[tor-dev] Domain Fronting, Meek, Cloudflare, and Encrypted SNI...

David Fifield david at bamsoftware.com
Thu Oct 4 01:19:02 UTC 2018


On Wed, Oct 03, 2018 at 07:01:21PM -0600, David Fifield wrote:
> And for that matter, why not a plain old HTTP CONNECT proxy? That would
> be even more efficient.

I should add that--leaving out domain fronting/encrypted SNI--there's an
implementation of exactly this, a pluggable transport built on an HTTP
proxy, by Sergey Frolov et al. He has been trying to get some attention
or buy-in to get it integrated into Tor Browser, but hasn't had much
luck so far. In my opinion, it will make a great alternative to obfs4
and be effective in many situations.

There's a bit more to it than I've described above. It can work with any
HTTP proxy (with HTTPS encryption to hide the destination from the
censor, of course)--but they've also implemented a proxy plugin for the
Caddy web server, which supports authentication. The authentication is
to resist active probing like the GFW does: a genuine client who got the
password through BridgeDB will be able to use the proxy, while a censor
probing the IP address will just get the web server's normal pages. Check
the links for more info.

https://bugs.torproject.org/26923
https://github.com/sergeyfrolov/httpsproxy
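
The probe-resistance behaviour described in the message above, as an added Go example (not part of the original message, and not code from httpsproxy or the Caddy plugin): only a CONNECT with the right credential reaches the proxy, and every other request gets the site's ordinary response with no 407 challenge. The handler names, the `X-Demo` marker, the `bridge.example` host and the credentials are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// basicCred builds the Proxy-Authorization value a genuine client sends.
func basicCred(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// probeResistant passes a request to proxy only if it is a CONNECT with the expected
// credential; anything else gets site's normal response, never a 407 challenge.
func probeResistant(want string, proxy, site http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("Proxy-Authorization")
		if r.Method == http.MethodConnect && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 {
			proxy.ServeHTTP(w, r)
			return
		}
		site.ServeHTTP(w, r)
	})
}

// Stand-ins (assumptions): a cover page, and a proxy that only marks the response.
var site = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "<h1>Welcome</h1>") })
var proxy = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("X-Demo", "tunnel") })

// observe returns what the remote party sees: status, body, challenge, marker.
func observe(h http.Handler, method, target, cred string) string {
	req := httptest.NewRequest(method, target, nil)
	if cred != "" {
		req.Header.Set("Proxy-Authorization", cred)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return fmt.Sprintf("%d %q challenge=%q demo=%q", rec.Code, rec.Body.String(),
		rec.Header().Get("Proxy-Authenticate"), rec.Header().Get("X-Demo"))
}

func main() {
	h := probeResistant(basicCred("bridge", "constructed-secret"), proxy, site)
	fmt.Println(observe(h, "CONNECT", "bridge.example:443", basicCred("bridge", "guess")))
	fmt.Println(observe(h, "CONNECT", "bridge.example:443", basicCred("bridge", "constructed-secret")))
}
```

A conventional proxy would answer the failed CONNECT with `407 Proxy Authentication Required`, which is exactly the signal a prober looks for; here the failed attempt is byte-for-byte the cover site's reply.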

