[tor-talk] FortiGuard firewall blocks meek by TLS signature
David Fifield
david at bamsoftware.com
Sun Jul 24 08:04:35 UTC 2016
Recently, we had reports of Cyberoam firewalls blocking meek by TLS
signature:
https://lists.torproject.org/pipermail/tor-talk/2016-May/040923.html
I got a similar report, this time for a FortiGuard firewall.
The story is basically the same as last time: the firewall looks for TLS
that has the signature of a specific version of Firefox and is also
destined to one of the default front domains. This time it is the
signature of Firefox 45 they're looking for. They also were not blocking
the domain www.google.com, so meek-google would work if it hadn't been
shut down recently.
Here are workarounds to try if you find yourself in this situation. See
also: What to do if meek gets blocked.
https://lists.torproject.org/pipermail/tor-talk/2015-January/036410.html
First try changing the front domain. This is easy to do; you don't have
to edit any files.
https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain
These alternative bridge lines worked in this case:
Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com
The second workaround is to disable the Firefox TLS camouflage and use
naked Golang TLS. To do that, edit the file
Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client
to
ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client
I.e., remove the meek-client-torbrowser wrapper program. The format of
the line will differ slightly depending on your operating system, but it
should be pretty easy to figure out.
The third workaround is to set up your own App Engine app. This isn't
very hard to do. Instructions are here:
https://lists.torproject.org/pipermail/tor-talk/2016-June/041699.html
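Added example (not part of the original message and not Tor Browser's own code): a Python sketch of the second workaround that removes the meek-client-torbrowser wrapper from the active meek line whatever the path style. The function name disable_tls_camouflage and the Linux-style sample line are assumptions made for illustration; the Windows line is the one quoted in the message.

```python
import re
import shutil
import sys

# The wrapper program plus the "--" separator in front of the real meek-client
# path. Path prefix, separator style and an optional .exe suffix vary by OS.
WRAPPER = re.compile(r"\S*meek-client-torbrowser(?:\.exe)?\s+--\s+")
# What the line must still end with after the edit.
ENDS_WITH_CLIENT = re.compile(r"meek-client(?:\.exe)?\s*$")

def disable_tls_camouflage(torrc_text):
    """Return (new_text, changed); only the active meek plugin line is edited."""
    out, changed = [], False
    for line in torrc_text.splitlines(keepends=True):
        # Commented-out lines and other transports fail this comparison.
        if line.split()[:3] == ["ClientTransportPlugin", "meek", "exec"]:
            new, hits = WRAPPER.subn("", line, count=1)
            # Keep the edit only if meek-client is still the program to run.
            if hits and ENDS_WITH_CLIENT.search(new):
                line, changed = new, True
        out.append(line)
    return "".join(out), changed

# Windows form, copied from the message above.
WINDOWS_BEFORE = (r"ClientTransportPlugin meek exec "
    r"TorBrowser\Tor\PluggableTransports\terminateprocess-buffer "
    r"TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- "
    r"TorBrowser\Tor\PluggableTransports\meek-client" "\n")
# Constructed Linux-style form (assumed layout, not taken from the message).
LINUX_BEFORE = ("ClientTransportPlugin meek exec "
    "./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- "
    "./TorBrowser/Tor/PluggableTransports/meek-client\n")

if __name__ == "__main__":
    if len(sys.argv) == 2:            # path to torrc-defaults
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            text, changed = disable_tls_camouflage(fh.read())
        if changed:
            shutil.copy2(path, path + ".bak")   # keep the original to revert
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        print("updated" if changed else "no meek wrapper line found")
    else:                             # no argument: demo on the samples
        for sample in (WINDOWS_BEFORE, LINUX_BEFORE):
            print(disable_tls_camouflage(sample)[0], end="")
```

Run with the path to torrc-defaults as the only argument; the original file is kept beside it with a .bak suffix, and a second run reports that nothing was changed.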