[tor-dev] [PATCH] Add some words about meek in proposal 203
Lunar
lunar at torproject.org
Wed Jun 25 10:05:33 UTC 2014
This is mostly David Fifield's words from an email exchange.
---
I re-read proposal 203 the other day and wondered how it was related to
the meek pluggable transport. As I might not be the only one, I thought
it could be worthwhile to share David's answer. Feel free to improve!
proposals/203-https-frontend.txt | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/proposals/203-https-frontend.txt b/proposals/203-https-frontend.txt
index 26101b3..df30cd5 100644
--- a/proposals/203-https-frontend.txt
+++ b/proposals/203-https-frontend.txt
@@ -245,3 +245,31 @@ Side note: What to put on the webserver?
"Something to add to your HTTPS website" rather than as a standalone
installation.
+Related work:
+
+ meek [1] is a pluggable transport that uses HTTP for carrying bytes
+ and TLS for obfuscation. Traffic is relayed through a third-party
+ server (Google App Engine). It uses a trick to talk to the third
+ party so that it looks like it is talking to an unblocked server.
+
+ meek itself is not really about HTTP at all. It uses HTTP only
+ because it's convenient and the big Internet services we use as cover
+ also use HTTP. meek uses HTTP as a transport, and TLS for
+ obfuscation, but the key idea is really "domain fronting," where it
+ appears to the censor you are talking to one domain (www.google.com),
+ but behind the scenes you are talking to another
+ (meek-reflect.appspot.com). The meek-server program is an ordinary
+ HTTP (not necessarily even HTTPS!) server, whose communication is
+ easily fingerprintable; but that doesn't matter because the censor
+ never sees that part of the communication, only the communication
+ between the client and CDN.
+
+ One way to think about the difference: if a censor (somehow) learns
+ the IP address of a bridge as described in this proposal, it's easy
+ and low-cost for the censor to block that bridge by IP address. meek
+ aims to make it much more expensive: even if you know a domain is
+ being used (in part) for circumvention, in order to block it have to
+ block something important like the Google frontend or CloudFlare
+ (high collateral damage).
+
+1. https://trac.torproject.org/projects/tor/wiki/doc/meek
--
1.7.10.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140625/75d5691c/attachment.sig>
More information about the tor-dev
mailing list