[tor-bugs] #28168 [Obfuscation/meek]: Use ESNI via Firefox HTTPS helper

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 27 21:17:17 UTC 2019


#28168: Use ESNI via Firefox HTTPS helper
------------------------------+---------------------
 Reporter:  dcf               |          Owner:  dcf
     Type:  project           |         Status:  new
 Priority:  Medium            |      Milestone:
Component:  Obfuscation/meek  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+---------------------

Comment (by dcf):

 I set up a Cloudflare account and got this all working: meek with ESNI in
 place of domain fronting, running in Tor Browser with an external Firefox
 helper. When Tor Browser starts using a Firefox newer than 60 ESR, it
 won't need a separate external Firefox.

 === Cloudflare setup ===

  * Register a new domain name. I got rinsed-tinsel.site. (I initially
 planned to use a subdomain of bamsoftware.com, but Cloudflare only allows
 that on their paid plans—on the free plan the only option is to have
 Cloudflare handle ''all'' the DNS for the domain.)
  * Click "+ Add site", enter the domain name, and choose the free plan.
  * At the DNS screen, add a new CNAME record for subdomain "meek" pointing
 to "meek.bamsoftware.com". (How this works is when users query
 meek.rinsed-tinsel.site, the Cloudflare DNS server will give them an A record
 pointing at a Cloudflare edge server, and then the Cloudflare edge server
 will fetch origin pages from meek.bamsoftware.com.)
  * Go back to the name registrar and set the nameserver to the two
 *.ns.cloudflare.com servers that it tells you to set.
  * I then went and made the following configuration changes:
    * Crypto tab
      * SSL: Full (strict)
      * Always Use HTTPS: On
      * Minimum TLS Version: TLS 1.2
    * Firewall tab
      * Security Level: Essentially Off
      * Web Application Firewall
        * Browser Integrity Check: Off
    * Caching tab
      * Always Online™: Off
    * Scrape Shield tab
      * Email Address Obfuscation: Off
      * Server-side Excludes: Off
      * Hotlink Protection: Off

 === WebExtension build ===

 Start with commit
 [https://gitweb.torproject.org/pluggable-transports/meek.git/log/?h=webextension&id=9a822c9e99e0bf23c542427de4eae3493ebccbc3 9a822c9e99]
 in the
 [https://gitweb.torproject.org/pluggable-transports/meek.git/log/?h=webextension webextension]
 branch.

 1. Enter meek/webextension/native and run `go build`. This produces the
 native component of the extension.
 1. Enter meek/webextension and run `make`. This zips up the extension
 files into an installable bundle, !meek-http-helper@bamsoftware.com.xpi.

 === Firefox setup ===

 3. Download [https://www.mozilla.org/en-US/firefox/developer/ Firefox
 Developer Edition]. You need the developer edition in order to install an
 unsigned extension.
 1. Run `firefox/firefox --ProfileManager` and create a new "esni" profile.
 Go to `about:config` and set these prefs:
    {{{
 browser.dom.window.dump.enabled
 network.trr.mode=3
 network.trr.uri=https://1.1.1.1/dns-query
 network.security.esni.enabled=true
 toolkit.startup.max_resumed_crashes=-1
 xpinstall.signatures.required=false
    }}}
 1. Go to `about:addons`. Click Extensions. Click ⚙️ and select "Install
 Add-on From File...". Open
 meek/webextension/!meek-http-helper@bamsoftware.com.xpi. Say yes to the
 permissions dialog.
 1. Close Firefox.

 === meek-client-torbrowser build ===

 7. Edit meek/meek-client-torbrowser/{linux,mac,windows}.go (whatever's
 needed for your platform) and adjust the paths:
    {{{
 firefoxPath                = "/path/to/firefox/firefox"
 firefoxProfilePath         = "/home/user/.mozilla/firefox/<RANDCHARS>.esni"
 helperNativeManifestDir    = "/path/to/tor-browser_en-US/Browser/.mozilla/native-messaging-hosts"
 helperNativeExecutablePath = "/path/to/meek/webextension/native/native"
    }}}
 1. In meek/meek-client-torbrowser, run `go build`.
 1. Copy the resulting meek-client-torbrowser binary to
 tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/.

 === Tor Browser setup ===

 10. Click the "Configure" button in Tor Launcher, or "Tor Network
 Settings..." in the onion toolbar icon.
 1. Click "Tor is censored in my country" and "Provide a bridge I know".
 Enter the bridge line:
    {{{
 meek 0.0.2.0:3 1922840D0D66CB82EACE4327F5001430227C0127 url=https://meek.rinsed-tinsel.site/
    }}}
 1. Because of #12774, it may not work right away and you'll have to
 restart.

 ----

 This is a packet capture of bootstrapping and browsing to example.com:
 attachment:meek-esni.pcap. Here's a summary of all the Client Hellos it
 contains:
 {{{
 No.  Time                 Source         Destination    Protocol Info
   7  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
  14  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
  15  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
  16  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1    Client Hello
 122  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 133  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 134  2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 236  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 237  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 242  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1    Client Hello
 243  2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 348  2019-02-27 12:24:40  192.168.111.2  1.1.1.1        TLSv1.3  Client Hello
 351  2019-02-27 12:24:40  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 431  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 432  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 437  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 438  2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2  Client Hello
 550  2019-02-27 12:24:41  192.168.111.2  104.27.168.47  TLSv1.2  Client Hello
 }}}
 All the handshakes with 1.1.1.1 are DNS-over-HTTPS name lookups—I'm
 guessing some of them are Firefox's internal lookups, unrelated to the
 meek tunnel. 104.27.168.47 is the Cloudflare edge server.

 The TLS fingerprints are:
 ||1.1.1.1       ||[https://tlsfingerprint.io/id/8300bf0e26f2a109 8300bf0e26f2a109] ([https://web.archive.org/web/20190227210213/https://tlsfingerprint.io/id/8300bf0e26f2a109 archive]) rank 3620 ||[https://tlsfingerprint.io/compare/bb94e801f7aee52b/8300bf0e26f2a109 comparison] ([https://web.archive.org/web/20190227210604/https://tlsfingerprint.io/compare/bb94e801f7aee52b/8300bf0e26f2a109 archive]) with ESR 60 rank 31 ||
 ||104.27.168.47 ||[https://tlsfingerprint.io/id/2dcbeba533890640 2dcbeba533890640] ([https://web.archive.org/web/20190227210126/https://tlsfingerprint.io/id/2dcbeba533890640 archive]) rank 6272 ||[https://tlsfingerprint.io/compare/bb94e801f7aee52b/2dcbeba533890640 comparison] ([https://web.archive.org/web/20190227210435/https://tlsfingerprint.io/compare/bb94e801f7aee52b/2dcbeba533890640 archive]) with ESR 60 rank 31 ||
 The differences against the current ESR 60 fingerprint appear to be
 partly from the lack of plaintext SNI, and partly from unrelated TLS
 changes in Firefox.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28168#comment:5>
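
The comment above attributes part of the fingerprint difference to the lack of plaintext SNI. The following Python sketch is an added example (not part of the ticket or of the meek source) that checks that property on a ClientHello handshake message extracted from a capture: it lists the extension types and reports whether server_name or encrypted_server_name is offered. The 0xffce code point is the one assigned in draft-ietf-tls-esni-02 and is an assumption about the draft version in use; the sample bytes are constructed, not taken from meek-esni.pcap.

```python
EXT_SERVER_NAME = 0x0000  # plaintext server_name (RFC 6066)
EXT_ESNI = 0xFFCE  # encrypted_server_name in draft-ietf-tls-esni-02 (assumed draft)

def _vec(buf, pos, len_bytes):
    """Read a vector with a len_bytes-long length prefix; return (body, next_pos)."""
    end = pos + len_bytes
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    n = int.from_bytes(buf[pos:end], "big")
    if end + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[end:end + n], end + n

def hello_extensions(msg):
    """Extension type codes of a ClientHello handshake message (record header stripped)."""
    if len(msg) < 38 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32  # handshake header (length not checked), legacy_version, random
    for len_bytes in (1, 2, 1):  # session_id, cipher_suites, compression_methods
        _, pos = _vec(msg, pos, len_bytes)
    if pos == len(msg):
        return []  # hello without any extensions block
    exts, _ = _vec(msg, pos, 2)
    types, pos = [], 0
    while pos < len(exts):
        types.append(int.from_bytes(exts[pos:pos + 2], "big"))
        _, pos = _vec(exts, pos + 2, 2)  # skip the extension body
    return types

def sni_exposure(msg):
    """Return 'plaintext-sni', 'esni' or 'no-name' for one ClientHello."""
    types = hello_extensions(msg)
    if EXT_SERVER_NAME in types:
        return "plaintext-sni"
    return "esni" if EXT_ESNI in types else "no-name"

def sample_hello(*ext_types):
    """Constructed minimal ClientHello with empty extension bodies (test input only)."""
    exts = b"".join(t.to_bytes(2, "big") + b"\x00\x00" for t in ext_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(exts).to_bytes(2, "big") + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for exts in ((0x0000, 0x002B), (0xFFCE, 0x002B)):
        print([hex(t) for t in exts], "->", sni_exposure(sample_hello(*exts)))
```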