[tor-qa] Fwd: Re: 3.5.4-meek-1 (meek bundles with browser TLS camouflage)

David Fifield david at bamsoftware.com
Sun Apr 20 21:21:54 UTC 2014


On Sun, Apr 20, 2014 at 07:17:40PM +0000, Wilton Gorske wrote:
> > On Sat, Apr 12, 2014 at 12:22:47PM +0000, Wilton Gorske wrote:
> >> TBB Launches successfully: yes, *****but launches two browsers?
> > 
> > David Fifield: Thanks for testing. Launching two browsers is expected--the second
> > browser is the one that hosts the browser extension that meek uses to
> > make its HTTP requests (see https://trac.torproject.org/projects/tor/ticket/11183
> > and https://trac.torproject.org/projects/tor/wiki/doc/meek#HowtolooklikebrowserHTTPS).
> > But the fact that it shows two icons on OS X is a bug, one I don't know
> > how to fix yet (https://trac.torproject.org/projects/tor/ticket/11429).
> 
> No problem. Thanks for the clarification.
> 
> >> Connections to google.com, evintl-oscp.versigin.com, and
> >> calendar.google.com.
> > 
> > David Fifield: google.com and evintl-oscp.verisign.com are expected. That's because all
> > your traffic is being routed through Google's App Engine servers. I'm
> > surprised at calendar.google.com though. How did you get those names?
> > Through reverse DNS? Google can give you different frontend IPs and maybe one
> > of them reverse-resolves to calendar.google.com.
> 
> The connections were observed using Little Snitch
> (http://www.obdev.at/products/littlesnitch/index.html).
> 
> The PCAP file:
> TorBrowser-4:12:14 at 14:13.pcap -
> https://drive.google.com/file/d/0B8a32woongSmcHRQSGtXNlc2M1k/edit?usp=sharing

Thanks. The only addresses I find in the pcap file are:

0.0.194.82
0.0.194.95
127.0.0.1
173.194.65.147 (ee-in-f147.1e100.net)

I'm assuming that the first two are anonymized stand-ins for your IP
address. 0.0.194.82 appears to be what your Tor Browser uses to talk to
tor on 127.0.0.1:9150 and 127.0.0.1:9151, and 0.0.194.95 appears to be
the external address used to talk to www.google.com. 173.194.65.147, for
me, reverse resolves to ee-in-f147.1e100.net, which is one of Google's
servers.

David Fifield
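
Added example, not part of the original message: one way to list the IPv4 addresses present in a capture like the one discussed above, using only the Python standard library. It assumes a classic pcap file with Ethernet framing; the function names and the sample packets (built from the addresses listed in the message) are constructed for illustration.

```python
import struct
from collections import Counter

def ipv4_endpoints(pcap: bytes) -> Counter:
    """Count IPv4 source/destination addresses in a classic pcap capture."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian host
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    # Global header is 24 bytes; the link type is its last 32-bit field.
    if len(pcap) < 24 or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("truncated header or non-Ethernet link type")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        # Record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet II header is 14 bytes; EtherType 0x0800 means IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        # IPv4 source is at header offset 12, destination at offset 16.
        for raw in (frame[26:30], frame[30:34]):
            seen[".".join(map(str, raw))] += 1
    return seen

def sample_pcap() -> bytes:
    """Constructed capture reusing the addresses listed in the message."""
    pairs = [("0.0.194.82", "127.0.0.1"),
             ("0.0.194.95", "173.194.65.147"),
             ("173.194.65.147", "0.0.194.95")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        addr = lambda s: bytes(int(p) for p in s.split("."))
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         addr(src), addr(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for ip, n in sorted(ipv4_endpoints(sample_pcap()).items()):
        print(f"{ip}\t{n} packet(s)")
```

A hostname shown by a connection monitor is not stored in these headers, so a list produced this way contains addresses only.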

