Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
On Thu, Oct 04, 2018 at 06:23:32AM +, ithor wrote:
> Ok, correct me if I'm wrong. Is this what happens in a meek request :
> 1. unencrypted http request with the hostname I want to connect to in
> cleartext.
> 2. encrypted https connection to the hostname.
> 3. encrypted (http?) relay connection to the Tor entry node.

Completely wrong. Please read the docs:
https://trac.torproject.org/projects/tor/wiki/doc/meek#Overview
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports#meek

Encrypted HTTPS connection with a false SNI (ajax.aspnetcdn.com) readable for
the censor, but the actual destination hostname (meek.azureedge.net) in the
HTTP "Host" header. This way there's an encrypted connection to the CDN which
looks like a browser's HTTPS connection to "ajax.aspnetcdn.com" from the
outside. Once connected to the CDN, the meek client can talk to whatever app
within the CDN it wants to. It will talk to the meek server
(meek.azureedge.net), which IS a Tor bridge and as such acts as the entry
guard of the circuit.

--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
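To make the SNI/Host split concrete, here is an added Python example (not from the thread, and not meek's own code) that builds a minimal TLS ClientHello carrying the front domain in its SNI, parses it back the way a passive DPI box would without any keys, and builds the HTTP request whose Host header names the real bridge. The byte layout is constructed for illustration and omits most of a real handshake; the two domain names are the ones quoted in the message above.

```python
import struct
from typing import Optional

# Constructed illustration of the domain-fronting split described above:
# the SNI rides in the cleartext TLS ClientHello, so a passive censor can read it;
# the Host header rides inside the encrypted HTTP request, so only the CDN sees it.
FRONT_DOMAIN = "ajax.aspnetcdn.com"   # what the censor sees (SNI)
REAL_DOMAIN = "meek.azureedge.net"    # what the CDN routes on (Host header)


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with a single server_name extension.
    Constructed for illustration only: one cipher suite, zeroed random."""
    host = sni.encode()
    # ServerName: name_type(1) = host_name, name length(2), name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    server_name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (b"\x03\x03"                      # client_version TLS 1.2
            + bytes(32)                      # random
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\xc0\x2f"            # cipher_suites: one suite
            + b"\x01\x00"                    # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_seen_by_censor(record: bytes) -> Optional[str]:
    """Extract server_name from a ClientHello the way passive DPI does: no keys needed."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    p += 1 + record[p]                 # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                 # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0000:            # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None


def build_fronted_request(real_host: str, path: str = "/") -> bytes:
    """The HTTP request meek sends *inside* the TLS tunnel; Host names the real backend."""
    return (f"POST {path} HTTP/1.1\r\nHost: {real_host}\r\n"
            f"Content-Length: 0\r\n\r\n").encode()


def host_header(request: bytes) -> Optional[str]:
    """What the CDN edge reads after decrypting: the Host header, not the SNI."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


if __name__ == "__main__":
    hello = build_client_hello(FRONT_DOMAIN)
    inner = build_fronted_request(REAL_DOMAIN)
    print("censor sees SNI :", sni_seen_by_censor(hello))   # ajax.aspnetcdn.com
    print("CDN sees Host   :", host_header(inner))          # meek.azureedge.net
```

With ESNI (discussed later in the thread) the server_name extension itself would be encrypted, so `sni_seen_by_censor` would return nothing useful either.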
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, October 3, 2018 4:25 PM, Andreas Krey wrote:

> On Wed, 03 Oct 2018 13:03:14 +, ithor wrote:
> ...
> > Can you elaborate upon that for the noob I am. If i understand you
> > correctly, when using domain fronting, Tor basically spoofs or "hijacks"
> > the ip address of an existing Azure server client ?
>
> SNI: Server Name Indication. While setting up the encryption the client
> needs to send (in cleartext) the host name it wishes to connect to
> (so that the server can use the corresponding certificate). That is how
> https still gives away whom you're talking to.

Ok, correct me if I'm wrong. Is this what happens in a meek request :
1. unencrypted http request with the hostname I want to connect to in cleartext.
2. encrypted https connection to the hostname.
3. encrypted (http?) relay connection to the Tor entry node.

> > What exactly is in the SNI : the name of the Azure server or some kind of
> > information of a real client using that service ?
>
> The name of some service (web site) hosted. Domain fronting means that
> the meek client uses one hostname for establishing the encryption, and
> inside the encrypted channel a different hostname it actually wants to
> talk to. Google apparently now enforces that these two are the same.

Ok, so here is my question : this 'some service', is this some kind of dummy
request, like an empty form that just mimics the looks of a real request, or
is this actually a real-world request with an actual website? The reason I
ask is if the latter is the case (some real website hosted on an Azure
server), it might contain information the DPI finds harmful or compromising
for some reason or another to the gvt, and so, because I don't know what
'some service' is actually being used, I might very well be playing Russian
roulette with the DPI.

> > What could China block ? The ip of the real client who was spoofed ?
>
> The cleartext hostname in the SNI (if it bothers to). (Question is how
> they detect what hostnames are used there.)

Well, if the hostname is sent in cleartext, that shouldn't be too much of a
problem...

> > What would ESNI (encrypted SNI) bring into the mix concerning meek
> > connections ?
>
> Here the SNI host field is already sent encrypted so china can't tell
> anymore which service/website on azure/whatever you're connecting to,
> it only sees that you are addressing azures/googles/amazons/cloudflares
> cloud. But it will take time until this is widely in use so that you're
> not suspicious for just using ESNI (not sure if that is an official
> acronym).
>
> Actually:
> https://en.wikipedia.org/wiki/Domain_fronting
> https://blog.cloudflare.com/encrypted-sni/
>
> Andreas
>
> --
> "Totally trivial. Famous last words."
> From: Linus Torvalds
> Date: Fri, 22 Jan 2010 07:29:21 -0800
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
On Wed, 03 Oct 2018 13:03:14 +, ithor wrote:
...
> Can you elaborate upon that for the noob I am. If i understand you correctly,
> when using domain fronting, Tor basically spoofs or "hijacks" the ip address
> of an existing Azure server client ?

SNI: Server Name Indication. While setting up the encryption the client
needs to send (in cleartext) the host name it wishes to connect to
(so that the server can use the corresponding certificate). That is how
https still gives away whom you're talking to.

> What exactly is in the SNI : the name of the Azure server or some kind of
> information of a real client using that service ?

The name of some service (web site) hosted. Domain fronting means that
the meek client uses one hostname for establishing the encryption, and
inside the encrypted channel a different hostname it actually wants to
talk to. Google apparently now enforces that these two are the same.

> What could China block ? The ip of the real client who was spoofed ?

The cleartext hostname in the SNI (if it bothers to). (Question is how
they detect what hostnames are used there.)

> What would ESNI (encrypted SNI) bring into the mix concerning meek
> connections ?

Here the SNI host field is already sent encrypted so china can't tell
anymore which service/website on azure/whatever you're connecting to,
it only sees that you are addressing azures/googles/amazons/cloudflares
cloud. But it will take time until this is widely in use so that you're
not suspicious for just using ESNI (not sure if that is an official
acronym).

Actually:
https://en.wikipedia.org/wiki/Domain_fronting
https://blog.cloudflare.com/encrypted-sni/

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds
Date: Fri, 22 Jan 2010 07:29:21 -0800
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
> The IP address of the Azure server you're connecting to.

How does the selection of the Azure server work ? Randomly ? If i understood
well, domain-fronting servers are supposedly located geographically close to
the origin of the browser request. Could it be that TBB selects an Azure
server that could be hosted in a country considered hostile to the regime of
the Internet user ? If so, couldn't that be compromising ?

> In the case of meek-azure the firewall would also see that you supposedly
> want to connect to "ajax.aspnetcdn.com", which is a common domain used by
> websites that are hosted on Azure.

What firewall are we talking about ? The one that sits on the Azure server or
the one of the gvt with the DPI ?

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, October 3, 2018 1:36 PM, Jonathan Marquardt wrote:

> On Wed, Oct 03, 2018 at 12:25:52PM +, ithor wrote:
> > So a meek request is sent in clear-text. What exact information is given ?
> > The exact ip address of the Azure server, its geolocation ?
>
> The IP address of the Azure server you're connecting to. In the case of
> meek-azure the firewall would also see that you supposedly want to connect to
> "ajax.aspnetcdn.com", which is a common domain used by websites that are
> hosted on Azure. The domain delivers some JavaScript code and whatnot. So you
> should just look like a harmless web browser surfing the web on first sight.
>
> > Could the DPI find out that this is being used for bootstrapping Tor ?
>
> Perhaps with some clever traffic correlation or timing attacks, but not so
> easily.
>
> To also answer your question from the other mail in the thread: With encrypted
> SNI, the firewall couldn't even see the fake destination (ajax.aspnetcdn.com)
> your meek client sends.
>
> This might be interesting in the future, but isn't in use with meek yet. For
> more info on that topic, have a look at this thread:
> https://lists.torproject.org/pipermail/tor-dev/2018-September/013452.html
>
> --
> OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
> https://www.parckwart.de/pgp_key
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
On Wed, Oct 03, 2018 at 12:25:52PM +, ithor wrote:
> So a meek request is sent in clear-text. What exact information is given ?
> The exact ip address of the Azure server, its geolocation ?

The IP address of the Azure server you're connecting to. In the case of
meek-azure the firewall would also see that you supposedly want to connect to
"ajax.aspnetcdn.com", which is a common domain used by websites that are
hosted on Azure. The domain delivers some JavaScript code and whatnot. So you
should just look like a harmless web browser surfing the web on first sight.

> Could the DPI find out that this is being used for bootstrapping Tor ?

Perhaps with some clever traffic correlation or timing attacks, but not so
easily.

To also answer your question from the other mail in the thread: With encrypted
SNI, the firewall couldn't even see the fake destination (ajax.aspnetcdn.com)
your meek client sends.

This might be interesting in the future, but isn't in use with meek yet. For
more info on that topic, have a look at this thread:
https://lists.torproject.org/pipermail/tor-dev/2018-September/013452.html

--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
On Wed, Oct 03, 2018 at 08:30:53AM -0400, James Bunnell wrote:
> I'm a little curious why some people don't take G Suite into consideration :)

Google clearly doesn't like seeing its services used for censorship
circumvention.
https://lists.torproject.org/pipermail/tor-talk/2016-June/041057.html

--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
> Or they don't want to ruin their standing with the client who has the name
> that is used in the SNI (and who takes the loss when china should decide to
> block that b/c it's used by fronters).

Can you elaborate upon that for the noob I am. If i understand you correctly,
when using domain fronting, Tor basically spoofs or "hijacks" the ip address
of an existing Azure server client ?

What exactly is in the SNI : the name of the Azure server or some kind of
information of a real client using that service ?

What could China block ? The ip of the real client who was spoofed ?

What would ESNI (encrypted SNI) bring into the mix concerning meek
connections ?
https://www.theregister.co.uk/2018/07/17/encrypted_server_names/

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, October 3, 2018 12:50 PM, Andreas Krey wrote:

> On Wed, 03 Oct 2018 14:06:27 +, Jonathan Marquardt wrote:
> ...
> > They did so supposedly because it violated their terms of use.
>
> It also probably violates a few RFCs, and they never advertised
> this 'feature'.
>
> > They probably don't want to ruin their relationships with totalitarian
> > regimes.
>
> Or they don't want to ruin their standing with the client who
> has the name that is used in the SNI (and who takes the loss
> when china should decide to block that b/c it's used by fronters).
>
> Andreas
>
> --
> "Totally trivial. Famous last words."
> From: Linus Torvalds
> Date: Fri, 22 Jan 2010 07:29:21 -0800
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
On Wed, 03 Oct 2018 14:06:27 +, Jonathan Marquardt wrote:
...
> They did so supposedly because it violated their terms of use.

It also probably violates a few RFCs, and they never advertised
this 'feature'.

> They probably don't want to ruin their relationships with totalitarian
> regimes.

Or they don't want to ruin their standing with the client who
has the name that is used in the SNI (and who takes the loss
when china should decide to block that b/c it's used by fronters).

Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds
Date: Fri, 22 Jan 2010 07:29:21 -0800
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
I'm a little curious why some people don't take G Suite into consideration :)

On Wed, Oct 3, 2018 at 8:26 AM ithor wrote:
>
> ok, so for once i'll keep my fingers crossed for Microsoft...
>
> How should I imagine the connection until the Azure server. What does it tell
> the DPI ? Just that I'm connecting to a close-to-my-country-based Microsoft
> CDN ?
>
> On wikipage it's stated that
>
> The technique works by using different domain names at different layers of
> communication. The domain name of an innocuous site is used to initialize the
> connection. This domain name is exposed to the censor in clear-text as part
> of the DNS request and the TLS Server Name Indication.
>
> So a meek request is sent in clear-text. What exact information is given ?
> The exact ip address of the Azure server, its geolocation ? Could the DPI
> find out that this is being used for bootstrapping Tor ?
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, October 3, 2018 12:06 PM, Jonathan Marquardt wrote:
>
> > On Wed, Oct 03, 2018 at 08:38:52AM +, ithor wrote:
> > > ever since TBB 8, there's the new moat way to obtain private obfs4 bridges
> > > through a CAPTCHA. In the following webpage it's stated meek is used in
> > > order to communicate with the Tor bridges database. Now, my question is :
> > > which ones ? In my country, domain fronting for Amazon and Google are
> > > unavailable, so the only meek_bridge still working is the meek_azure one,
> > > which isn't going to last.
> >
> > It's not just your country. The meek bridge instances in the Google and Amazon
> > CDNs were shut down by the corresponding companies. They did so supposedly
> > because it violated their terms of use. They probably don't want to ruin their
> > relationships with totalitarian regimes. Unless all of the sudden Microsoft
> > decides that they want these good relationships as well and shut meek-azure
> > down, I see no reason to believe that it's not going to last. Meek should be
> > relatively hard to censor using a firewall.
> >
> > > So what will happen when it will shut down ? What alternative solutions TBB
> > > will come up with?
> >
> > There's still the good old bridges.torproject.org website as an alternative as
> > well as GetTor: https://gettor.torproject.org/
> >
> > > Second question : how is the information concerning the private obfs4 bridge
> > > protected during the inquiry ?
> >
> > Meek works by tunneling your data via TLS encryption from the CDN, in this
> > case Microsoft Azure. No adversary tapping your internet connection should be
> > able to retrieve the data.
> >
> > --
> > OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
> > https://www.parckwart.de/pgp_key

--
Moses was the first one to download to his tablet from the cloud.
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
ok, so for once i'll keep my fingers crossed for Microsoft...

How should I imagine the connection until the Azure server. What does it tell
the DPI ? Just that I'm connecting to a close-to-my-country-based Microsoft
CDN ?

On wikipage it's stated that

The technique works by using different domain names at different layers of
communication. The domain name of an innocuous site is used to initialize the
connection. This domain name is exposed to the censor in clear-text as part
of the DNS request and the TLS Server Name Indication.

So a meek request is sent in clear-text. What exact information is given ?
The exact ip address of the Azure server, its geolocation ? Could the DPI
find out that this is being used for bootstrapping Tor ?

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, October 3, 2018 12:06 PM, Jonathan Marquardt wrote:

> On Wed, Oct 03, 2018 at 08:38:52AM +, ithor wrote:
> > ever since TBB 8, there's the new moat way to obtain private obfs4 bridges
> > through a CAPTCHA. In the following webpage it's stated meek is used in
> > order to communicate with the Tor bridges database. Now, my question is :
> > which ones ? In my country, domain fronting for Amazon and Google are
> > unavailable, so the only meek_bridge still working is the meek_azure one,
> > which isn't going to last.
>
> It's not just your country. The meek bridge instances in the Google and Amazon
> CDNs were shut down by the corresponding companies. They did so supposedly
> because it violated their terms of use. They probably don't want to ruin their
> relationships with totalitarian regimes. Unless all of the sudden Microsoft
> decides that they want these good relationships as well and shut meek-azure
> down, I see no reason to believe that it's not going to last. Meek should be
> relatively hard to censor using a firewall.
>
> > So what will happen when it will shut down ? What alternative solutions TBB
> > will come up with?
>
> There's still the good old bridges.torproject.org website as an alternative as
> well as GetTor: https://gettor.torproject.org/
>
> > Second question : how is the information concerning the private obfs4 bridge
> > protected during the inquiry ?
>
> Meek works by tunneling your data via TLS encryption from the CDN, in this
> case Microsoft Azure. No adversary tapping your internet connection should be
> able to retrieve the data.
>
> --
> OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
> https://www.parckwart.de/pgp_key
Re: [tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
On Wed, Oct 03, 2018 at 08:38:52AM +, ithor wrote:
> ever since TBB 8, there's the new moat way to obtain private obfs4 bridges
> through a CAPTCHA. In the following webpage it's stated meek is used in
> order to communicate with the Tor bridges database. Now, my question is :
> which ones ? In my country, domain fronting for Amazon and Google are
> unavailable, so the only meek_bridge still working is the meek_azure one,
> which isn't going to last.

It's not just your country. The meek bridge instances in the Google and Amazon
CDNs were shut down by the corresponding companies. They did so supposedly
because it violated their terms of use. They probably don't want to ruin their
relationships with totalitarian regimes. Unless all of the sudden Microsoft
decides that they want these good relationships as well and shut meek-azure
down, I see no reason to believe that it's not going to last. Meek should be
relatively hard to censor using a firewall.

> So what will happen when it will shut down ? What alternative solutions TBB
> will come up with?

There's still the good old bridges.torproject.org website as an alternative as
well as GetTor: https://gettor.torproject.org/

> Second question : how is the information concerning the private obfs4 bridge
> protected during the inquiry ?

Meek works by tunneling your data via TLS encryption from the CDN, in this
case Microsoft Azure. No adversary tapping your internet connection should be
able to retrieve the data.

--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
[tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
Hi,

ever since TBB 8, there's the new moat way to obtain private obfs4 bridges
through a CAPTCHA. In the following webpage it's stated meek is used in
order to communicate with the Tor bridges database. Now, my question is :
which ones ? In my country, domain fronting for Amazon and Google are
unavailable, so the only meek_bridge still working is the meek_azure one,
which isn't going to last.

So what will happen when it will shut down ? What alternative solutions TBB
will come up with?

Second question : how is the information concerning the private obfs4 bridge
protected during the inquiry ?

Sent with [ProtonMail](https://protonmail.com) Secure Email.