[anti-censorship-team] Azure domain fronting, meek ESNI

Roger Dingledine arma at torproject.org
Fri Apr 2 03:15:47 UTC 2021


On Mon, Mar 29, 2021 at 01:19:33PM -0600, David Fifield wrote:
> One possible alternative is ESNI with Cloudflare, using the mainline
> meek code and its support for a headless (ESNI-supporting) Firefox.
> However, this will require a lot of Tor Browser work to swap meek
> implementations and re-wire the headless browser support files.

One huge advantage of routing via Cloudflare is that it's free (gratis),
right? That is, we could move the (currently hugely rate limited and
thus very slow) meek-azure traffic over to this future meek-cloudflare
service, and open up the rate limits a lot more?

> One problem with the headless Firefox model is that the TLS fingerprint
> of the ESR release used by Tor Browser would rapidly become uncommon
> (because most people don't run ESRs). See Section V of
> https://tlsfingerprint.io/static/frolov2019.pdf. But we currently have
> that problem anyway, as the version of uTLS we are using is two years
> old (Chrome 72, Firefox 65, and even the dev branch is 9 months old).

How far is the current utls from being able to do ESNI? That approach
might be more work in the short term, but provide the "easier to maintain"
feature in the long term?

I hear ESNI won't work so well in China, but there are plenty of other
censored situations where it would be really useful to offer users a
higher-bandwidth domain-fronted option.

--Roger




More information about the anti-censorship-team mailing list