[tor-bugs] #28168 [Obfuscation/meek]: Use ESNI via Firefox HTTPS helper
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 23 22:33:18 UTC 2018
#28168: Use ESNI via Firefox HTTPS helper
------------------------------+---------------------
Reporter: dcf | Owner: dcf
Type: project | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/meek | Version:
Severity: Normal | Resolution:
Keywords: easy | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+---------------------
Description changed by dcf:
Old description:
> As of 2018-10-18,
> [https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/ Firefox Nightly supports]
> encrypted SNI, and [https://blog.cloudflare.com/esni/ Cloudflare supports
> it] on the server side. Because meek supports using Firefox as a channel
> for issuing HTTPS requests, it ought to be pretty easy to adapt the meek
> client software to use ESNI rather than domain fronting. The server
> software doesn't need any change.
>
> These steps are untested:
> 1. Download Tor Browser and Firefox Nightly.
> 1. Set network.trr.mode=3 and network.security.esni.enabled=true in
> Firefox Nightly.
> 1. Copy the !meek-http-helper@bamsoftware.com.xpi from Tor Browser to
> Firefox Nightly.
> 1. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
> `firefoxPath` at the copy of Firefox Nightly and disable the custom
> profile. (Additional hacks to remove hardcoded Tor Browser assumptions
> may be required.)
> 1. Set up a Cloudflare instance pointing to
> !https://meek.bamsoftware.com/, call it !https://meek.example.com/.
> 1. Set up a [[doc/meek#Howtochangethefrontdomain|custom bridge]] in Tor
> Browser, using `url=` without `front=` (because we're no longer domain
> fronting).\\{{{bridge meek 0.0.2.0:3 url=https://meek.example.com/}}}
>
> Of course, once ESNI support makes it into the version of Firefox used by
> Tor Browser, this will be even easier, not requiring a separate Firefox
> Nightly.
New description:
As of 2018-10-18,
[https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/ Firefox Nightly supports]
encrypted SNI, and [https://blog.cloudflare.com/esni/ Cloudflare supports it] on the server
side. Because meek supports using Firefox as a channel for issuing HTTPS
requests, it ought to be pretty easy to adapt the meek client software to
use ESNI rather than domain fronting. The server software doesn't need any
change.
These steps are untested:
1. Download Tor Browser and Firefox Nightly.
1. Go to about:config in Firefox Nightly and set
* network.trr.mode=3
* network.trr.uri=!https://1.1.1.1/dns-query
* network.security.esni.enabled=true
1. Copy the !meek-http-helper@bamsoftware.com.xpi from Tor Browser to
Firefox Nightly.
1. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
`firefoxPath` at the copy of Firefox Nightly and disable the custom
profile. (Additional hacks to remove hardcoded Tor Browser assumptions may
be required.)
1. Set up a Cloudflare instance pointing to
!https://meek.bamsoftware.com/, call it !https://meek.example.com/.
1. Set up a [[doc/meek#Howtochangethefrontdomain|custom bridge]] in Tor
Browser, using `url=` without `front=` (because we're no longer domain
fronting).\\{{{bridge meek 0.0.2.0:3 url=https://meek.example.com/}}}
Of course, once ESNI support makes it into the version of Firefox used by
Tor Browser, this will be even easier, not requiring a separate Firefox
Nightly.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28168#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online