[tor-dev] A layered transport

David Fifield david at bamsoftware.com
Mon Oct 26 15:59:37 UTC 2015

On Mon, Oct 26, 2015 at 03:44:59PM +0800, Da Feng wrote:
> Hi:
>    I've discovered that the GFW normally doesn't block https
> protocols. We can use a https front tier to distribute connections to
> actual bridges.

This is a good idea. HTTPS is a good cover protocol.

> The front tier encrypts an internal address identifier with its
> private key (no matching public key or public algorithm) and returns
> to user the encrypted identifier, part of which also includes the
> user's chosen password. Then when submitting requests, the user
> encrypt again with his password the items such as his timestamp,
> broswer headers.

If I understand this correctly, this is a defense against active
probing. You are saying that every HTTPS bridge has a password, and the
client must provide the correct password in order to use the bridge.
(Like ScrambleSuit or obfs4.) If the GFW tries to connect to the bridge,
it does not know the password, and therefore it cannot use the bridge.

> The request line to https server is no different from an ordinary one
> and include both the user encrypted item and front tier encrypted
> item. After the connection is established, data is relayed inside
> https between bridge and user.

You can already do something like this, except for the active probing
defense, using a PHP script and Tor Browser. First install this file on
an HTTP server:


(Let's say it is installed at https://example.com/meek/index.php.) Then,
in the Tor Browser bridge configuration, enter the bridge line:

meek url=https://example.com/meek/index.php

See "What to do if meek gets blocked" for some more options:

More information about the tor-dev mailing list