[tor-dev] Release: obfs4proxy-0.0.9
Yawning Angel
yawning at schwanenlied.me
Tue Feb 5 15:06:01 UTC 2019
Hello all,
I just tagged obfs4proxy-0.0.9. The main features of this release are
primarily related to improving the behavior of the `meek_lite` transport.
Since some of the changes are major, I will expand on them separately
from the brief summary given in the ChangeLog.
* A forked version[0] of https://github.com/refraction-networking/utls
is now used to mask the TLS signature. This results in a ClientHello
that should resemble modern versions of Firefox by default. While
the utls profile is named `HelloFirefox_63`, a cursory examination
leads me to believe that there are no differences in FF 65.
The bridge line option `utls=<fingerprint>` will allow specifying the
behavior, with (case-insensitive) string representations of the utls
fingerprint names. `none` will revert to the previous behavior.
Not all fingerprints were tested and/or are guaranteed to work.
Development was primarily done with `HelloChrome_70`,
`HelloFirefox_63`, and `HelloChrome_71` (experimental). While I can
not vouch for the mimicry accuracy of every single profile, all of
the profiles that attempt to mimic browsers should function fairly
well[1], though this partially depends on the configuration of
the host doing the fronting.
* meek_lite now has HPKP[2] style public key pins for all of the
Microsoft CA certs that are used to sign Azure leaf certificates.
This is only enabled when `utls` is being used, because I'm lazy. If
Microsoft happens to change their CA certificates prior to the next
release, 2024-05-20, or you are ok with being actively man-in-the-middled
for some reason, adding `disableHPKP=true` to the bridge
line will disable certificate pin validation.
HPKP headers in HTTP responses are ignored, only the static pin list
is consulted.
* Due to a shift in my philosophy, portions of the new code are
released under the GNU General Public License v3. Exceptions to
the viral nature of the license will be considered on a case-by-case
basis. Contact me for more details.
Tarball/Signature:
https://people.torproject.org/~yawning/releases/obfs4proxy/obfs4proxy-0.0.9.tar.xz
https://people.torproject.org/~yawning/releases/obfs4proxy/obfs4proxy-0.0.9.tar.xz.asc
Changes in version 0.0.9 - 2019-02-05:
- Various meek_lite code cleanups and bug fixes.
- Bug 29077: uTLS for ClientHello camouflage (meek_lite).
- More fixes to HTTP Basic auth.
- (meek_lite) Pin the certificate chain public keys for the default
Tor Browser Azure bridge (meek_lite).
Regards,
--
Yawning Angel
[0]: obfs4proxy WILL NOT build with the upstream version of the library,
and the Firefox fingerprint will not function with Azure using the
upstream version.
[1]: For "I can watch Eluveitie music videos on youtube over it"
definitions of "fairly well".
[2]: Yes, the HPKP spec is rather dead in the wild with a lot of people
giving up on it. It is my opinion that in this context having such a
mechanism makes sense.
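The static pin check described above for meek_lite, as an added Go example that is not obfs4proxy's own code: it computes HPKP-style pins (base64 of the SHA-256 over a certificate's SubjectPublicKeyInfo) and accepts an already verified chain only if some certificate in it carries a pinned key, which is the HPKP matching rule. The CA and leaf certificates are throwaway ones constructed inline for the demo; `disableHPKP=true` corresponds to skipping this check entirely.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
)

// spkiPin is an HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainPinned: an already verified chain (leaf first) passes if any certificate in it carries a pinned key.
func chainPinned(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// mkCert issues a throwaway demo certificate; a nil parent means self-signed.
func mkCert(isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := mkCert(true, nil, nil)
	leaf, _ := mkCert(false, ca, caKey)
	rogueCA, rogueKey := mkCert(true, nil, nil)
	rogueLeaf, _ := mkCert(false, rogueCA, rogueKey)
	pins := map[string]bool{spkiPin(ca): true} // constructed static pin list: only our demo CA's key
	fmt.Println(chainPinned([]*x509.Certificate{leaf, ca}, pins), chainPinned([]*x509.Certificate{rogueLeaf, rogueCA}, pins)) // true false
}
```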