Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
Updated: 2022-07-25T22:20:05Z

Check meek fingerprint on ESR 45
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/18927
Updated: 2022-07-25T22:20:05Z
Author: David Fifield <dcf@torproject.org>

legacy/trac#15197
Previous tickets like this are legacy/trac#15512 and legacy/trac#13442.
Assignee: David Fifield <dcf@torproject.org>

Mac OS: meek-http-helper profile not updated
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/18904
Updated: 2020-06-27T13:44:16Z
Author: Mark Smith

After the changes from legacy/trac#13252 and related tickets were merged, on Mac OS a template is used to create the meek-http-helper browser profile. Unfortunately, the meek-client-torbrowser code that Kathy and I wrote to copy files does not account for the fact that files within the template may change during a Tor Browser update (it only copies files if the profile.meek-http-helper directory does not exist).
Assignee: Mark Smith

Make meek-server easy to use with Let's Encrypt
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/18655
Updated: 2020-06-27T13:44:16Z
Author: David Fifield <dcf@torproject.org>

Currently it's not trivial to get certificates for meek-server using Let's Encrypt. The `--webroot` option, for example, wants to write a token to the filesystem so the web server can serve it, but meek-server doesn't serve files from the filesystem.
Ideally this works in a way that certificates can be renewed (e.g. in a cron job) without restarting tor or meek-server.
Assignee: David Fifield <dcf@torproject.org>

Tame "reading from ORPort" error logs in meek-server
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/18141
Updated: 2021-11-08T19:49:21Z
Author: David Fifield <dcf@torproject.org>

meek-server operators have asked to disable this error message:
```
reading from ORPort: read tcp 127.0.0.1:YYYY->127.0.0.1:ZZZZ: read: connection reset by peer
```
It occurs whenever tor closes the TCP connection between meek-server and itself. This happens very frequently when you restart the meek-server process, because it loses its cache of current session-IDs. When clients connect using their formerly valid session-IDs, meek-server treats them as new connections and opens new ORPort connections. The clients push TLS application data over the new connection, which doesn't match what tor expects from a new connection, so it shuts it down. Right after restarting you get a ton of these messages for a while (can be more than 10 per second).
Assignee: David Fifield <dcf@torproject.org>

meek-server logging client IP addresses in some situations
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/18077
Updated: 2021-11-08T19:49:21Z
Author: David Fifield <dcf@torproject.org>

Today a meek-server operator saw new types of error, the text of which includes client IP addresses:
```
http: TLS handshake error from X.X.X.X:YYYY: EOF
http: TLS handshake error from X.X.X.X:YYYY: read tcp X.X.X.X:YYYY: i/o timeout
```
Assignee: David Fifield <dcf@torproject.org>

Separate the meek bridge backing paid CDNs from the one we tell the general public to use
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/17890
Updated: 2020-06-27T13:44:16Z
Author: David Fifield <dcf@torproject.org>

In source code and examples, we recommend https://meek.bamsoftware.com/ (port 443) for use by the general public. But that's also the backing bridge for meek-azure, and it's rate-limited to reduce costs.
We should split it into two bridges (e.g. running on different ports). Rate-limit the one behind the paid CDN, because that's the expensive one. Make the other one unlimited (if someone else is paying the CDN fees, they can use all the bandwidth they want).
This will enable more people to use the default meek-azure at the same speed, while enabling people who set up their own to go fast.
Assignee: David Fifield <dcf@torproject.org>

Update meek quick start screenshots for TB 4.5
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/16498
Updated: 2020-06-27T13:44:16Z
Author: David Fifield <dcf@torproject.org>

[[doc/meek#Quickstart]]
The order of dialogs has changed. I manually rearranged the TB 4.0 screenshots, but that means "Connect" is on the wrong screen.
Assignee: David Fifield <dcf@torproject.org>

add-on compatibility check occurs repeatedly
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/16269
Updated: 2020-06-27T13:44:16Z
Author: Mark Smith

This is a spinoff of ticket legacy/trac#16014. Georg noticed that after he updated Tor Browser 4.5a5 to 5.0a1, he saw a "Checking Compatibility of Add-ons" window each time he started the browser. Kathy and I debugged this and found that this window is coming from the meek helper browser. It shows up repeatedly because the prefs.js file is not being written to the profile (presumably because the meek browser is killed and does not exit in a clean manner).
One way to fix this is to add code to the meek HTTP helper extension that flushes the browser prefs. to disk before it enters the blocking event loop. There may be a better solution, but this seems to solve the problem.
Assignee: David Fifield <dcf@torproject.org>

Meek with google is much slower in TBB 4.0.5 than in TBB 4.0.3
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15523
Updated: 2020-06-27T13:44:17Z
Author: cypherpunks

Using Meek - Google in TBB 4.0.5 is much slower than normal tor speed received in TBB 4.0.3 with Meek - Google. So I had gone back to 4.0.3 until this is fixed.
I know speed of internet is not a simple problem, but I have tested this again and again, no effect. 4.0.5 meek-google is much slow and unusable while meek-google in 4.0.3 is at normal expected tor speed.
I guess this sounds like bad report without extra info, but if you tell how, I can give more info on it.
I have not tested with TBB 4.0.4.
I posted above as comment in a blog post, but I reposted here to bring it to attention of good meek developers, apology! Thanks.
Assignee: David Fifield <dcf@torproject.org>

