[tor-bugs] #28168 [Obfuscation/meek]: Use ESNI via Firefox HTTPS helper
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 27 21:17:17 UTC 2019
#28168: Use ESNI via Firefox HTTPS helper
------------------------------+---------------------
Reporter: dcf | Owner: dcf
Type: project | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/meek | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------+---------------------
Comment (by dcf):
I set up a Cloudflare account and got this all working: meek with ESNI in
place of domain fronting, running in Tor Browser with an external Firefox
helper. When Tor Browser starts using a Firefox newer than 60 ESR, it
won't need a separate external Firefox.
=== Cloudflare setup ===
* Register a new domain name. I got rinsed-tinsel.site. (I initially
planned to use a subdomain of bamsoftware.com, but Cloudflare only allows
that on their paid plans—on the free plan the only option is to have
Cloudflare handle ''all'' the DNS for the domain.)
* Click "+ Add site", enter the domain name, and choose the free plan.
* At the DNS screen, add a new CNAME record for subdomain "meek" pointing
to "meek.bamsoftware.com". (How this works is when users query
meek.rinsed-tinsel.site, the Cloudflare DNS server will give them an A record
pointing at a Cloudflare edge server, and then the Cloudflare edge server
will fetch origin pages from meek.bamsoftware.com.)
* Go back to the name registrar and set the nameserver to the two
*.ns.cloudflare.com servers that it tells you to set.
* I then went and made the following configuration changes:
  * Crypto tab
    * SSL: Full (strict)
    * Always Use HTTPS: On
    * Minimum TLS Version: TLS 1.2
  * Firewall tab
    * Security Level: Essentially Off
    * Web Application Firewall
      * Browser Integrity Check: Off
  * Caching tab
    * Always Online™: Off
  * Scrape Shield tab
    * Email Address Obfuscation: Off
    * Server-side Excludes: Off
    * Hotlink Protection: Off
=== WebExtension build ===
Start with commit [https://gitweb.torproject.org/pluggable-transports/meek.git/log/?h=webextension&id=9a822c9e99e0bf23c542427de4eae3493ebccbc3 9a822c9e99] in the [https://gitweb.torproject.org/pluggable-transports/meek.git/log/?h=webextension webextension] branch.
1. Enter meek/webextension/native and run `go build`. This produces the
native component of the extension.
2. Enter meek/webextension and run `make`. This zips up the extension
files into an installable bundle, meek-http-helper@bamsoftware.com.xpi.
=== Firefox setup ===
3. Download [https://www.mozilla.org/en-US/firefox/developer/ Firefox
Developer Edition]. You need the developer edition in order to install an
unsigned extension.
4. Run `firefox/firefox --ProfileManager` and create a new "esni" profile.
Go to `about:config` and set these prefs:
{{{
browser.dom.window.dump.enabled
network.trr.mode=3
network.trr.uri=https://1.1.1.1/dns-query
network.security.esni.enabled=true
toolkit.startup.max_resumed_crashes=-1
xpinstall.signatures.required=false
}}}
5. Go to `about:addons`. Click Extensions. Click ⚙️ and select "Install
Add-on From File...". Open meek/webextension/meek-http-helper@bamsoftware.com.xpi.
Say yes to the permissions dialog.
6. Close Firefox.
=== meek-client-torbrowser build ===
7. Edit meek/meek-client-torbrowser/{linux,mac,windows}.go (whatever's
needed for your platform) and adjust the paths:
{{{
firefoxPath = "/path/to/firefox/firefox"
firefoxProfilePath = "/home/user/.mozilla/firefox/<RANDCHARS>.esni"
helperNativeManifestDir = "/path/to/tor-browser_en-US/Browser/.mozilla/native-messaging-hosts"
helperNativeExecutablePath = "/path/to/meek/webextension/native/native"
}}}
8. In meek/meek-client-torbrowser, run `go build`.
9. Copy the resulting meek-client-torbrowser binary to
tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/.
=== Tor Browser setup ===
10. Click the "Configure" button in Tor Launcher, or "Tor Network
Settings..." in the onion toolbar icon.
11. Click "Tor is censored in my country" and "Provide a bridge I know".
Enter the bridge line:
{{{
meek 0.0.2.0:3 1922840D0D66CB82EACE4327F5001430227C0127 url=https://meek.rinsed-tinsel.site/
}}}
12. Because of #12774, it may not work right away and you'll have to
restart.
----
This is a packet capture of bootstrapping and browsing to example.com:
attachment:meek-esni.pcap. Here's a summary of all the Client Hellos it
contains:
{{{
No.  Time                 Source         Destination    Protocol  Info
7    2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
14   2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
15   2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
16   2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1     Client Hello
122  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
133  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
134  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
236  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
237  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
242  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1     Client Hello
243  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
348  2019-02-27 12:24:40  192.168.111.2  1.1.1.1        TLSv1.3   Client Hello
351  2019-02-27 12:24:40  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
431  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
432  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
437  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
438  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
550  2019-02-27 12:24:41  192.168.111.2  104.27.168.47  TLSv1.2   Client Hello
}}}
All the handshakes with 1.1.1.1 are DNS-over-HTTPS name lookup—I'm
guessing some of them are Firefox's internal lookups, unrelated to the
meek tunnel. 104.27.168.47 is the Cloudflare edge server.
The TLS fingerprints are:
||1.1.1.1 ||[https://tlsfingerprint.io/id/8300bf0e26f2a109 8300bf0e26f2a109] ([https://web.archive.org/web/20190227210213/https://tlsfingerprint.io/id/8300bf0e26f2a109 archive]) rank 3620 ||[https://tlsfingerprint.io/compare/bb94e801f7aee52b/8300bf0e26f2a109 comparison] ([https://web.archive.org/web/20190227210604/https://tlsfingerprint.io/compare/bb94e801f7aee52b/8300bf0e26f2a109 archive]) with ESR 60 rank 31 ||
||104.27.168.47 ||[https://tlsfingerprint.io/id/2dcbeba533890640 2dcbeba533890640] ([https://web.archive.org/web/20190227210126/https://tlsfingerprint.io/id/2dcbeba533890640 archive]) rank 6272 ||[https://tlsfingerprint.io/compare/bb94e801f7aee52b/2dcbeba533890640 comparison] ([https://web.archive.org/web/20190227210435/https://tlsfingerprint.io/compare/bb94e801f7aee52b/2dcbeba533890640 archive]) with ESR 60 rank 31 ||
The differences against the current ESR 60 fingerprint appear to be
partly from the lack of plaintext SNI, and partly from unrelated TLS
changes in Firefox.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28168#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
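The remark in the comment above that the fingerprint differences come partly from the lack of plaintext SNI is the point of the whole exercise: with ESNI, an on-path censor watching the Client Hello to the Cloudflare edge no longer sees meek.rinsed-tinsel.site in the clear, which is what domain fronting used to hide. The following is an added example written for this page, not code from dcf, meek, Tor Browser or Firefox. It builds two constructed Client Hellos (one with a plaintext server_name extension, one with only the draft encrypted_server_name extension, type 0xffce, which is the codepoint the 2019 ESNI drafts used) and walks the extension list the way a passive observer or a fingerprinting tool would. The hostnames, the placeholder random and cipher suites, and the opaque 16-byte ESNI body are assumptions made for the sample.

```python
import struct

# TLS extension type codes. 0xffce is the encrypted_server_name codepoint
# used by the ESNI drafts that Firefox and Cloudflare implemented in 2019.
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE


def build_client_hello(extensions):
    """Wrap a minimal ClientHello in a TLS record.

    `extensions` is a list of (type, body) pairs. Random, session id and
    cipher suites are placeholders: this is a constructed sample, not a
    real Firefox handshake.
    """
    body = b"\x03\x03"                      # legacy_version = TLS 1.2
    body += bytes(32)                       # random (zeroed placeholder)
    body += b"\x00"                         # legacy_session_id: empty
    suites = b"\x13\x01\x13\x02"            # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # compression_methods: null only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    # msg_type 1 = client_hello, followed by a 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """server_name extension carrying a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry


def parse_client_hello(record):
    """Walk the extension list and report what a passive observer can read.

    Returns {"plaintext_sni": str or None, "esni": bool, "ext_types": [int]}.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    result = {"plaintext_sni": None, "esni": False, "ext_types": []}
    if pos >= len(body):
        return result                                       # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        result["ext_types"].append(etype)
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte length, then (name_type, 2-byte len, name) entries
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    result["plaintext_sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True                           # body is opaque to the observer
    return result


def observer_view(record):
    """One-line summary of the name an on-path censor learns from the hello."""
    info = parse_client_hello(record)
    if info["plaintext_sni"] is not None:
        return "plaintext SNI: " + info["plaintext_sni"]
    if info["esni"]:
        return "no plaintext SNI; encrypted_server_name extension present"
    return "no server_name extension"


# Constructed samples (assumptions, not taken from the attached pcap). The
# ESNI body is an opaque placeholder; only the extension's presence matters.
GROUPS = (EXT_SUPPORTED_GROUPS, b"\x00\x02\x00\x1d")          # x25519 only
PLAIN_HELLO = build_client_hello([sni_extension("meek.rinsed-tinsel.site"), GROUPS])
ESNI_HELLO = build_client_hello([GROUPS, (EXT_ENCRYPTED_SERVER_NAME, bytes(16))])

if __name__ == "__main__":
    for label, hello in (("plain", PLAIN_HELLO), ("esni", ESNI_HELLO)):
        print(label, "->", observer_view(hello))
```

Run it as a script to see the two summaries side by side. The same `parse_client_hello` can be pointed at the raw bytes of any TLS record pulled out of a capture such as the attached meek-esni.pcap; it only looks at the extension type list and the server_name contents, which is exactly the part of the hello that both a censor and a fingerprint database key on.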