[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Easy(?) adaptation of meek-client for ESNI

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Easy(?) adaptation of meek-client for ESNI
From: Hans-Christoph Steiner <hans@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 7 Dec 2018 15:55:42 +0100
Autocrypt: addr=hans@xxxxxxxxxxxxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFY1RO0BEAC94s679hO9oxi2h1GF0hN7xCXxeIyJp58rA2QxuMJ/NvMhrfBGVqhkolUb 7IqvHy8n7jvTCCAJOHP6ZAtUUwV20ZpUa2Mfp0/6dbGkvXcXwGlU9ShpBiXnDsKvgRRX5gOO /WeWLe8x8HRcFfcJVXS9pHRw2bxjrbs3zKlf7yBACcSt6ZSgPsqHuUQSUs4Qo0E0/H14uJiD k32qQ1YicVrE1r2pFe9iZpxBMGTwgZyNUEUYDeVfTDubL7Jc1MUpgotNTxbJ3jVxt0uHn20l hNXG6ybaYK3MhIHIEp9Nbd4l6+Y81ZgIQbs4jAbAPcy+qY3GT2uQfbFb2UK8+hnDotGmejgo YuDZGBaAukiELIKxrsNCvaSg5DI/yrH6Vx6ZceHpitrer6yOwZescc5SGud3btU4Iktfw7w+ 5pxmyypUazaltibSd13o56n/aKrQZw098bhqnh9xTbPVK14t4wTdsJKyZmJv8oKCqppEuhTc q8kur0PWOM85NSBl0igSfj8/CR8CbzgasMPNQVVwUA0Ody0s8wO13+WVaLq7y6Xpy9t6jSVv S8KLgmJ/wTJimHb2cctHNBSQEwnJtRyy/o7kKnge6HPzOprjPAlv6okA2XQaLTxyjW1YCRwN GatNAJ2WnJx3m89WGRONN6qQ3RFX59kbyzR1uL6D3Z6ts7bTmwARAQABzTJIYW5zLUNocmlz dG9waCBTdGVpbmVyIDxoYW5zQGd1YXJkaWFucHJvamVjdC5pbmZvPsLBvgQTAQoAaAIbAQUL CQgHAwUVCgkICwUWAgMBAAIeAQIXgAIZAQUCVjdjhUMYaHR0cHM6Ly9wZ3AubWl0LmVkdS9w a3MvbG9va3VwP29wPXZpbmRleCZzZWFyY2g9MHhFOUUyOERFQTAwQUE1NTU2AAoJEOnijeoA qlVW/IwP/0Uq8896f4NJPv9m5xKZnpCErXhvGU8b4gwH5EXaw66Z/0Zp56zF+J0rLdQZ9FoL HmShM8ZIEHmbNs/NTxqJ5qR0QDKJl8kJW7P/yfNjYOHtBCxPOS5LcapGtUT9jx7GAPU+oJ7z RC0nF8eot97Ds797n139BSbabZ74j0mfwKdGFxRaZVAfhzOD3tevyxUGMwj3w+zRpSXrDHc+ mZa9oHVE6J632rKMUTyDH/7kjzqN54l+dW29SK2NCfC79jfjDcO+ldbUV0lDz+HcLAiEYY1U ucuGVYgL0s/blCqw8YBmwBFdzYYwL6JXiK0KO+eukEZZl9nAWb0CUtuq/8dqkB5VKE39sBjZ pADf8xknMXJVTN1NlMUv6ZDKgRByL0gWdxmSaLLcjBliieXsDvMDHZnwhVsXeoPB1o6PaNLr Ho6ohf8vUrpVzDt6jwEydKBjJiykoSae4Gb7zgVx2/jvHZG3TrMqwktmPQKc+mS/WQBVMfUm ay3EYuIXRFhh2l4czMxFPWpan0nxV3QSpjPYJFOcKm0fPOLBAfe5WnatO8RGtL/quOdpOhMi rfzZKb0I4CiLGmyUHhewCGcggejqrBNDsip4RE4XwEYbH/VjWs0g5VVodSLUm0aC/98eG+XR 0bV/v0urdHFedFOVbkTBYYYJWNzRxvv2paJVoUzxWn5GzsBNBFY1RikBCAC2ZLMA4e7v4nZL 4Fy5X5vfaZ5pGHuh/8i34V4geqbMgWKnTgi2CJkAzglVDkbhpyk/Q8hCj4DdiRMsK4+TpLmp sbCYVGBeoaB/zkhZdjHksymED7V5sUim1BV418JXk19bnrDNFvfyhy8fer8FoDKeT0HJNdab lTt5NJrVFIVmglOZFIF+dSbz+HoH15bbwUDoedM63Q9ChQ5RsPKxiKHbwsYQ6zAJb+f/xLsG RUSzg6q6GPwX0A0P6QMkl2a/OXZhk+LGmzvldg4M0roWr6ohH+4iiBxttId4VACNPjQR7UME c8E6GZTRpviaMTTioXHY2wxkjcD6LmdjZ7Hm7F2NABEBAAHCwWUEGAEKAA8FAlY1RikCGwwF CQlmAYAACgkQ6eKN6gCqVVZbvxAAk1RTjZ017OWt/Tpm7Wa1VprbNPSFmDjzXSjIM2ut7E5B iScJLRy4sl7Fl5GcwS8lWkfIz2n8R7zn0Xj4T91dKZZ4J9m+Mf37cHGBBn5Hp2E6gqoClqbN CNLpWeHtwbLf7p9e513yRZwIdwAC4sHCGSzT6ZpFNhOhTqSj4nllfpbkSSjac5KaeV7oRQXI fE8BvwH02sGM5LpsoifhShrdcoEZe3GjyERbf3oh3cqYnr9pR64DnO8IMc+RL2c+sGPoirVS d/kBCIA8vEABZzpHeoNN4DNu3ykg0d0Knn/2CoMY92w4UGrdDRc++uMOawXtI9aGdtt4AIMy YvHfSO5KtZr+U9sViMhSXiiJ1Ofl46C9nZwjyZ5t5NnwfVh3Am79uhDHrckxJ/2aWOt9KOdY H8QqxovWCCq9esUgV+Q0SXow8zdkBa8lKR2H9xbI4frKULnu29iyIv4CbWOZE8QbjKoBcThA XesRjmVb5bvAYx+t5UMyQKaaH7dVTzvdFiIRM3zm0Hxrpxn3muaGk9WRTzKi+cYlAcT3o2ES mlWXkYGArbRoOtnQ1aXbySkF/+veMptetrZ8nyAZJ5oZmjDJ70EBGHEbEhMhNhYXlua4QIiV HdBRZ93PQnQA5j8JcYkeY8g977F9I/Cjk4xSmEuPZ/rmXci54nqnT4tGKQsdnsU=
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 07 Dec 2018 09:56:14 -0500
In-reply-to: <dae06407-f683-4f25-e02f-db472282a94f@guardianproject.info>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Openpgp: preference=signencrypt
Organization: Guardian Project