Check meek TLS fingerprint on ESR 38
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15512
Updated: 2022-07-25T22:20:04Z
Author: David Fifield <dcf@torproject.org>

legacy/trac#15196 Rebase Tor Browser patches to ESR 38
See legacy/trac#13442 for an earlier version of this ticket on ESR 31.
Assignee: David Fifield <dcf@torproject.org>

Firefox helper broken when front= is missing
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15427
Updated: 2020-06-27T13:44:17Z
Author: David Fifield <dcf@torproject.org>

[0e6ced86](https://gitweb.torproject.org/pluggable-transports/meek.git/commit/?id=0e6ced86880b54f57a80b34d7f1b32a0eaa33b48) (legacy/trac#12778) broke the Firefox helper when the bridge line is missing the "front" parameter, because it strips off the Host header and doesn't put it back.
Assignee: David Fifield <dcf@torproject.org>

meek-client should support SOCKS proxies w/o Firefox
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15158
Updated: 2020-06-27T13:44:17Z
Author: Nathan Freitas

With meek on Android 4.x in Orbot's VPN mode, we need to proxy outbound connections through a loopback proxy in order to flag socket connections to not go through the VPN. Currently, we have a local SOCKS proxy that does this for tor and obfs4, but since meek requires Firefox to use SOCKS we can't support it in VPN mode.
It would be great to have meek support SOCKS natively w/o needing Firefox.
We currently use SOCKS 5, but can support SOCKS 4 as well, via this java class:
https://github.com/guardianproject/OrbotVPN/blob/master/src/com/runjva/sourceforge/jsocks/protocol/ProxyServer.java
Assignee: Yawning Angel

meek-client-torbrowser does not use signals well
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15125
Updated: 2020-06-27T13:44:17Z
Author: Ximin Luo

When testing meek-client-wrapper, I noticed two things:
- it does not respond to SIGINT or SIGKILL. also, the signal handling code is different from meek-client. perhaps we should move it to goptlib?
- it uses sigkill to kill its children, not giving them a chance to clean up. Yes, this is awkward on windows but we can at least do something nicer on posix systems.
Assignee: David Fifield <dcf@torproject.org>

meek-client looks for /etc/resolv.conf on Android
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/14897
Updated: 2020-06-27T13:44:17Z
Author: Nathan Freitas

I have meek-client successfully cross compiled and starting up on Android, but as requests come in, there is a DNS lookup that relies on /etc/resolv.conf which doesn't exist on Android:
```
2015/02/13 16:16:00 error in handling request: dial tcp: error reading DNS config: open /etc/resolv.conf: no such file or directory
```
Assignee: David Fifield <dcf@torproject.org>

Clarify whether Cloudflare's Universal SSL thing works with meek
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/14256
Updated: 2020-06-27T13:44:18Z
Author: cypherpunks

The [Meek wiki](https://trac.torproject.org/projects/tor/wiki/doc/meek) page has a section on CloudFlare as a possible CDN to use, but seems to have been written before CloudFlare rolled out their [Universal SSL](https://blog.cloudflare.com/introducing-universal-ssl/) free tier.
Would it be possible to have a meek-cloudflare using this Universal SSL thing?
Assignee: David Fifield <dcf@torproject.org>

Tor Browser with meek opens two Software Update windows
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/14203
Updated: 2020-06-27T13:44:18Z
Author: David Fifield <dcf@torproject.org>

When I'm browsing with meek, I tend to get two "Software Update Available" windows appearing simultaneously. I suppose the second one is from the headless meek-http-helper.
Assignee: David Fifield <dcf@torproject.org>

Check TLS fingerprint in Tor Browser 4.0
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13442
Updated: 2022-07-25T22:20:04Z
Author: David Fifield <dcf@torproject.org>

Make sure we still only differ in client randomness as claimed at [[doc/meek#Sampleclienthellos]]. Also update that section of the wiki page.
Assignee: David Fifield <dcf@torproject.org>

Guide on how to use various public services for meek
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13335
Updated: 2020-06-27T13:44:18Z
Author: Ximin Luo

<dcf1> You only need a reflector-like thing when the CDN-like thing doesn't let you point to arbitrary domains.
<dcf1> Amazon CloudFront lets you point to any domain, so the reflector is the CDN itself.
<dcf1> Google only lets you point to a Google domain, so to get around that you run an app on App Engine.
<dcf1> Azure also only allows you to point to an Azure domain, so you use the PHP or WSGI code.
It would be nice to collect this information into a document in meek.git for others.
Assignee: David Fifield <dcf@torproject.org>

meek should use the user's country Google site
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13306
Updated: 2020-06-27T13:44:18Z
Author: Trac

According to the documentation, meek-google uses google.com as the front-end site.
However, google.com would redirect the browser to a local site - e.g. google.co.uk, google.ae, google.com.sa etc.
**Trac**:
**Username**: john1deer
Assignee: David Fifield <dcf@torproject.org>

Set up an Azure backend
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13189
Updated: 2020-06-27T13:44:18Z
Author: David Fifield <dcf@torproject.org>

I got a 12-month research pass for [[doc/meek#MicrosoftAzure]].
Assignee: David Fifield <dcf@torproject.org>