[tor-mirrors] Testing cloudflare on a mirror of tor's website

David Fifield david at bamsoftware.com
Sun Sep 14 06:00:25 UTC 2014


On Tue, Sep 09, 2014 at 09:05:21PM -0400, Andrew Lewman wrote:
> Unless some company/country are going to block all of cloudflare or a
> CDN, our mirrors can still be reachable. This is the same idea that
> David Fifield is counting on with the meek transport using Google App
> Engine. Blocking all of Google seems a huge cost vs the gain of stopping
> some tor users.

On that note, it's worth looking at what GreatFire.org is doing for
some of their mirror sites: https://github.com/greatfire/wiki.

Here is one of the URLs:
	https://a248.e.akamai.net/f/1/1/1/dci.download.akamai.com/35985/159415/1/f/
This URL is from an Akamai reseller, http://cachesimple.com/, who have a
plan starting at $50/month. The long URL is an explicit form of what
normally happens implicitly through SNI at the Akamai CDN (see page 5 of
https://research.microsoft.com/en-us/um/people/ratul/akamai/freeflow.pdf
for Akamai URL structure). The important thing is that all the blockable
content is encrypted in the path component. The censor only gets to see
the domain name a248.e.akamai.net, which is some kind of magic Akamai
HTTPS domain that's used for tons of stuff. I think a mirror like this
would be very hard to block.

I know of another Akamai reseller that would probably work,
http://www.hpcloud.com/products-services/cdn. That one apparently gives
you URLs that look like https://a248.e.akamai.net/cdn.hpcloudsvc.com/....
This one would also for sure serve the files itself from HP's cloud
storage.

Other GreatFire URLs are:
	https://objects.dreamhost.com/freeweibo/index.html
	https://edgecastcdn.net/00107ED/g/
The blockable information is hidden in the path component behind the
generic shared-SSL domains objects.dreamhost.com and edgecastcdn.net.

As far as I know,
	https://fw2.azurewebsites.net/
	https://d1stdkq55ggsv7.cloudfront.net/
don't have the same claim to unblockability because the important
information is in the domain. I guess the rationale here is it's easy to
get a new name when an old one gets blocked.

David Fifield
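
An added illustration of the point about SNI above (example code, not part of David's message): it constructs a minimal TLS 1.2 ClientHello for each mirror URL and parses it the way a passive on-path observer would, showing that only the server name is recoverable from the handshake while the path component travels inside the encrypted HTTP request. The ClientHello is deliberately simplified (zero random, one cipher suite, SNI as the only extension) and the helper names are mine.

```python
import struct
from urllib.parse import urlsplit

def build_client_hello(server_name):
    # Constructed minimal TLS 1.2 ClientHello: zero random, empty session id, one suite, SNI only.
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name
    sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                            # client_version, random
            + b"\x00"                                             # session id length
            + b"\x00\x02\xc0\x2f"                                 # cipher_suites (one entry)
            + b"\x01\x00"                                         # compression: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    # Walk a ClientHello the way an on-path observer would; return the SNI name or None.
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                            # record hdr, hs hdr, version, random
    p += 1 + record[p]                                            # skip session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]              # skip cipher suites
    p += 1 + record[p]                                            # skip compression methods
    if p + 2 > len(record):
        return None                                               # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                            # server_name extension
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]    # skip list length + name type
            return record[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

def observer_view(url):
    # What a censor watching the handshake learns (SNI) versus what stays inside the
    # encrypted HTTP request (the path, which carries the Akamai/EdgeCast selector).
    parts = urlsplit(url)
    hello = build_client_hello(parts.hostname)
    return {"visible": extract_sni(hello), "encrypted": parts.path}

if __name__ == "__main__":
    for u in ("https://a248.e.akamai.net/f/1/1/1/dci.download.akamai.com/35985/159415/1/f/",
              "https://fw2.azurewebsites.net/"):
        print(observer_view(u))
```

For the Akamai URL the observer sees only a248.e.akamai.net, whereas for the azurewebsites.net URL the identifying label fw2 is itself in the visible name.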

