[tor-talk] FortiGuard firewall blocks meek by TLS signature
Justin
davisjustin002 at gmail.com
Mon Jul 25 18:47:25 UTC 2016
Hi,
That’s not surprising. Wonder if we’ll see other filtering companies start blocking Meek this way.
> On Jul 24, 2016, at 3:04 AM, David Fifield <david at bamsoftware.com> wrote:
>
> Recently, we had reports of Cyberoam firewalls blocking meek by TLS
> signature:
> https://lists.torproject.org/pipermail/tor-talk/2016-May/040923.html
> I got a similar report, this time for a FortiGuard firewall.
>
> The story is basically the same as last time: the firewall looks for TLS
> that has the signature of a specific version of Firefox and is also
> destined to one of the default front domains. This time it is the
> signature of Firefox 45 they're looking for. They also were not blocking
> the domain www.google.com, so meek-google would work if it hadn't been
> shut down recently.
>
> Here are workarounds to try if you find yourself in this situation. See
> also: What to do if meek gets blocked.
> https://lists.torproject.org/pipermail/tor-talk/2015-January/036410.html
>
> First try changing the front domain. This is easy to do; you don't have
> to edit any files.
> https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain
> These alternative bridge lines worked in this case:
> Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
> Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com
>
> The second workaround is to disable the Firefox TLS camouflage and use
> naked Golang TLS. To do that, edit the file
> Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
> ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client
> to
> ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client
> I.e., remove the meek-client-torbrowser wrapper program. The format of
> the line will differ slightly depending on your operating system, but it
> should be pretty easy to figure out.
>
> The third workaround is to set up your own App Engine app. This isn't
> very hard to do. Instructions are here:
> https://lists.torproject.org/pipermail/tor-talk/2016-June/041699.html
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
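
The matching rule described in the quoted message (a specific TLS client signature combined with a default front domain in the SNI), sketched as an added example that is not part of the original thread or of any firewall's or meek's code. Assumptions: the signature is reduced to a hash of the cipher-suite list (the thread does not say which ClientHello fields the firewall inspects), the suite lists are constructed rather than the real Firefox 45 or Go lists, and `default-front.example` is a placeholder front domain.

```python
import hashlib
import struct

def build_client_hello(sni, suites):
    """Build a minimal TLS ClientHello record (constructed test input)."""
    name = sni.encode("ascii")
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    cs = struct.pack("!%dH" % len(suites), *suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (sni, cipher_suites) from a ClientHello held in one TLS record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello")
    p = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                  # skip session id
    (n,) = struct.unpack_from("!H", record, p)
    suites = list(struct.unpack_from("!%dH" % (n // 2), record, p + 2))
    p += 2 + n
    p += 1 + record[p]                  # skip compression methods
    (ext_len,) = struct.unpack_from("!H", record, p)
    p += 2
    end, sni = p + ext_len, None
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        if etype == 0:                  # server_name: list len(2), type(1), name len(2)
            (nlen,) = struct.unpack_from("!H", record, p + 7)
            sni = record[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return sni, suites

def fingerprint(suites):
    """Simplified signature: hash of the offered cipher-suite list, in order."""
    return hashlib.sha256(",".join(map(str, suites)).encode()).hexdigest()[:16]

def would_block(record, blocked_fp, blocked_fronts):
    """The rule described above: signature AND front domain must both match."""
    sni, suites = parse_client_hello(record)
    return fingerprint(suites) == blocked_fp and sni in blocked_fronts

# Constructed values: not the real Firefox 45 or Go suite lists; placeholder front.
BROWSER_SUITES = [0xC02B, 0xC02F, 0xC00A, 0xC009, 0xC013, 0xC014, 0x0033, 0x002F]
GO_SUITES = [0xC02F, 0xC02B, 0xC011, 0xC007, 0xC013, 0xC009, 0x0005, 0x002F]
BLOCKED_FP = fingerprint(BROWSER_SUITES)
BLOCKED_FRONTS = {"default-front.example"}
```

Because the rule is a conjunction, a ClientHello that differs in either the front domain or the client signature no longer matches, which is why the first two workarounds in the quoted message each help on their own.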