[tor-talk] What to do if meek gets blocked
David Fifield
david at bamsoftware.com
Tue Jan 6 21:56:06 UTC 2015
The meek pluggable transport has had good success so far.
https://trac.torproject.org/projects/tor/wiki/doc/meek
It works differently than other transports, so it's been able to reach a
new group of users. It now has something like 1000 simultaneous users,
which is only about 1/10 of obfs3, but presumably they are users for
whom obfs3 and other transports don't work.
Increasing use is going to mean increasing pressure on censors to find a
way to block it. meek is not unblockable--that's the wrong way to think
about the problem--but it is designed to be difficult and expensive to
block, by hiding behind an important domain name (the "front domain")
and looking like browser HTTPS. Ideally (ignoring many details), the
censor can't distinguish between someone using meek and someone surfing
https://www.google.com/ (or another important domain). The censor must
either allow some circumvention traffic, or block a domain that has many
beneficial uses. But suppose a censor makes that call, and blocks
Google/Amazon/whatever. What then?
The first thing you should try is a different backend. If you use
meek-google, try meek-amazon or meek-azure. Maybe your censor has
blocked one but not all of them. This is already the case for users in
China, where meek-google is blocked because Google is blocked, but the
others are not.
You can also try using a different DNS server. The most common way to
block a domain name is by DNS poisoning; i.e., the IP address behind the
name is accessible, but the local DNS server gives you a false address.
Try a public DNS server such as 8.8.8.8. But if that works, be aware
that it's probably only a temporary fix, as censors have historically
figured out the alternate-DNS trick pretty fast.
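A concrete way to check for the DNS poisoning described above is to ask the local resolver and a public resolver for the same name and see whether their answers have anything in common. The script below is an added example (not part of this email or of the meek project): it builds a raw DNS A query, parses the reply by hand so it can talk to 8.8.8.8 directly without extra libraries, and compares the result with whatever the system resolver returns. SAMPLE_RESPONSE is a constructed packet with made-up addresses, included only so the parser can be exercised offline.

```python
import random
import socket
import struct

PUBLIC_RESOLVER = "8.8.8.8"   # public resolver mentioned in the email


def build_query(name, txid=None):
    """Build a minimal DNS A query (recursion desired) for name."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [label.encode("ascii") for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(msg):
    """Return (transaction id, list of IPv4 answers) from a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                               # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return txid, addrs


def resolve(name, server, timeout=3.0):
    """Send one UDP query straight to server and return its A records."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    rtxid, addrs = parse_a_records(response)
    if rtxid != txid:
        raise ValueError("DNS transaction id mismatch")
    return addrs


def local_answers(name):
    """What the system resolver (typically the censor's local DNS server) says."""
    return socket.gethostbyname_ex(name)[2]


def answers_disagree(local_addrs, public_addrs):
    """True when the two resolvers share no address at all.

    CDNs legitimately hand out different addresses per region, so overlap,
    not equality, is the test; an empty answer is inconclusive, not poison.
    """
    return bool(local_addrs) and bool(public_addrs) and not (set(local_addrs) & set(public_addrs))


# Constructed sample response (made-up addresses) used to exercise the parser offline.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"                    # id 0x1234, 1 question, 2 answers
    b"\x03www\x06google\x03com\x00\x00\x01\x00\x01"                          # www.google.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x8e\xfa\x48\x44"      # A, TTL 300, 142.250.72.68
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x8e\xfa\x48\x64"      # A, TTL 300, 142.250.72.100
)

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    local, public = local_answers(name), resolve(name, PUBLIC_RESOLVER)
    print("local resolver :", local)
    print(PUBLIC_RESOLVER, "      :", public)
    print("disagree       :", answers_disagree(local, public))
```

Two caveats match the email's own warning: a censor can intercept port 53 as easily as it runs a poisoned resolver, so two matching wrong answers prove nothing, and the script reports only that the answers differ, not which one is genuine.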
What you really want to do, if the easy things don't work, is choose a
different front domain. The "domain fronting" trick is meek's core idea.
It lets you talk to one domain while appearing to talk to another. Tor
Browser comes with some built-in front domains, but you can also
configure your own. The current list of front domains is at
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/PTConfigs/bridge_prefs.js:
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com
meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=a0.awsstatic.com
meek 0.0.2.0:3 url=https://az668014.vo.msecnd.net/ front=ajax.aspnetcdn.com
You can also find it in Browser/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js
inside the Tor Browser distribution. These are the default bridge lines
you get when you select meek-google, meek-amazon, or meek-azure from the
bridge configuration screen. But you can also enter them manually (under
"Enter custom bridges"), and then you can change the front domain. I
attached a screenshot that shows how.
Let's take a closer look at what this means:
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com
The first part "meek" is the transport name; don't forget that. The
address "0.0.2.0:1" is ignored. You can set it to anything (just don't
use 0.0.0.X or port 0 because those are used internally by tor). The
next part, "url=https://meek-reflect.appspot.com/", says where your
traffic is *really* going--to a Tor bridge. You can't change the "url="
part unless you set up your own CDN account. The last part,
"front=www.google.com", is the domain that you hide behind--where the
censor sees you going. The "front=" part is what you can change.
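The bridge-line anatomy above, and the domain-fronting idea behind it, can be made explicit in code. The script below is an added example, not code from this email or from the meek project: it parses a meek bridge line, swaps only the "front=" part, enforces the placeholder-address rules stated above (no 0.0.0.X, no port 0), and reports which name the censor sees (DNS lookup and TLS SNI) versus which name goes in the inner HTTP Host header. The bridge lines it is tested against are the ones quoted in this email; the function names are my own.

```python
from urllib.parse import urlparse


class BridgeLineError(ValueError):
    """Raised for a bridge line that tor or meek-client would not accept."""


def check_placeholder_addr(addr):
    """meek ignores the address, but tor reserves 0.0.0.X and port 0 internally."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        raise BridgeLineError("address must look like host:port, got %r" % addr)
    if int(port) == 0:
        raise BridgeLineError("port 0 is reserved by tor")
    if host.startswith("0.0.0."):
        raise BridgeLineError("0.0.0.X addresses are reserved by tor")


def parse_bridge_line(line):
    """Split 'meek <addr:port> url=... [front=...]' into (transport, addr, args)."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "meek":
        raise BridgeLineError("expected: meek <addr:port> url=... [front=...]")
    transport, addr = parts[0], parts[1]
    args = {}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if not sep or not key:
            raise BridgeLineError("malformed argument %r" % kv)
        args[key] = value
    if "url" not in args:
        raise BridgeLineError("url= is required; it names the meek reflector")
    if urlparse(args["url"]).scheme != "https":
        raise BridgeLineError("url= should use https, never plain http")
    check_placeholder_addr(addr)
    return transport, addr, args


def is_valid_bridge_line(line):
    """Boolean wrapper around parse_bridge_line for quick checks."""
    try:
        parse_bridge_line(line)
        return True
    except BridgeLineError:
        return False


def with_front(line, front):
    """Return the same bridge line with front= replaced (url= is never touched).

    Passing front=None drops the front entirely, as for a self-hosted reflector.
    """
    transport, addr, args = parse_bridge_line(line)
    args = dict(args)
    if front is None:
        args.pop("front", None)
    else:
        args["front"] = front
    return " ".join([transport, addr] + ["%s=%s" % (k, v) for k, v in args.items()])


def connection_plan(line):
    """Describe what the network sees versus where the request really goes."""
    _, _, args = parse_bridge_line(line)
    url = urlparse(args["url"])
    front = args.get("front", url.hostname)
    return {
        "dns_and_sni": front,           # name resolved and sent in the TLS ClientHello
        "host_header": url.hostname,    # inner Host header, visible only after TLS ends at the CDN
        "path": url.path or "/",
        "fronted": front != url.hostname,
    }


if __name__ == "__main__":
    line = "meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com"
    print(with_front(line, "www.google.com.mx"))
    print(connection_plan(line))
```

The "fronted" flag is the whole trick in one line: when it is true, a passive observer sees only the front domain, and the real destination travels inside the encrypted request.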
Let's say www.google.com is blocked. In its place, you can use virtually
any domain that's operated by Google. For example,
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.gmail.com
Or you can try a country-specific domain:
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com.mx
In fact there are tons of domains operated by Google. Even
long-forgotten ones like www.orkut.com work. Suppose you're behind a
firewall that blocks the Google search page but allows a small number of
whitelisted sites. If any of those sites use Google Analytics or
DoubleClick ads, you're good.
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=ssl.google-analytics.com
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.doubleclick.net
With meek-amazon, you can use front domains that are on Amazon
CloudFront. The default a0.awsstatic.com is one of them, but you can
find others with some research. Here's a short list of some
*.cloudfront.net domains: http://www.alexa.com/siteinfo/cloudfront.net
("Where do visitors go on cloudfront.net?"). You can use any of them
(remember to change the "front=" part, not the "url=" part):
meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d1xjir8ff9s1sc.cloudfront.net
A lot of sites use their own domain name (CNAME) that aliases a
cloudfront.net domain. If you can find one of them, it will work too.
The situation with meek-azure is similar. The default front domain,
ajax.aspnetcdn.com, is used by many web sites to host JavaScript files,
so we think it will be hard to block. You can also use subdomains of
vo.msecnd.net, which belong to the Azure CDN. You can find some with a
web search. This one seems to be related to Microsoft Office:
meek 0.0.2.0:3 url=https://az668014.vo.msecnd.net/ front=officeimg.vo.msecnd.net
It's important to understand that even if you change the front domain,
you're not sticking some random person with a bandwidth bill. It's the
owner of the "url=" that gets charged, not the owner of the "front=",
and the "url=" has to be specially set up to accept meek connections.
The "url="s in this email are set up for public use (i.e., they are
what's getting paid for in the "Summary of meek's costs" emails I send
to tor-dev).
Be aware that you may increase your exposure if you choose an unpopular
front domain. If you're the only one using it, a censor may easily see
that and block you.
Finally, you can always set up your own web app, and point it at a Tor
relay running meek-server. As long as it's only used by few people, it's
unlikely to be blocked. This is basically the same as setting up your
own proxy server, except it's easier because you just need a web hosting
account somewhere, and you get HTTPS camouflage for free. We have such
"reflector" web apps for App Engine, Nginx, PHP, and Python WSGI:
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/appengine
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/nginx
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/wsgi
Let's say you are using the PHP one. Just upload the index.php file to a
web hosting service that supports HTTPS. Let's say its URL is
https://mysite.example.com/index.php. Then you would enter this into Tor
Browser:
meek 0.0.2.0:4 url=https://mysite.example.com/index.php
In this case you don't use a front because you're relying on the domain
itself being hard to block, either because it's too obscure or because
it hosts other useful data. You should still definitely use HTTPS, not
plain HTTP.
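To show what the "specially set up" side of a url= looks like, here is an added example of a minimal reflector in Python WSGI. It is my own simplified illustration, not the meek project's wsgi reflector linked above: each incoming request body is forwarded to a meek-server and the reply is handed back, the meek session header (X-Session-Id, as used by meek's client/server protocol) is passed through, and oversized bodies or unreachable upstreams are rejected instead of buffered or hung on. The upstream address meek-server.example.invalid is a placeholder, and the forwarding function is injectable so the app can be tested offline with a fake upstream.

```python
import io
import urllib.error
import urllib.request
from http import HTTPStatus
from wsgiref.simple_server import make_server

UPSTREAM = "https://meek-server.example.invalid/"   # placeholder: your meek-server address
MAX_BODY = 1 << 20                                   # refuse bodies over 1 MiB rather than buffer them


class UrllibUpstream:
    """Forward one request to the real meek-server; returns (status, body)."""

    def __init__(self, base_url):
        self.base_url = base_url

    def __call__(self, method, headers, body):
        req = urllib.request.Request(self.base_url, data=body if method == "POST" else None,
                                     method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=20) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:       # non-2xx replies are still relayed as-is
            return err.code, err.read()


def _reason(status):
    try:
        return HTTPStatus(status).phrase
    except ValueError:
        return "Unknown"


def make_reflector(upstream):
    """Build a WSGI app that relays GET/POST requests through upstream(method, headers, body)."""

    def app(environ, start_response):
        def plain(status, text):
            start_response(status, [("Content-Type", "text/plain"),
                                    ("Content-Length", str(len(text)))])
            return [text]

        method = environ["REQUEST_METHOD"]
        if method not in ("GET", "POST"):
            return plain("405 Method Not Allowed", b"method not allowed\n")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            return plain("413 Payload Too Large", b"body too large\n")
        body = environ["wsgi.input"].read(length) if length else b""

        headers = {"Content-Type": "application/octet-stream"}
        session_id = environ.get("HTTP_X_SESSION_ID")  # meek's per-client session header
        if session_id:
            headers["X-Session-Id"] = session_id
        try:
            status, reply = upstream(method, headers, body)
        except Exception:                               # upstream down: fail closed, leak nothing
            return plain("502 Bad Gateway", b"upstream unavailable\n")
        start_response("%d %s" % (status, _reason(status)),
                       [("Content-Type", "application/octet-stream"),
                        ("Content-Length", str(len(reply)))])
        return [reply]

    return app


def call_app(app, method, body=b"", session_id=None):
    """Drive a WSGI app in-process; returns (status line, header list, body bytes)."""
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    if session_id:
        environ["HTTP_X_SESSION_ID"] = session_id
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    # Serve locally for testing; in production the hosting provider terminates HTTPS in front of this.
    make_server("127.0.0.1", 8080, make_reflector(UrllibUpstream(UPSTREAM))).serve_forever()
```

Nothing in the reflector inspects or stores the relayed bytes; the host is paying for bandwidth, as the email notes, and the only client-identifying value it handles is the session id it forwards.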
David Fifield