Date: Wed, 11 May 2016 19:40:17 -0700
From: David Fifield <david@bamsoftware.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Pluggable Transports and DPI

On Sun, May 08, 2016 at 01:37:47PM -0700, David Fifield wrote:
> With the meek blocking, it might be that they are doing some kind of
> timing analysis, or it might be that we screwed up something simple like
> the TLS signature. Could you try it in these configurations?
> 	Tor Browser 5.5.5 https://blog.torproject.org/blog/tor-browser-555-released
> 	Tor Browser 6.0a5 https://blog.torproject.org/blog/tor-browser-60a5-released
> 	meek_lite in obfs4proxy
> TB 6.0a5 uses a different version of Firefox than 5.5.5, so the TLS
> signature might be different (I haven't checked yet). To run meek_lite,
> use a torrc file like this one:
> 	UseBridges 1
> 	ClientTransportPlugin meek_lite exec ./obfs4proxy
> 	Bridge meek_lite 0.0.3.0:5 url=https://meek-reflect.appspot.com/ front=www.google.com

Justin helped me by running some tests and we think we know how this
Cyberoam device is blocking meek connections. It blocks TLS connections
that have Firefox 38's TLS signature and that have an SNI field that
is one of our front domains: www.google.com, a0.awsstatic.com,
ajax.aspnetcdn.com.

This blocking policy incurs some collateral damage: it blocks ordinary
Firefox 38 when visiting one of the above domains (we tried it)--but
changing the name even slightly, such as using google.com in place of
www.google.com, works. Perhaps there are few enough users of Firefox 38
that the level of false blocking is acceptable.
http://gs.statcounter.com/ says that Firefox 38 is now only 0.38% of
browsers (compared to 11.36% in June 2015 and Firefox 45's 9.73% now).

If this blocking affects you, one way to solve it is to use the 6.0a5
alpha release, which is based on Firefox 45 and has a different TLS
signature.
https://blog.torproject.org/blog/tor-browser-60a5-released
Another solution is to change the front domain to something else, for
example using google.com instead of www.google.com. Instructions for
changing the front domain are here:
https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain
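
The rule described above, modelled as an added example (not part of the original message, and not a description of the Cyberoam device's internals): it parses a ClientHello, derives a fingerprint from the version, cipher suites and extension types, and blocks only when that fingerprint and an exact front-domain SNI both match. The fingerprint scheme, the two cipher lists and all function names are assumptions constructed for illustration.

```python
import hashlib
import struct

# Front domains named in the message; the match is on the exact SNI string.
FRONTS = {"www.google.com", "a0.awsstatic.com", "ajax.aspnetcdn.com"}
# Constructed cipher-suite lists standing in for two browser versions
# (assumption: NOT the real Firefox 38 / Firefox 45 lists).
OLD_PROFILE = [0xC02B, 0xC02F, 0xC00A, 0xC009, 0x0033, 0x002F]
NEW_PROFILE = [0xC02B, 0xC02F, 0xCCA9, 0xCCA8, 0xC00A, 0x002F]

def build_client_hello(ciphers, sni):
    """Constructed sample: a minimal ClientHello handshake message."""
    name = sni.encode("ascii")
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg):
    """Return (fingerprint, sni) as an on-path observer could derive them."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 34                                             # skip version + random
    pos += 1 + body[pos]                                 # skip session id
    n = struct.unpack_from("!H", body, pos)[0]
    ciphers = struct.unpack_from("!%dH" % (n // 2), body, pos + 2)
    pos += 2 + n
    pos += 1 + body[pos]                                 # skip compression methods
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ext_types, sni = [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        ext_types.append(etype)
        if etype == 0:                                   # server_name extension
            nlen = struct.unpack_from("!H", body, pos + 7)[0]
            sni = body[pos + 9:pos + 9 + nlen].decode("ascii")
        pos += 4 + elen
    feat = "%d|%s|%s" % (version, "-".join(map(str, ciphers)), "-".join(map(str, ext_types)))
    return hashlib.sha256(feat.encode()).hexdigest()[:16], sni

def is_blocked(msg, blocked_fp):
    """Model of the rule in the message: fingerprint AND exact front-domain SNI."""
    fp, sni = parse_client_hello(msg)
    return fp == blocked_fp and sni in FRONTS
```

With the fingerprint of OLD_PROFILE as the blocked one, a hello for www.google.com is blocked, while google.com with the same profile, or www.google.com with NEW_PROFILE, passes; these correspond to the two workarounds given in the message.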