[tor-dev] Easy(?) adaptation of meek-client for ESNI

David Fifield david at bamsoftware.com
Tue Oct 23 22:32:41 UTC 2018


On Mon, Sep 24, 2018 at 08:23:58PM -0600, David Fifield wrote:
> What we would need in order for meek to use encrypted SNI would be
> either:
>  1) support for encrypted SNI in Go's crypto/tls package; or
>  2) support for encrypted SNI in the Firefox that ships with Tor
>     Browser, which meek-client could use through its TLS camouflage
>     helper support.
> 
> IMO (2) is less desirable because I'd like to get rid of the TLS
> camouflage helper support and replace it with a Go-level TLS camouflage
> library: https://github.com/refraction-networking/utls. The TLS helper
> works, but its complexity is a pain to deal with and leads to problems
> like https://bugs.torproject.org/12774 https://bugs.torproject.org/25405.

I wrote an untested overview of how to adapt meek to use ESNI, using an
external copy of Firefox Nightly rather than Tor Browser's built-in copy
of Firefox. Testing this out to see if it works would be a good task for
someone who wants to get involved with pluggable transports.

Use ESNI via Firefox HTTPS helper
https://bugs.torproject.org/28168

1. Download Tor Browser and Firefox Nightly.
2. Go to about:config in Firefox Nightly and set
     network.trr.mode=3
     network.trr.uri=https://1.1.1.1/dns-query
     network.security.esni.enabled=true
3. Copy the meek-http-helper@bamsoftware.com.xpi from Tor Browser to
   Firefox Nightly.
4. Hack meek-client-torbrowser/{mac,linux,windows}.go to point
   firefoxPath at the copy of Firefox Nightly and disable the custom
   profile. (Additional hacks to remove hardcoded Tor Browser
   assumptions may be required.)
5. Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/,
   call it https://meek.example.com/.
6. Set up a custom bridge in Tor Browser, using url= without front=
   (because we're no longer domain fronting).
     bridge meek 0.0.2.0:3 url=https://meek.example.com/ 

The only slightly weird part I foresee is hacking
meek-client-torbrowser; it has some internal hardcoded paths and
profiles that are specific to the Tor Browser directory layout, and
you'll have to point those to an external Firefox Nightly. Of course,
once ESNI support makes its way into Tor Browser itself, there won't be
a need for another external copy of Firefox.

