#28168: Use ESNI via Firefox HTTPS helper
------------------------------+---------------------
     Reporter:  dcf           |      Owner:  dcf
         Type:  project       |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Obfuscation/meek |  Version:
     Severity:  Normal        | Resolution:
     Keywords:                |  Actual Points:
    Parent ID:                |         Points:
     Reviewer:                |        Sponsor:
------------------------------+---------------------
Comment (by dcf):

I set up a Cloudflare account and got this all working: meek with ESNI in place of domain fronting, running in Tor Browser with an external Firefox helper. When Tor Browser starts using a Firefox newer than 60 ESR, it won't need a separate external Firefox.

=== Cloudflare setup ===

 * Register a new domain name. I got rinsed-tinsel.site. (I initially planned to use a subdomain of bamsoftware.com, but Cloudflare only allows that on their paid plans—on the free plan the only option is to have Cloudflare handle ''all'' the DNS for the domain.)
 * Click "+ Add site", enter the domain name, and choose the free plan.
 * At the DNS screen, add a new CNAME record for subdomain "meek" pointing to "meek.bamsoftware.com". (How this works is when users query meek.rinsed-tinsel.site, the Cloudflare DNS server will give them an A record pointing at a Cloudflare edge server, and then the Cloudflare edge server will fetch origin pages from meek.bamsoftware.com.)
 * Go back to the name registrar and set the nameserver to the two *.ns.cloudflare.com servers that it tells you to set.
 * I then went and made the following configuration changes:
   * Crypto tab
     * SSL: Full (strict)
     * Always Use HTTPS: On
     * Minimum TLS Version: TLS 1.2
   * Firewall tab
     * Security Level: Essentially Off
     * Web Application Firewall
       * Browser Integrity Check: Off
   * Caching tab
     * Always Online™: Off
   * Scrape Shield tab
     * Email Address Obfuscation: Off
     * Server-side Excludes: Off
     * Hotlink Protection: Off

=== WebExtension build ===

Start with commit [https://gitweb.torproject.org/pluggable-transports/meek.git/log/?h=webextension&id=9a822c9e99e0bf23c542427de4eae3493ebccbc3 9a822c9e99] in the [https://gitweb.torproject.org/pluggable-transports/meek.git/log/?h=webextension webextension] branch.

 1. Enter meek/webextension/native and run `go build`. This produces the native component of the extension.
 1. Enter meek/webextension and run `make`.
This zips up the extension files into an installable bundle, !meek-http-hel...@bamsoftware.com.xpi.

=== Firefox setup ===

 3. Download [https://www.mozilla.org/en-US/firefox/developer/ Firefox Developer Edition]. You need the developer edition in order to install an unsigned extension.
 1. Run `firefox/firefox --ProfileManager` and create a new "esni" profile. Go to `about:config` and set these prefs:
{{{
browser.dom.window.dump.enabled
network.trr.mode=3
network.trr.uri=https://1.1.1.1/dns-query
network.security.esni.enabled=true
toolkit.startup.max_resumed_crashes=-1
xpinstall.signatures.required=false
}}}
 1. Go to `about:addons`. Click Extensions. Click ⚙️ and select "Install Add-on From File...". Open meek/webextension/!meek-http-hel...@bamsoftware.com.xpi. Say yes to the permissions dialog.
 1. Close Firefox.

=== meek-client-torbrowser build ===

 7. Edit meek/meek-client-torbrowser/{linux,mac,windows}.go (whatever's needed for your platform) and adjust the paths:
{{{
firefoxPath = "/path/to/firefox/firefox"
firefoxProfilePath = "/home/user/.mozilla/firefox/<RANDCHARS>.esni"
helperNativeManifestDir = "/path/to/tor-browser_en-US/Browser/.mozilla/native-messaging-hosts"
helperNativeExecutablePath = "/path/to/meek/webextension/native/native"
}}}
 1. In meek/meek-client-torbrowser, run `go build`.
 1. Copy the resulting meek-client-torbrowser binary to tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/.

=== Tor Browser setup ===

 10. Click the "Configure" button in Tor Launcher, or "Tor Network Settings..." in the onion toolbar icon.
 1. Click "Tor is censored in my country" and "Provide a bridge I know". Enter the bridge line:
{{{
meek 0.0.2.0:3 1922840D0D66CB82EACE4327F5001430227C0127 url=https://meek.rinsed-tinsel.site/
}}}
 1. Because of #12774, it may not work right away and you'll have to restart.

----

This is a packet capture of bootstrapping and browsing to example.com: attachment:meek-esni.pcap.
Here's a summary of all the Client Hellos it contains:
{{{
No.   Time                 Source         Destination    Protocol  Info
7     2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
14    2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
15    2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
16    2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1     Client Hello
122   2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
133   2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
134   2019-02-27 12:24:38  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
236   2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
237   2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
242   2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1     Client Hello
243   2019-02-27 12:24:39  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
348   2019-02-27 12:24:40  192.168.111.2  1.1.1.1        TLSv1.3   Client Hello
351   2019-02-27 12:24:40  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
431   2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
432   2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
437   2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
438   2019-02-27 12:24:41  192.168.111.2  1.1.1.1        TLSv1.2   Client Hello
550   2019-02-27 12:24:41  192.168.111.2  104.27.168.47  TLSv1.2   Client Hello
}}}
All the handshakes with 1.1.1.1 are DNS-over-HTTPS name lookups—I'm guessing some of them are Firefox's internal lookups, unrelated to the meek tunnel. 104.27.168.47 is the Cloudflare edge server.
The TLS fingerprints are:

||1.1.1.1 ||[https://tlsfingerprint.io/id/8300bf0e26f2a109 8300bf0e26f2a109] ([https://web.archive.org/web/20190227210213/https://tlsfingerprint.io/id/8300bf0e26f2a109 archive]) rank 3620 ||[https://tlsfingerprint.io/compare/bb94e801f7aee52b/8300bf0e26f2a109 comparison] ([https://web.archive.org/web/20190227210604/https://tlsfingerprint.io/compare/bb94e801f7aee52b/8300bf0e26f2a109 archive]) with ESR 60 rank 31 ||
||104.27.168.47 ||[https://tlsfingerprint.io/id/2dcbeba533890640 2dcbeba533890640] ([https://web.archive.org/web/20190227210126/https://tlsfingerprint.io/id/2dcbeba533890640 archive]) rank 6272 ||[https://tlsfingerprint.io/compare/bb94e801f7aee52b/2dcbeba533890640 comparison] ([https://web.archive.org/web/20190227210435/https://tlsfingerprint.io/compare/bb94e801f7aee52b/2dcbeba533890640 archive]) with ESR 60 rank 31 ||

The differences against the current ESR 60 fingerprint appear to be partly from the lack of plaintext SNI, and partly from unrelated TLS changes in Firefox.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28168#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
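As an added illustration of the "lack of plaintext SNI" observation above (example code written for this page, not part of the ticket, of meek, or of Firefox): a small Python parser that builds a minimal ClientHello record and reports what a passive on-path observer can read from it, namely the plaintext server_name extension if present and whether the draft ESNI extension (type 0xffce, the code point Firefox used in 2019) is carried instead. The ClientHello bytes are constructed here, not taken from the attached capture, and the ESNI body is a placeholder.

```python
import struct
# server_name is extension 0; the draft ESNI extension Firefox used in 2019 was 0xffce.
SNI_EXT = 0x0000
ESNI_EXT = 0xFFCE

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def sni_extension(hostname):
    """server_name extension carrying one plaintext host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)

def build_client_hello(extensions):
    """Minimal ClientHello record (constructed sample, not a real capture)."""
    ext_blob = b"".join(_ext(t, b) for t, b in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + b"\x00\x04\x13\x01\xc0\x2b"             # two cipher suites
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_extensions(record):
    """Walk a ClientHello record and return {extension_type: body}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                         # record hdr, hs hdr, version, random
    p += 1 + record[p]                         # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                         # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p, end, exts = p + 2, p + 2 + ext_len, {}
    while p < end:
        t, l = struct.unpack("!HH", record[p:p + 4])
        exts[t] = record[p + 4:p + 4 + l]
        p += 4 + l
    return exts

def visible_hostname(record):
    """What a passive observer learns: the plaintext SNI name, or None."""
    body = parse_extensions(record).get(SNI_EXT)
    if body is None:
        return None
    return body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()

def uses_esni(record):
    return ESNI_EXT in parse_extensions(record)
```

Run `visible_hostname` over a ClientHello built with `sni_extension("meek.rinsed-tinsel.site")` and the bridge hostname is exposed; build it with only an ESNI extension and the observer sees no hostname at all, which is the property the fingerprint comparison above reflects.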