[tor-bugs] #22871 [Obfuscation/BridgeDB]: Implement backend for moat

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 13 19:20:39 UTC 2017

#22871: Implement backend for moat
 Reporter:  isis                        |          Owner:  isis
     Type:  enhancement                 |         Status:  new
 Priority:  High                        |      Milestone:
Component:  Obfuscation/BridgeDB        |        Version:
 Severity:  Normal                      |     Resolution:
 Keywords:  SponsorM, bridgedb-captcha  |  Actual Points:
Parent ID:                              |         Points:  3
 Reviewer:                              |        Sponsor:

Comment (by isis):

 Replying to [comment:4 iry]:
 > Hi isis!
 > I am posting the reply in this ticket since it seems to be more related
 > to the topic:
 > isis:
 > >This API won't be publicly accessible though, it'll be reachable
 > >through the API for #22871, and even then it's only reachable through a
 > >special meek reflector as part of #16650.
 > I love the idea to "Set up domain fronting for BridgeDB". The benefits
 > are huge as described in #16650.
 > However, meek has not been supported by either Whonix or Tails so
 > far. It is very likely because meek has not been packaged into Debian as
 > a standalone client because of its increasingly high coupling with TBB:
 > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764007

 That makes sense, although it's unfortunate. There is a `meek-client`
 program included in meek; however, as I understand it, the TLS is more
 fingerprintable, which is why dcf went the route of instrumenting a
 browser. It would be better to ask dcf about this.

 I also just remembered that you actually ''can't'' do a `POST /meek/*` to
 BridgeDB unless you go through the meek reflector, because of the way the
 TLS termination is handled. Also FYI, this distributor relies on getting
 the client's IP address in an `X-Forwarded-For` header from the meek
 reflector. We could consider setting up the same moat API as its own
 separate distributor for clients which can't use meek, but that should be
 a new ticket. (Also, I'd prefer that they be separate distributors, since
 there's a possibility that we may need to allocate differently, or treat
 different automated bridge distribution clients differently, e.g.
 different rate limiting, in the future.)

 > I will also ask Tails about why meek is not available in Tails, given
 > that Tails does ship a Tor Browser (unlike Whonix-gateway).

 Thanks! I'd be curious to hear why.

 > > Is anon-connection-wizard what Tails uses now? I'd be happy to support
 > > Tails as well (but I'd strongly prefer the connection to go through the
 > > meek reflector).
 > anon-connection-wizard has not been used by Tails so far. But some quick
 > and dirty testing on integrating anon-connection-wizard has been done by
 > anonym from Tails. Some details can be found here:
 > https://mailman.boum.org/pipermail/tails-dev/2017-September/011638.html

 That's great! Is it being considered because Firefox is removing support
 for extensions? (Wasn't Tails doing something special to run Tor Launcher
 as a desktop app?)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22871#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
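
Added example, not part of the original message and not BridgeDB's code: a sketch of the trust decision a backend makes when, as the comment above describes, it takes the client's IP address from an `X-Forwarded-For` header set by the meek reflector. The reflector address, the function name, and the assumption that the reflector appends the address it saw as the last header entry are all hypothetical.

```python
import ipaddress

# Assumption: the address the reflector connects from (constructed value,
# not taken from BridgeDB's configuration).
TRUSTED_REFLECTORS = {ipaddress.ip_address("127.0.0.1")}


def client_ip(peer_ip, xff_header, trusted=TRUSTED_REFLECTORS):
    """Return the client address vouched for by the reflector, or None.

    peer_ip:    address of the TCP peer that delivered the request
    xff_header: raw X-Forwarded-For value, or None if the header is absent
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    # Only the reflector may speak for a client. A request arriving from
    # any other peer can carry whatever X-Forwarded-For it likes.
    if peer not in trusted:
        return None
    if not xff_header:
        return None
    # Assumption: proxies append to the header, so the right-most entry is
    # the one the reflector wrote. Entries to its left came from the client
    # side and must not be used for rate limiting or allocation.
    last = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value).
    samples = [
        ("127.0.0.1", "198.51.100.7"),
        ("127.0.0.1", "10.0.0.1, 198.51.100.7"),
        ("203.0.113.9", "198.51.100.7"),
        ("127.0.0.1", None),
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

A `None` result means the request has no trustworthy client address and should not be counted against any client's rate limit bucket as if it did.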
