[tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
Jonathan Marquardt
mail at parckwart.de
Thu Oct 4 17:52:04 UTC 2018
On Thu, Oct 04, 2018 at 06:23:32AM +0000, ithor wrote:
> Ok, correct me if I'm wrong. Is this what happens in a meek request :
> 1. unencrypted http request with the hostname I want to connect to in cleartext.
> 2. encrypted https connection to the hostname.
> 3. encrypted (http?) relay connection to the Tor entry node.
Completely wrong.
Please read the docs:
https://trac.torproject.org/projects/tor/wiki/doc/meek#Overview
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports#meek
Encrypted HTTPS connection with a false SNI (ajax.aspnetcdn.com) readable for
the censor, but the actual destination hostname (meek.azureedge.net) in the
HTTP "Host" header. This way there's an encrypted connection to the CDN which
looks like a browser's HTTPS connection to "ajax.aspnetcdn.com" from the
outside. Once connected to the CDN, the meek client can talk to whatever app
within the CDN it wants to. It will talk to the meek server
(meek.azureedge.net), which IS a Tor bridge and as such acts as the entry
guard of the circuit.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20181004/0215d48e/attachment.sig>
More information about the tor-talk
mailing list