[tor-dev] Please try 3.5.4-meek-1 bundles (covert HTTPS pluggable transport)

David Fifield david at bamsoftware.com
Fri Apr 18 21:33:58 UTC 2014


A while back I wrote about a pluggable transport called meek that routes
your traffic through a third-party web service in a way that should be
difficult to block. There are now experimental bundles featuring this
transport, ready for somewhat wider testing. Please try:

https://people.torproject.org/~dcf/pt-bundle/3.5.4-meek-1/

The files are signed with my key 0xC11F6276 from:
https://www.torproject.org/docs/signing-keys
https://www.bamsoftware.com/david/david.asc

You don't have to do anything in the configuration. Just click
"Connect". What you'll see, if you look at your network traffic, is a
lot of HTTPS requests to www.google.com. (And no connections to any Tor
bridge, nor anything speaking the Tor protocol.) Behind the scenes,
Google is passing the requests on to our web app, which then forwards
them to a Tor bridge. More on how the whole system works is at
https://trac.torproject.org/projects/tor/wiki/doc/meek.

Another thing to know is that starting the browser will run a second,
headless instance of Firefox. The second browser is used as a tool for
making HTTPS requests. It's the same Firefox binary used by Tor Browser
(so it doesn't increase the size of the bundles), but it has a special
configuration and an extension that allows it to access the network
directly. When you're using meek, this browser extension is in fact the
only thing that touches the network, but you never interact with it
directly--it only takes orders from the client transport plugin. We do
it this way so that the HTTPS requests look like they come from a
browser, and are not fingerprintable as coming from some custom SSL
program. The second browser should be completely invisible to
you--except on OS X, where it creates a second dock icon (this is bug
#11429).

These bundles are experimental and you shouldn't use them to replace
your main browser just yet. We're most interested in hearing about what
didn't work for you or what was surprising. I'll write another post
about code review and other things that need to happen before you'll see
meek in a mainline bundle.

David Fifield
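
Added example, not part of the original message and not the author's or the Tor Project's code: a check that a downloaded file's detached signature is valid and was made by the key the message names, by parsing `gpg --status-fd` output. The function names and the fingerprints in the sample are constructed, and `gpg` is assumed to be installed with the signing key already imported.

```sh
#!/bin/sh
# Key ID as given in the message. A 32-bit ID is short enough to collide,
# so pass the full fingerprint from the signing-keys page when you have it.
EXPECTED_KEY="C11F6276"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names a primary-key fingerprint ending in $1 and no line reports a bad,
# expired or revoked signature.
status_signed_by() {
    awk -v want="$1" '
        BEGIN { want = toupper(want); sub(/^0[xX]/, "", want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = toupper($NF)   # last field is the primary key fingerprint
            n = length(fpr) - length(want)
            if (length(want) > 0 && n >= 0 && substr(fpr, n + 1) == want) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# Usage: verify_signed_file SIGNATURE FILE
# (file names are the caller's; the message does not list any)
verify_signed_file() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_signed_by "$EXPECTED_KEY"
}

# Constructed status output (made-up fingerprints): a signature made by a
# subkey whose primary key ends in the expected ID.
SAMPLE_STATUS='[GNUPG:] GOODSIG 1111111122222222 Constructed Signer
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2014-04-18 1397856838 0 4 0 1 2 00 FFEEDDCCBBAA99887766554433221100C11F6276'

printf '%s\n' "$SAMPLE_STATUS" | status_signed_by "$EXPECTED_KEY" &&
    echo "sample: valid signature from expected key"
```

Matching on the status lines rather than on gpg's exit code alone matters because a signature from any key in the keyring would otherwise pass.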