New Pluggable Transport meek_lite Coming to Whonix 14
Hello Whonix people!
We are thrilled to announce that a new pluggable transport called meek_lite is coming to Whonix 14. In this blog post, we introduce what meek_lite is and how you can use it in the upcoming Whonix 14.
What are Pluggable Transports?
In many areas around the world, direct connections to the Tor network are censored. This is possible and, technically, easy to implement, because the addresses of all Tor relays and directory authorities are publicly available to everyone. A censor can simply maintain a real-time blacklist of the IP addresses of all Tor guard relays and directory authorities and block every direct connection to the Tor network.
To solve this problem, the Tor project came up with the idea of providing users with unlisted Tor guard relays, called vanilla bridges, via relatively private channels such as email and an HTTPS web page. Unfortunately, this is not a very effective way to bypass censorship: although the actual content of the traffic is strongly encrypted by the Tor client, it is fairly easy for a censor to identify the traffic as Tor traffic and then block it.
To overcome this weakness, Pluggable Transports (PTs) are used to make the Tor traffic between the Tor client and the Tor guard relay look innocent in a censor's eyes.
Why is meek_lite important?
Before Whonix 14, only two types of Pluggable Transport were supported by Whonix: obfs3 and obfs4. Integrating meek_lite into Whonix will be a great improvement in usability and user experience for Whonix users who live in heavily censored areas. This is because:
- In some heavily censored areas, China for example, meek_lite is the only Tor Pluggable Transport that is effective.
- An upcoming feature that allows users to get Tor bridges from Tor Launcher/anon-connection-wizard relies on it.
What is unique about meek_lite?
The idea behind traditional bridges, like vanilla and obfs4 bridges, is security by obscurity. That is to say, an adversary can still obtain the bridge information via BridgeDB, just like a normal user in a censored area does. Although BridgeDB has adopted many different ways of rejecting such attempts, for example by requiring that bridges be requested from an email address at certain email providers, or by using algorithms that prevent anyone from obtaining a large number of different unlisted bridges in a short amount of time, most of those bridges are still blocked in some countries.
What is more, David Fifield said on the tor-dev mailing list:
We know that at least China and Kazakhstan pay attention to the default Tor Browser bridges (and China blocks them as soon as they enter the source code, even before a release).
Unlike traditional bridges, meek_lite is built on the concept of Collateral Freedom. According to the Tor Wiki, "[t]raffic is relayed through a third-party server that is hard to block, for example a CDN. It uses a trick called domain fronting to talk to a Tor relay while appearing to talk to another domain".
This approach makes meek_lite perform better at censorship circumvention in heavily censored areas. For example, during the 19th National Congress of the Communist Party of China this October, meek was one of a limited number of censorship circumvention tools that were still effective in China after the upgrade of Internet censorship.
What are the differences between meek_lite and meek?
Tor Browser Bundle users may be familiar with the Pluggable Transport meek. meek_lite is a different implementation of meek. The differences are described by its author, Yawning from the Tor project, as follows:
This is a meek client only implementation, with the following differences with dcf's meek-client:
- It is named meek_lite to differentiate it from the real thing.
- It does not support using an external helper to normalize TLS signatures, so adversaries can look for someone using the Go TLS library to do HTTP.
- It does the right thing with TOR_PT_PROXY, even when a helper is not present.
Most of the credit goes to dcf, whose code I liberally cribbed and stole. It is intended primarily as a "better than nothing" option for environments that do not or can not presently use an external Firefox helper.
To clarify, although meek_lite does not normalize TLS signatures, it is still effective enough to help users bypass censorship in most cases. The best proof is that Orbot has been using meek_lite for a while.
How to use meek_lite in Whonix?
There will be two ways to let Tor use meek_lite once Whonix 14 is released. Both have been documented in the Whonix Wiki.
Option 1: edit the /etc/tor/torrc file manually
Add the following lines to the /etc/tor/torrc file:
DisableNetwork 0
UseBridges 1
ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy
Bridge meek_lite 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com
Then reload Tor.
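As an added example (not code from the Whonix project or from obfs4proxy), the following Python script parses the Option 1 torrc lines above, checks that UseBridges, ClientTransportPlugin and Bridge are consistent with each other, and shows the domain-fronting split for the meek_lite bridge: the TLS SNI carries the front= domain while the HTTP Host header carries the real url= host. The sample torrc is embedded as a constructed string; the function names are my own.

```python
import re

# Constructed sample torrc: the four Option 1 lines from this post.
SAMPLE_TORRC = """
DisableNetwork 0
UseBridges 1
ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy
Bridge meek_lite 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com
"""
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # Tor relay identity fingerprint

def parse_bridge_line(line):
    """Split 'Bridge <transport> <addr:port> <fingerprint> k=v ...' into a dict."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "Bridge":
        raise ValueError("not a Bridge line: %r" % line)
    transport, addr, fingerprint = parts[1], parts[2], parts[3]
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("bad fingerprint: %r" % fingerprint)
    # For meek the addr:port (0.0.2.0:2) is a dummy; the real target is url=.
    params = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return {"transport": transport, "addr": addr,
            "fingerprint": fingerprint.upper(), "params": params}

def fronting_view(bridge):
    """Domain fronting: the TLS SNI shows the front, the HTTP Host header the real host."""
    url = bridge["params"]["url"]
    real_host = url.split("://", 1)[1].split("/", 1)[0]
    return {"sni": bridge["params"].get("front", real_host), "host_header": real_host}

def check_torrc(text):
    """Return a list of inconsistencies in the bridge configuration (empty = OK)."""
    problems, transports, bridges, use_bridges = [], set(), [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "UseBridges":
            use_bridges = fields[1] == "1"
        elif fields[0] == "ClientTransportPlugin":
            transports.update(fields[1].split(","))  # may list several transports
        elif fields[0] == "Bridge":
            bridges.append(parse_bridge_line(" ".join(fields)))
    if use_bridges and not bridges:
        problems.append("UseBridges 1 but no Bridge line")
    for b in bridges:
        if b["transport"] not in transports:
            problems.append("no ClientTransportPlugin for %s" % b["transport"])
        if b["transport"].startswith("meek") and "url" not in b["params"]:
            problems.append("meek bridge without url= parameter")
    return problems
```

Run check_torrc on your own /etc/tor/torrc contents before reloading Tor; an empty list means the three directives agree.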
Option 2: use Anon-Connection-Wizard
Open Anon-Connection-Wizard and select meek-amazon or meek-azure as the bridge type on the Tor Bridges Configuration page.
Should I use meek_lite as my Pluggable Transport?
When choosing a Pluggable Transport, here is a practical rule of thumb we recommend following:
- If you are not living in a censored area, it is neither necessary nor recommended to use any Pluggable Transport.
- If you are living in a censored area where obfs4 works, go for obfs4.
- If you are living in a censored area where obfs4 does not work, try meek/meek_lite.
Development Story
It would have been impossible to get meek_lite into Whonix 14 without cooperation between developers from many different communities, including the Tor project, Debian, Tails and Whonix. I intentionally tried to keep a relatively complete record of how the work was done in this Whonix forum post.
If you are interested in contributing in such an efficient, supportive and encouraging environment, please consider joining us!