censorship circumvention / Tor pluggable transports

Exciting news: meek bridges can work in China with a few tiny modifications!

yawning said in Tor ticket #12716:

obfs4proxy as packaged in Debian supports acting as a meek client and has for quite a while.

The implementation of it can be found here:

intrigeri then tested using meek bridges via obfs4proxy in Tails and it worked! However, intrigeri said:

I have no idea if that’s enough to work in China because obfs4proxy’s minimal meek client does not normalize TLS signatures.

The good news is, I tested using meek bridges via obfs4proxy under different ISPs in China, and the approach worked pretty well in those environments.

Use meek bridges via obfs4proxy in Debian 8:

  1. create a Debian8 VM for testing;
  2. add TPO repository for core Tor;
  3. add TPO repository for obfs4proxy (the version in Debian old stable is too low to support acting as a meek client);
  4. sudo apt-get update && sudo apt-get install tor obfs4proxy
  5. Then, edit /etc/tor/torrc as follows:

(I am posting the real bridge info here because the philosophy of meek is collateral freedom, unlike the philosophy of obfs4, which is security by obscurity):

DisableNetwork 0
UseBridges 1
ClientTransportPlugin obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy
Bridge meek_lite 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com

Notice that it is meek_lite, NOT meek, because this is not a real meek client; this is obfs4proxy acting as a meek client.
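As an added example (not from the original post, and not code from obfs4proxy or Tor), a small Python check that parses a torrc like the one above and flags the mistake just described: a Bridge line saying `meek` while obfs4proxy only registers `meek_lite`, plus a missing url=/front= parameter or a malformed fingerprint. The sample torrc is constructed from the lines above, and the parser assumes every Bridge line names its transport.

```python
import re

# Constructed sample torrc, mirroring the configuration discussed above.
SAMPLE_TORRC = """\
DisableNetwork 0
UseBridges 1
ClientTransportPlugin obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy
Bridge meek_lite 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com
"""

FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_torrc(text):
    """Return (transports, bridges): transport names handled by a ClientTransportPlugin
    line, and (transport, addr, fingerprint, params) for each Bridge line."""
    transports = set()
    bridges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(" ")
        fields = rest.split()
        if key == "ClientTransportPlugin" and len(fields) >= 3 and fields[1] == "exec":
            transports.update(fields[0].split(","))
        elif key == "Bridge" and len(fields) >= 3:
            params = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            bridges.append((fields[0], fields[1], fields[2], params))
    return transports, bridges


def check_meek_lite(text):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    transports, bridges = parse_torrc(text)
    for transport, _addr, fp, params in bridges:
        if transport not in transports:
            hint = ""
            if transport == "meek" and "meek_lite" in transports:
                hint = " (obfs4proxy registers its meek client as 'meek_lite')"
            problems.append(f"Bridge transport {transport!r} has no ClientTransportPlugin line{hint}")
        if not FINGERPRINT_RE.match(fp):
            problems.append(f"fingerprint {fp!r} is not 40 hex characters")
        if transport == "meek_lite":
            if not params.get("url", "").startswith("https://"):
                problems.append("meek_lite bridge needs an https:// url= parameter")
            if "front" not in params:
                problems.append("meek_lite bridge has no front= parameter")
    return problems
```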

The bridge is used in TBB and the info can be found in Bundle-Data/PTConfigs/bridge_prefs.js in the builders/tor-browser-bundle repository (the old 2013-2017 build scripts for the Tor Browser Bundle based on gitian-builder).

  6. start Tor

TODO:

  1. I have not got it to work in Whonix yet. This is very likely because Whonix-Gateway automatically filtered the clearnet traffic, including the traffic to AWS.

I tried to use the clearnet user according to the documentation, but still got the following error:

[warn] 1 connections have failed:
[warn] 1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
  2. I did route my traffic to different ISPs in China when testing because different ISPs have different censorship policies. However, we need more feedback from users in China to know how well this approach works. Maybe ask users for testing?
  3. The version of the obfs4proxy package in Debian old stable is 0.0.3, which does not support acting as a meek client. It is really important to get the newer version into Debian because TPO’s repository is censored, not Debian’s. I will report a bug against it.
  4. Document this when it is mature.
  5. Let anon-connection-wizard support meek when it is mature.