On Sun, May 08, 2016 at 01:37:47PM -0700, David Fifield wrote: > With the meek blocking, it might be that they are doing some kind of > timing analysis, or it might be that we screwed up something simple like > the TLS signature. Could you try it in these configurations? > Tor Browser 5.5.5 > https://blog.torproject.org/blog/tor-browser-555-released > Tor Browser 6.0a5 > https://blog.torproject.org/blog/tor-browser-60a5-released > meek_lite in obfs4proxy > TB 6.0a5 uses a different version of Firefox than 5.5.5, so the TLS > signature might be different (I haven't checked yet). To run meek_lite, > use a torrc file like this one: > UseBridges 1 > ClientTransportPlugin meek_lite exec ./obfs4proxy > Bridge meek_lite 0.0.3.0:5 url=https://meek-reflect.appspot.com/ > front=www.google.com
Justin helped me by running some tests and we think we know how this Cyberoam device is blocking meek connections. It blocks TLS connections that have the Firefox 38's TLS signature and that have an SNI field that is one of our front domains: www.google.com, a0.awsstatic.com, ajax.aspnetcdn.com. This blocking policy incurs some collateral damage: it blocks ordinary Firefox 38 when visiting one of the above domains (we tried it)--but changing the name even slightly, such as using google.com in place of www.google.com, works. Perhaps there are few enough users of Firefox 38 that the level of false blocking is acceptable. http://gs.statcounter.com/ says that Firefox 38 is now only 0.38% of browsers (compared to 11.36% in June 2015 and Firefox 45's 9.73% now). If this blocking affects you, one way to solve it is to use the 6.0a5 alpha release, which is based on Firefox 45 and has a different TLS signature. https://blog.torproject.org/blog/tor-browser-60a5-released Another solution is to change the front domain to something else, for exmaple using google.com instead of www.google.com. Instructions for changing the front domain are here: https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
