[tor-dev] [PATCH] Add some words about meek in proposal 203

Lunar lunar at torproject.org
Wed Jun 25 10:05:33 UTC 2014


This is mostly David Fifield's words from an email exchange.
---

I re-read proposal 203 the other day and wondered how it was related to
the meek pluggable transport. As I might not be the only one, I thought
it could be worthwhile to share David's answer. Feel free to improve!

 proposals/203-https-frontend.txt |   28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/proposals/203-https-frontend.txt b/proposals/203-https-frontend.txt
index 26101b3..df30cd5 100644
--- a/proposals/203-https-frontend.txt
+++ b/proposals/203-https-frontend.txt
@@ -245,3 +245,31 @@ Side note: What to put on the webserver?
    "Something to add to your HTTPS website" rather than as a standalone
    installation.
 
+Related work:
+
+   meek [1] is a pluggable transport that uses HTTP for carrying bytes
+   and TLS for obfuscation. Traffic is relayed through a third-party
+   server (Google App Engine). It uses a trick to talk to the third
+   party so that it looks like it is talking to an unblocked server.
+
+   meek itself is not really about HTTP at all. It uses HTTP only
+   because it's convenient and the big Internet services we use as cover
+   also use HTTP. meek uses HTTP as a transport, and TLS for
+   obfuscation, but the key idea is really "domain fronting," where it
+   appears to the censor you are talking to one domain (www.google.com),
+   but behind the scenes you are talking to another
+   (meek-reflect.appspot.com). The meek-server program is an ordinary
+   HTTP (not necessarily even HTTPS!) server, whose communication is
+   easily fingerprintable; but that doesn't matter because the censor
+   never sees that part of the communication, only the communication
+   between the client and CDN.
+
+   One way to think about the difference: if a censor (somehow) learns
+   the IP address of a bridge as described in this proposal, it's easy
+   and low-cost for the censor to block that bridge by IP address. meek
+   aims to make it much more expensive: even if you know a domain is
+   being used (in part) for circumvention, in order to block it have to
+   block something important like the Google frontend or CloudFlare
+   (high collateral damage).
+
+1. https://trac.torproject.org/projects/tor/wiki/doc/meek
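Review bot: In the last added paragraph, "in order to block it have to block something important" is missing its subject; it should read "the censor has to block" (or "they have to block"). Separately, the first paragraph says only that meek "uses a trick" and names Google App Engine as the third party, while the later paragraphs refer to "the client and CDN" and to CloudFlare without introducing either. Naming domain fronting in the first paragraph and saying there that the third party is whichever fronting service is used would make the section consistent. The "1." reference line also starts at column 0 while the rest of the added section is indented three spaces; indenting it to match would keep the footnote visually attached to "Related work".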
-- 
1.7.10.4