[tbb-bugs] #29430 [Applications/Tor Browser]: Use uTLS for meek TLS camouflage in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 7 23:21:49 UTC 2019


#29430: Use uTLS for meek TLS camouflage in Tor Browser
--------------------------------------+--------------------------
 Reporter:  dcf                       |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  meek utls                 |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by dcf):

 Here is a sample branch that uses the same meek repo.
  * [https://gitweb.torproject.org/user/dcf/tor-browser-build.git/log/?h=meek-client-utls_2&id=616fbe2c19a9fce7a9d0adbc466b259c18c45fb8 meek-client-utls_2 branch]
  * [https://gitweb.torproject.org/user/dcf/tor-browser-build.git/diff/?h=meek-client-utls_2&id=616fbe2c19a9fce7a9d0adbc466b259c18c45fb8&id2=86ebdafc28a55042fea553ad7f23f796ea963b75 cumulative diff]

 It's pretty straightforward; I think the noteworthy changes are:
  * It only activates uTLS on alpha. I feel this is the kind of thing that
 should be tested on alpha before going into stable.
  * meek-client uses the mainline utls repo, not the fork that obfs4proxy
 uses, so I moved the goutls project to goutls-yawning and re-added a
 goutls project pointing to the original repo. I'm not sure what's best to
 do here :/
  * It requires a small tor-launcher patch:
 attachment:0001-Make-uTLS-aware.patch, which I didn't upload to a branch
 anywhere.

 There are a few additional changes that could happen, namely deleting the
 meek-client-torbrowser executable and the meek-http-helper browser
 profile.

 It works; I'm using it to post this comment. I ran a
 [attachment:meek-client-utls_2.pcap packet capture] of me using Moat and
 then starting to
 bootstrap using meek-azure. There are 5 Client Hellos in the packet
 capture, all with TLS fingerprint
 [https://tlsfingerprint.io/id/71a81bafd58e1301 71a81bafd58e1301], which
 uTLS calls `HelloIOS_11_1`. The first 4 are me struggling with the Moat
 captcha (lol) and the 5th is starting the bootstrap itself.

 I'm not marking this needs_review because I'm not necessarily proposing
 this branch for merge, just using it as an example of what integration
 could look like. I don't want to exclude the possibility of using
 obfs4proxy. I think it's more like needs_discussion at this point.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29430#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

