On Mon, Oct 26, 2015 at 03:44:59PM +0800, Da Feng wrote:
Hi: I've discovered that the GFW normally doesn't block https protocols. We can use a https front tier to distribute connections to actual bridges.
This is a good idea. HTTPS is a good cover protocol.
The front tier encrypts an internal address identifier with its private key (no matching public key or public algorithm) and returns to user the encrypted identifier, part of which also includes the user's chosen password. Then when submitting requests, the user encrypt again with his password the items such as his timestamp, broswer headers.
If I understand this correctly, this is a defense against active probing. You are saying that every HTTPS bridge has a password, and the client must provide the correct password in order to use the bridge. (Like ScrambleSuit or obfs4.) If the GFW tries to connect to the bridge, it does not know the password, and therefore it cannot use the bridge.
The request line to https server is no different from an ordinary one and include both the user encrypted item and front tier encrypted item. After the connection is established, data is relayed inside https between bridge and user.
You can already do something like this, except for the active probing defense, using a PHP script and Tor Browser. First install this file on an HTTP server:
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php/index.p...
(Let's say it is installed at https://example.com/meek/index.php.) Then, in the Tor Browser bridge configuration, enter the bridge line:
meek 0.0.2.0:1 url=https://example.com/meek/index.php
See "What to do if meek gets blocked" for some more options: https://lists.torproject.org/pipermail/tor-talk/2015-January/036410.html