[tor-bugs] #22871 [Obfuscation/BridgeDB]: Implement backend for moat
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Sep 13 19:20:39 UTC 2017
#22871: Implement backend for moat
----------------------------------------+----------------------
Reporter: isis | Owner: isis
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Obfuscation/BridgeDB | Version:
Severity: Normal | Resolution:
Keywords: SponsorM, bridgedb-captcha | Actual Points:
Parent ID: | Points: 3
Reviewer: | Sponsor:
----------------------------------------+----------------------
Comment (by isis):
Replying to [comment:4 iry]:
> Hi isis!
>
> I am posting the reply in this ticket since it seems to be more related
> to the topic:
>
> isis:
> > This API won't be publicly accessible though, it'll be reachable
> > through the API for #22871, and even then it's only reachable through a
> > special meek reflector as part of #16650.
> I love the idea to "Set up domain fronting for BridgeDB". The benefits
> are huge as described in #16650.
>
> However, meek has been supported neither by Whonix nor by Tails so
> far. It is very likely because meek has not been packaged into Debian as
> a standalone client because of its increasingly high coupling with TBB:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764007
That makes sense, although it's unfortunate. There is a `meek-client`
program included in meek; however, as I understand it, the TLS is more
fingerprintable which is why dcf went the route of instrumenting a
browser. It would be better to ask dcf about this.
I also just remembered that you actually ''can't'' do a `POST /meek/*` to
BridgeDB unless you go through the meek reflector, because of the way the
TLS termination is handled. Also FYI, this distributor relies on getting
the client's IP address in an `X-Forwarded-For` header from the meek
reflector. We could consider setting up the same moat API as its own
separate distributor for clients which can't use meek, but that should be
a new ticket. (Also, I'd prefer that they be separate distributors, since
there's a possibility that we may need to allocate differently, or treat
different automated bridge distribution clients differently, e.g.
different rate limiting, in the future.)
> I will also ask Tails about why meek is not available in Tails, given
> that Tails does ship a Tor Browser (unlike Whonix-gateway).
Thanks! I'd be curious to hear why.
> > Is anon-connection-wizard what Tails uses now? I'd be happy to support
> > Tails as well (but I'd strongly prefer the connection to go through the
> > meek reflector).
>
> anon-connection-wizard has not been used by Tails so far. But some quick
> and dirty test on integrating anon-connection-wizard has been done by
> anonym from Tails. Some details can be found here:
> https://mailman.boum.org/pipermail/tails-dev/2017-September/011638.html
That's great! Is it being considered because Firefox is removing support
for extensions? (Wasn't Tails doing something special to run Tor Launcher
as a desktop app?)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22871#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online