[tor-dev] Release: obfs4proxy-0.0.9

Yawning Angel yawning at schwanenlied.me
Tue Feb 5 15:06:01 UTC 2019


Hello all,

I just tagged obfs4proxy-0.0.9.  The main features of this release are
primarily related to improving the behavior of the `meek_lite` transport.

Since some of the changes are major, I will expand on them separately
from the brief summary given in the ChangeLog.

 * A forked version[0] of https://github.com/refraction-networking/utls
   is now used to mask the TLS signature.  This results in a ClientHello
   that should resemble modern versions of Firefox by default.  While
   the utls profile is named `HelloFirefox_63`, a cursory examination
   leads me to believe that there are no differences in FF 65.

   The bridge line option `utls=<fingerprint>` will allow specifying the
   behavior, with (case-insensitive) string representations of the utls
   fingerprint names.  `none` will revert to the previous behavior.

   Not all fingerprints were tested and/or are guaranteed to work.
   Development was primarily done with `HelloChrome_70`,
   `HelloFirefox_63`, and `HelloChrome_71` (experimental).  While I can
   not vouch for the mimicry accuracy of every single profile, all of
   the profiles that attempt to mimic browsers should function fairly
   well[1], though this partially depends on the configuration of
   the host doing the fronting.

 * meek_lite now has HPKP[2] style public key pins for all of the
   Microsoft CA certs that are used to sign Azure leaf certificates.
   This is only enabled when `utls` is being used, because I'm lazy.  If
   Microsoft happens to change their CA certificates prior to the next
   release, 2024-05-20, or you are ok with being actively man-in-the-
   middled for some reason, adding `disableHPKP=true` to the bridge
   line will disable certificate pin validation.

   HPKP headers in HTTP responses are ignored, only the static pin list
   is consulted.

 * Due to a shift in my philosophy, portions of the new code are
   released under the GNU General Public License v3.  Exceptions to
   the viral nature of the license will be considered on a case-by-case
   basis.  Contact me for more details.

Tarball/Signature:
https://people.torproject.org/~yawning/releases/obfs4proxy/obfs4proxy-0.0.9.tar.xz
https://people.torproject.org/~yawning/releases/obfs4proxy/obfs4proxy-0.0.9.tar.xz.asc

Changes in version 0.0.9 - 2019-02-05:
 - Various meek_lite code cleanups and bug fixes.
 - Bug 29077: uTLS for ClientHello camouflage (meek_lite).
 - More fixes to HTTP Basic auth.
 - (meek_lite) Pin the certificate chain public keys for the default
   Tor Browser Azure bridge (meek_lite).

Regards,

-- 
Yawning Angel

[0]: obfs4proxy WILL NOT build with the upstream version of the library,
and the Firefox fingerprint will not function with Azure using the
upstream version.

[1]: For "I can watch Eluveitie music videos on youtube over it"
definitions of "fairly well".

[2]: Yes, the HPKP spec is rather dead in the wild with a lot of people
giving up on it.  It is my opinion that in this context having such a
mechanism makes sense.
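
The HPKP-style check described in the message (a static list of public key pins, with an option to turn validation off), as an added Go sketch that is not obfs4proxy's code. `spkiPin`, `checkPins`, `constructedCert` and the `disabled` flag are hypothetical names, and the certificates are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins (hypothetical name) accepts a chain if any key in it is pinned.
// Pass a chain from verifiedChains, not the peer's raw certificate list: a
// peer can append any public CA certificate to what it presents.
func checkPins(pins map[string]bool, disabled bool, chain []*x509.Certificate) error {
	if disabled { // models the `disableHPKP=true` bridge line option
		return nil
	}
	for _, cert := range chain {
		if pins[spkiPin(cert)] {
			return nil
		}
	}
	return fmt.Errorf("no key in the verified chain matches the static pin list")
}

// constructedCert builds a throwaway self-signed certificate (sample input).
func constructedCert() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	ca, other := constructedCert(), constructedCert()
	pins := map[string]bool{spkiPin(ca): true}
	chain := []*x509.Certificate{other, ca}
	fmt.Println(checkPins(pins, false, chain), checkPins(pins, false, chain[:1]))
}
```

Because the pin is computed over the SubjectPublicKeyInfo rather than the whole certificate, a CA certificate reissued with the same key still matches, while a new CA key does not.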
