Nathan of Guardian:
On Mon, Sep 24, 2018 at 08:23:58PM -0600, David Fifield wrote:
What we would need in order for meek to use encrypted SNI would be either:
- support for encrypted SNI in Go's crypto/tls package; or
- support for encrypted SNI in the Firefox that ships with Tor Browser, which meek-client could use through its TLS camouflage helper support.
IMO (2) is less desirable because I'd like to get rid of the TLS camouflage helper support and replace it with a Go-level TLS camouflage library: https://github.com/refraction-networking/utls. The TLS helper works, but its complexity is a pain to deal with and leads to problems like https://bugs.torproject.org/12774 https://bugs.torproject.org/25405.
I wrote an untested overview of how to adapt meek to use ESNI, using an external copy of Firefox Nightly rather than Tor Browser's built-in copy of Firefox. Testing this out to see if it works would be a good task for someone who wants to get involved with pluggable transports.
Use ESNI via Firefox HTTPS helper https://bugs.torproject.org/28168
- Download Tor Browser and Firefox Nightly.
- Go to about:config in Firefox Nightly and set:
    network.trr.mode=3
    network.trr.uri=https://1.1.1.1/dns-query
    network.security.esni.enabled=true
- Copy the meek-http-helper@bamsoftware.com.xpi from Tor Browser to Firefox Nightly.
- Hack meek-client-torbrowser/{mac,linux,windows}.go to point firefoxPath at the copy of Firefox Nightly and disable the custom profile. (Additional hacks to remove hardcoded Tor Browser assumptions may be required.)
- Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/, call it https://meek.example.com/.
- Set up a custom bridge in Tor Browser, using url= without front= (because we're no longer domain fronting):
    bridge meek 0.0.2.0:3 url=https://meek.example.com/
The only slightly weird part I foresee is hacking meek-client-torbrowser; it has some internal hardcoded paths and profiles that are specific to the Tor Browser directory layout, and you'll have to point those to an external Firefox Nightly. Of course, once ESNI support makes its way into Tor Browser itself, there won't be a need for another external copy of Firefox.
Two things to follow up on this thread:
1) I believe ESNI support is now in the Firefox betas, so that approach is looking like an option.
2) Guardian Project got a grant to work on a full stack prototype of using Pluggable Transports. We're going to try to do it with ESNI using Stephen Farrell's patches to openssl.
My last thought on this topic for today: we should be careful about making it too easy to use ESNI for circumvention before it's gained any server side implementers. If it gets branded an activist tool, I could see many orgs failing to adopt ESNI. I think Cloudflare is the only active provider offering it.
.hc
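As an added example (not code from this thread, from meek or from Tor Browser), a small Go program shows the exposure ESNI is meant to close: it builds a ClientHello with and without a plaintext server_name extension and then reads the name back the way any on-path observer can. The ClientHello bytes are constructed in the code rather than captured, and the empty-name case simply omits the extension, standing in for a hello that does not carry the name in the clear.

```go
package main

import "fmt"

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello returns a minimal ClientHello record (constructed input, not a capture); an empty sni omits the plaintext server_name extension.
func buildClientHello(sni string) []byte {
	var ext []byte
	if sni != "" {
		list := append(append([]byte{0x00}, be16(len(sni))...), sni...)          // name_type, len, host_name
		ext = append(append(be16(0), be16(len(list)+2)...), be16(len(list))...) // type 0, ext len, list len
		ext = append(ext, list...)
	}
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)       // legacy_version, zeroed random
	body = append(body, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00) // empty session_id, one suite, null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append(append([]byte{0x01, 0x00}, be16(len(body))...), body...)   // handshake type 1, 3-byte length
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...) // record header
}

// sniFromClientHello does what an on-path observer can do with a plaintext ClientHello: skip the fixed and variable-length fields, then scan extensions for server_name (type 0).
func sniFromClientHello(rec []byte) (name string, ok bool) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { return "", false }
	p := rec[9:]
	rd16 := func(i int) int { return int(p[i])<<8 | int(p[i+1]) }
	pos := 34 // past legacy_version (2) and random (32)
	for _, w := range []int{1, 2, 1} { // skip session_id, cipher_suites, compression_methods
		if pos+w > len(p) { return "", false }
		n := int(p[pos])
		if w == 2 { n = rd16(pos) }
		pos += w + n
	}
	if pos+2 > len(p) || pos+2+rd16(pos) > len(p) { return "", false }
	pos, end := pos+2, pos+2+rd16(pos)
	for pos+4 <= end {
		typ, n := rd16(pos), rd16(pos+2)
		if pos += 4; pos+n > end { return "", false }
		if typ == 0 && n >= 5 && 5+rd16(pos+3) <= n { // list_len(2) name_type(1) name_len(2) name
			return string(p[pos+5 : pos+5+rd16(pos+3)]), true
		}
		pos += n
	}
	return "", false
}

func main() { // what an observer sees with and without a plaintext server_name
	fmt.Println(sniFromClientHello(buildClientHello("meek.example.com")))
	fmt.Println(sniFromClientHello(buildClientHello("")))
}
```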