On Sat, Feb 22, 2014 at 05:47:55PM +0000, Arlo Breault wrote:
It seems the right thing to do is mimic a browser, and I can think of at least three ways to do that:

1. Try really hard, using NSS or some other library, to look like a particular browser.
2. Run a second browser, apart from Tor Browser, that receives commands from a client PT program and makes the HTTPS requests it is commanded to.
3. Run a browser plugin *inside* Tor Browser, that makes HTTPS requests *directly on the Internet, without going through Tor*. That is, the plugin receives commands from the client PT program, and then bypasses all of Tor Browser's proxy settings in order to send HTTPS requests to the web site fronting the circumvention.

It's the third option I want to ask about. The first option puts us on the parrot treadmill. The second has the usability and distribution problems of running two browsers at once.
Usability might not be such an issue if you're using a headless browser. Distribution still would be.
Thanks Arlo. I took this idea and some from IRC discussion and summarized them here:
https://trac.torproject.org/projects/tor/wiki/doc/meek#HowtolooklikebrowserH...
1. Use your own HTTPS/TLS library, and take care to make sure your ciphersuites and extensions match those of a browser. There are [https://www.mozilla.org/projects/security/pki/python-nss/ Python bindings for NSS] that might make it easier. Chromium is [https://code.google.com/p/chromium/issues/detail?id=62803 moving to OpenSSL] in the future.
2. Use a separate (headless) browser as an instrument for making HTTPS requests. This is what [https://raw.github.com/wiki/gsathya/htpt/Overall_architecture2.png htpt plans to do]. [http://phantomjs.org/ PhantomJS] is a headless WebKit that is scriptable with JavaScript. Its compressed size is 7–13 MB. [https://github.com/ariya/phantomjs/blob/master/examples/postserver.js This postserver.js example] shows it running its own web server, which we could use as a means of communication: meek-client on localhost ←HTTP→ PhantomJS on localhost ←HTTPS→ www.google.com. Another option is to write an extension for some other browser and communicate with it using some custom IPC.
3. Use an [https://developer.mozilla.org/en/Extensions extension] in Tor Browser itself. The plugin bypasses Tor Browser's normal proxy settings in order to issue HTTPS requests directly to the front domain.
  * [tor-dev] Feasibility of using a Tor Browser plugin as a PT component? https://lists.torproject.org/pipermail/tor-dev/2014-February/006266.html GeKo says that [https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsISocket... nsISocketTransportService] is what we want to look at.
  * [https://stackoverflow.com/questions/10173811/how-to-connect-to-a-remote-serv... How to connect to a remote server using nsISocketTransportService in a firefox extension?]
  * [https://code.google.com/p/weaponry/source/browse/trunk/xulrunner/weaponry/di... WeaponryRawHttpRequest.js] is doing what we want.
[https://developer.mozilla.org/en-US/docs/Mozilla/XPCOM XPCOM] (a Firefox API) allows you to create [https://developer.mozilla.org/en-US/docs/WebAPI/TCP_Socket TCP sockets].
David Fifield
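
Added example, not code from this thread or from the meek project: option 1 depends on the ClientHello's cipher suites and extensions matching a browser's, so this sketch parses two ClientHello records and reports where a candidate differs from a reference. The function names and the two sample hellos (`BROWSER`, `LIBRARY`) are constructed for illustration and are not real browser or library fingerprints.

```python
import struct

def build_hello(suites, ext_types):
    """Constructed sample: minimal ClientHello record with empty extension bodies."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    ex = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ex)) + ex)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_hello(record):
    """Return (cipher_suites, extension_types), both in wire order."""
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if record[:1] != b"\x16" or record[5:6] != b"\x01" or len(body) != hs_len:
        raise ValueError("not a complete ClientHello record")
    try:
        pos = 2 + 32                                     # skip version and random
        pos += 1 + body[pos]                             # skip session_id
        n = struct.unpack_from("!H", body, pos)[0]       # cipher suite bytes
        suites, exts = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2)), []
        pos += 2 + n
        pos += 1 + body[pos]                             # skip compression methods
        if pos < len(body):                              # extensions block is optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                exts.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    return suites, exts

def diff_fingerprint(candidate, reference):
    """Describe how candidate's ClientHello differs from reference's."""
    issues = []
    for name, c, r in zip(("cipher suites", "extensions"),
                          parse_hello(candidate), parse_hello(reference)):
        if c != r and sorted(c) == sorted(r):
            issues.append(name + ": same set, different order")
        elif c != r:
            issues.append("%s: missing %s, extra %s"
                          % (name, sorted(set(r) - set(c)), sorted(set(c) - set(r))))
    return issues

# Constructed values, not captured from any real browser or TLS library.
BROWSER = build_hello([0xC02B, 0xC02F, 0xC00A, 0x0035], [0, 0xFF01, 10, 11, 35, 13])
LIBRARY = build_hello([0xC02F, 0xC02B, 0xC00A, 0x0035], [0, 10, 11, 13])
```

Calling `diff_fingerprint(LIBRARY, BROWSER)` reports the reordered cipher suites and the two missing extension types; a real comparison would also have to cover extension contents such as curve and signature-algorithm lists.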