[tor-dev] Easy(?) adaptation of meek-client for ESNI

Hans-Christoph Steiner hans at guardianproject.info
Fri Dec 7 14:55:42 UTC 2018

Nathan of Guardian:
> On Mon, Sep 24, 2018 at 08:23:58PM -0600, David Fifield wrote:
>> What we would need in order for meek to used encrypted SNI would be
>> either:
>>  1) support for encrypted SNI in Go's crypto/tls package; or
>>  2) support for encrypted SNI in the Firefox that ships with Tor
>>     Browser, which meek-client could use through its TLS camouflage
>>     helper support.
>> IMO (2) is less desirable because I'd like to get rid of the TLS
>> camouflage helper support and replace it with a Go-level TLS camouflage
>> library: https://github.com/refraction-networking/utls. The TLS helper
>> works, but its complexity is a pain to deal with and leads to problems
>> like https://bugs.torproject.org/12774 https://bugs.torproject.org/25405.
> I wrote an untested overview of how to adapt meek to use ESNI, using an
> external copy of Firefox Nightly rather than Tor Browser's built-in copy
> of Firefox. Testing this out to see if it works would be a good task for
> someone who wants to get involved with pluggable transports.
> Use ESNI via Firefox HTTPS helper
> https://bugs.torproject.org/28168
> 1. Download Tor Browser and Firefox Nightly.
> 2. Go to about:config in Firefox nightly and set
>      network.trr.mode=3
>      network.trr.uri=
>      network.security.esni.enabled=true
> 3. Copy the meek-http-helper at bamsoftware.com.xpi from Tor Browser to
>    Firefox Nightly.
> 4. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
>    firefoxPath at the copy of Firefox Nightly and disable the custom
>    profile. (Additional hacks to remove hardcoded Tor Browser
>    assumptions may be required.)
> 5. Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/,
>    call it https://meek.example.com/.
> 6. Set up a custom bridge in Tor Browser, using url= without front=
>    (because we're no longer domain fronting).
>      bridge meek url=https://meek.example.com/ 
> The only slightly weird part I foresee is hacking
> meek-client-torbrowser; it has some internal hardcoded paths and
> profiles that are specific to the Tor Browser directory layout, and
> you'll have to point those to an external Firefox Nightly. Of course,
> once ESNI support makes its way into Tor Browser itself, there won't be
> a need for another external copy of Firefox.

Two things to follow up on this thread:

1) I believe ESNI support is now in the Firefox betas, so that approach
is looking like an option

2) Guardian Project got a grant to work on a full stack prototype of
using Pluggable Transports.  We're going to try to do it with ESNI using
Stephen Farrell's patches to openssl.

My last thought on this topic for today: we should be careful about
making it too easy to use ESNI for circumvention before its gained any
server side implementers.  If it gets branded a activist tool, I could
see many orgs failing to adopt ESNI.  I think Cloudflare is the only
active provider offering it.


PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556

More information about the tor-dev mailing list