[tor-dev] How to present multiple meek backends in Tor Launcher?

David Fifield david at bamsoftware.com
Tue Aug 5 15:55:15 UTC 2014 

On Tue, Aug 05, 2014 at 11:07:57AM -0400, Mark Smith wrote:
> On 8/3/14, 2:37 AM, David Fifield wrote:
> >On Sat, Aug 02, 2014 at 11:28:08PM -0700, David Fifield wrote:
> >>I made some test meek bundles that are capable of using the Amazon
> >>CloudFront CDN as a backend, in addition to Google App Engine that was
> >>supported before.
> >>
> >>https://people.torproject.org/~dcf/pt-bundle/3.6.3-meek-2/
> >>
> >>https://trac.torproject.org/projects/tor/wiki/doc/meek#AmazonCloudFront
> >>
> >>To test it, go to the pluggable transport screen, and choose
> >>"meek-amazon" from the selection box.
> >
> >I opened a ticket to discuss how this user interface can be improved.
> >
> >https://trac.torproject.org/projects/tor/ticket/12777
> >
> >While it's easy to add new entries like this (see
> >https://trac.torproject.org/projects/tor/attachment/ticket/12777/0001-Add-an-option-to-use-meek-through-CloudFront.patch),
> >I'm worried that it's not so clear for most users. On what are they
> >supposed to base their decision? How could it be better?
> >
> >A possibility is that we could include just one option in the bundles,
> >and distribute the others from BridgeDB or support assistants.
> 
> Would it be possible (and safe for users) for meek to try Google and then
> try Amazon upon failure?  It seems like that is what users will need to do
> themselves, unless they have access to other information such as
> "meek-google is not a good choice in my country but meek-amazon might work."

It would be possible (it's just one more layer on top of everything). To
probe both would create a little distinguishability: a censor could
block first connection attempts to Google (while allowing later
attempts), and see if the user tries immediately connecting to Amazon
when the Google connection fails.

If we auto-probe backends, we would want to keep the property that you
can configure your front from Tor Launcher. I was in an environment once
where www.google.com was blocked but fonts.googleapis.com was not. I was
able to connect by changing the Bridge line from
	Bridge meek 0.0.2.1:1 url=https://meek-reflect.appspot.com/ front=www.google.com
to
	Bridge meek 0.0.2.1:1 url=https://meek-reflect.appspot.com/ front=fonts.googleapis.com

David Fifield

More information about the tor-dev mailing list