[tor-qa] Fwd: Re: 3.5.4-meek-1 (meek bundles with browser TLS camouflage)

David Fifield david at bamsoftware.com
Sun Apr 20 21:21:54 UTC 2014

On Sun, Apr 20, 2014 at 07:17:40PM +0000, Wilton Gorske wrote:
> > On Sat, Apr 12, 2014 at 12:22:47PM +0000, Wilton Gorske wrote:
> >> TBB Launches successfully: yes, *****but launches two browsers?
> > 
> > David Fifield: Thanks for testing. Launching two browsers is expected--the second
> > browser is the one that hosts the browser extension that meek uses to
> > make its HTTP requests (see https://trac.torproject.org/projects/tor/ticket/11183
> > and https://trac.torproject.org/projects/tor/wiki/doc/meek#HowtolooklikebrowserHTTPS).
> > But the fact that it shows two icons on OS X is a bug, one I don't know
> > how to fix yet (https://trac.torproject.org/projects/tor/ticket/11429).
> No problem. Thanks for the clarification.
> >> Connections to google.com, evintl-oscp.versigin.com, and
> >> calendar.google.com.
> > 
> > David Fifield: google.com and evintl-oscp.verisign.com are expected. That's because all
> > your traffic is being routed through Google's App Engine servers. I'm
> > surprised at calendar.google.com though. How did you get those names?
> > Through reverse DNS? Google can give you different frontend IPs and maybe one
> > of them reverse-resolves to calendar.google.com.
> The connections were observed using Little Snitch
> (http://www.obdev.at/products/littlesnitch/index.html).
> The PCAP file:
> TorBrowser-4:12:14 at 14:13.pcap -
> https://drive.google.com/file/d/0B8a32woongSmcHRQSGtXNlc2M1k/edit?usp=sharing

Thanks. The only addresses I find in the pcap file are: (ee-in-f147.1e100.net)

I'm assuming that the first two are anonymized standins for your IP
address. appears to be what your Tor Browser uses to talk to
tor on and, and appears to be
the external address used to talk to www.google.com., for
me, reverse resolves to ee-in-f147.1e100.net, which is one of Google's

David Fifield
