On Wed, Oct 03, 2018 at 07:01:21PM -0600, David Fifield wrote:
> And for that matter, why not a plain old HTTP CONNECT proxy? That would be even more efficient.
I should add that--leaving out domain fronting/encrypted SNI--there's an implementation of exactly this, a pluggable transport built on an HTTP proxy, by Sergey Frolov et al. He has been trying to get some attention or buy-in to get it integrated into Tor Browser, but hasn't had much luck so far. In my opinion, it will make a great alternative to obfs4 and be effective in many situations.
There's a bit more to it than I've described above. It can work with any HTTP proxy (with HTTPS encryption to hide the destination from the censor, of course)--but they've also implemented a proxy plugin for the Caddy web server, which supports authentication. The authentication is to resist active probing like the GFW does: a genuine client who got the password through BridgeDB will be able to use the proxy, while a censor probing the IP address will just get the web server's normal pages. Check the links for more info.
https://bugs.torproject.org/26923
https://github.com/sergeyfrolov/httpsproxy
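
The probing-resistance behaviour described in the message, as an added sketch (not part of the original message, and not the code of the Caddy plugin or httpsproxy): a CONNECT request is tunnelled only when it carries the right credential, and every other request gets exactly what the web server would send with no proxy present. The Basic `Proxy-Authorization` scheme, the credential, the `plain_site` stand-in and the host names are assumptions made for the illustration.

```python
import base64
import hmac

# Constructed credential, standing in for one handed out through BridgeDB.
EXPECTED = base64.b64encode(b"bridgeuser:constructed-secret")


def reply(status: str, body: bytes = b"") -> bytes:
    head = f"HTTP/1.1 {status}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body


def plain_site(method: str, target: str) -> bytes:
    """Stand-in for the web server's normal behaviour with no proxy loaded."""
    if method == "GET":
        return reply("200 OK", b"<h1>It works</h1>") if target == "/" else reply("404 Not Found")
    return reply("405 Method Not Allowed" if method else "400 Bad Request")


def parse_request(raw: bytes):
    """Split a raw request head into (method, target, lower-cased headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authorized(headers: dict) -> bool:
    """Constant-time comparison of the Basic credential."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    return hmac.compare_digest(token.strip().encode("latin-1"), EXPECTED)


def handle(raw: bytes):
    """Return ("tunnel", target) for a genuine client, else ("site", response)."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return "site", plain_site("", "")
    if method == "CONNECT" and authorized(headers):
        return "tunnel", target
    # No 407 and no Proxy-Authenticate challenge: a failed or missing
    # credential gets byte-for-byte what the plain site would have sent.
    return "site", plain_site(method, target)
```

A stock HTTP proxy would answer the unauthenticated CONNECT with 407 Proxy Authentication Required, which is the signal a prober looks for; here a wrong password and no password are indistinguishable from a server that has no proxy at all.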