox Nightly and set
* network.trr.mode=3
* network.trr.uri=!https://1.1.1.1/dns-query
* network.security.esni.enabled=true
1. Copy the !meek-http-helper@xxxxxxxxxxxxxxxxxxx from Tor Browser to
Firefox Nightly.
1. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
`firefoxPath` at the copy of Firefox Nightly and disable the custom
profile. (Additional hacks to remove hardcoded Tor Browser assumptions may
be required.)
1. Set up a Cloudflare instance pointing to
!https://meek.bamsoftware.com/, call it !https://meek.example.com/.
1. Set up a [[doc/meek#Howtochangethefrontdomain|custom bridge]] in Tor
Browser, using `url=` without `front=` (because we're no longer domain
fronting).\\{{{bridge meek 0.0.2.0:3 url=https://meek.example.com/}}}
Of course, once ESNI support makes it into the version of Firefox used by
Tor Browser, this will be even easier, not requiring a separate Firefox
Nightly.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28168#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs