Set up domain fronting for BridgeDB
We've been discussing setting up domain fronting for BridgeDB for a while now.
Benefits include better reachability (to BridgeDB) for clients in censored regions. Solving the problem of clients not being able to reach BridgeDB would allow Tor Browser to do smarter things w.r.t. helping clients get bridges, helping them get the right kind of bridges, helping clients determine which kind of bridge is the right kind, and helping BridgeDB know more about which (types of) bridges are blocked (in specific regions, possibly). This will also allow Tor Browser to recommend that meek users obtain a different type of working bridge, which will hopefully allow us to start reducing meek's costs without losing bridge users (and hopefully, without decreasing usability).
This shouldn't be too difficult to set up; however, some open questions include:
- What changes, if any, will we need to make to meek-server to reuse David's work?
- What changes will we need to make to BridgeDB?
- Who will maintain the CDN accounts? Who will pay for them?
- How can we ensure that the traffic to/from BridgeDB is end-to-end TLS encrypted? Can we do this and yet still get the client's real IP address (which BridgeDB currently uses for some necessary rate-limiting logic)?
- How many, and which, CDNs do we want to set up?