References: <20181023223241.62ydqrwq3ohcvrr3@bamsoftware.com> <dae06407-f683-4f25-e02f-db472282a94f@guardianproject.info>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Nathan of Guardian:
> On Mon, Sep 24, 2018 at 08:23:58PM -0600, David Fifield wrote:
>> What we would need in order for meek to used encrypted SNI would be
>> either:
>>  1) support for encrypted SNI in Go's crypto/tls package; or
>>  2) support for encrypted SNI in the Firefox that ships with Tor
>>     Browser, which meek-client could use through its TLS camouflage
>>     helper support.
>>
>> IMO (2) is less desirable because I'd like to get rid of the TLS
>> camouflage helper support and replace it with a Go-level TLS camouflage
>> library: https://github.com/refraction-networking/utls. The TLS helper
>> works, but its complexity is a pain to deal with and leads to problems
>> like https://bugs.torproject.org/12774 https://bugs.torproject.org/25405.
> 
> I wrote an untested overview of how to adapt meek to use ESNI, using an
> external copy of Firefox Nightly rather than Tor Browser's built-in copy
> of Firefox. Testing this out to see if it works would be a good task for
> someone who wants to get involved with pluggable transports.
> 
> Use ESNI via Firefox HTTPS helper
> https://bugs.torproject.org/28168
> 
> 1. Download Tor Browser and Firefox Nightly.
> 2. Go to about:config in Firefox nightly and set
>      network.trr.mode=3
>      network.trr.uri=https://1.1.1.1/dns-query
>      network.security.esni.enabled=true
> 3. Copy the meek-http-helper@xxxxxxxxxxxxxxxxxxx from Tor Browser to
>    Firefox Nightly.
> 4. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
>    firefoxPath at the copy of Firefox Nightly and disable the custom
>    profile. (Additional hacks to remove hardcoded Tor Browser
>    assumptions may be required.)
> 5. Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/,
>    call it https://meek.example.com/.
> 6. Set up a custom bridge in Tor Browser, using url= without front=
>    (because we're no longer domain fronting).
>      bridge meek 0.0.2.0:3 url=https://meek.example.com/ 
> 
> The only slightly weird part I foresee is hacking
> meek-client-torbrowser; it has some internal hardcoded paths and
> profiles that are specific to the Tor Browser directory layout, and
> you'll have to point those to an external Firefox Nightly. Of course,
> once ESNI support makes its way into Tor Browser itself, there won't be
> a need for another external copy of Firefox.

Two things to follow up on this thread:

1) I believe ESNI support is now in the Firefox betas, so that approach
is looking like an option

2) Guardian Project got a grant to work on a full stack prototype of
using Pluggable Transports.  We're going to try to do it with ESNI using
Stephen Farrell's patches to openssl.

My last thought on this topic for today: we should be careful about
making it too easy to use ESNI for circumvention before its gained any
server side implementers.  If it gets branded a activist tool, I could
see many orgs failing to adopt ESNI.  I think Cloudflare is the only
active provider offering it.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: [tor-dev] Update on Guardian Project Pluggable Transport work
Next by Author: [tor-dev] Scheduled changes to Tor Metrics CSV files in the Performance and the Traffic category
Previous by thread: Re: [tor-dev] Failure to connect to a 0.3.4.9 bridge--downgrading to 0.2.9.17 fixes it
Next by thread: [tor-dev] Network team meeting Monday at 1800 UTC
Index(es):
- Author
- Thread