- Sep 04, 2022
-
-
Yawning Angel authored
-
Yawning Angel authored
-
Yawning Angel authored
-
- Feb 04, 2022
-
-
Yawning Angel authored
-
- Feb 03, 2022
-
-
Yawning Angel authored
While this was a good idea back when I did it:

* People don't like the fact that it requires a fork of utls to fix compatibility issues, and would rather spend 3 years complaining about it instead of spending a weekend to fix the issues in upstream.
* Tor over meek is trivially identifiable regardless of utls or not.
* Malware asshats ruined domain fronting for everybody.
-
- Jan 02, 2022
-
-
Yawning Angel authored
-
- Dec 31, 2021
-
-
Yawning Angel authored
-
Yawning Angel authored
Replace agl's Elligator2 implementation with a different one, that fixes the various distinguishers stemming from bugs in the original implementation and "The Elligator paper is extremely hard to read". All releases prior to this commit are trivially distinguishable with simple math, so upgrading is strongly recommended. The upgrade is fully backward-compatible with existing implementations, however the non-upgraded side will emit traffic that is trivially distinguishable from random. Special thanks to Loup Vaillant for his body of work on this primitive, and for motivating me to fix it.
-
- May 11, 2021
-
-
Yawning Angel authored
And add the Chrome 83 fingerprint.
-
- Dec 17, 2020
-
-
Philipp Winter authored
Obfs4proxy implements the -unsafeLogging switch but it's been ignored so far. This patch makes it work.
-
- Dec 07, 2020
-
-
Philipp Winter authored
Microsoft recently updated the root CA certificates that are served to Azure clients. See the following article for more details: https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes

This change broke meek-lite because none of its pins work anymore. That means that Tor Browser users can no longer use meek-azure or moat as both rely on meek-lite. This patch fixes the problem by updating the certificate pins.

Signed-off-by: Yawning Angel <yawning@schwanenlied.me>
-
- Apr 10, 2020
-
-
Yawning Angel authored
I really didn't want to do this, but this should make `go get` work again, and maybe people will leave me alone.
-
- Jun 21, 2019
-
-
Yawning Angel authored
-
Yawning Angel authored
-
Yawning Angel authored
-
Yawning Angel authored
The old behavior closed the connection on handshake failure after:

* The first N bytes (random on a per-server basis).
* The first M seconds (random on a per-server basis).

Whichever came first. As Sergey Frolov kindly points out, depending on which conditions cause termination, the server will send either a FIN or a RST. This change will remove the "amount read" based termination threshold, so that connections that cause failed handshakes will discard all data received until the teardown time is reached.

Thanks to Sergey Frolov for bringing this issue to my attention.
-
- May 20, 2019
-
-
Yawning Angel authored
-
Yawning Angel authored
-
- Apr 12, 2019
-
-
Yawning Angel authored
-
- Feb 05, 2019
-
-
Yawning Angel authored
-
Yawning Angel authored
-
- Feb 04, 2019
-
-
Yawning Angel authored
HPKP is effectively dead as far as a standard goes, but the idea has merit in certain use cases, this being one of them. As a TLS MITM essentially will strip whatever obfuscation that the transport may provide, the digests of the SubjectPublicKeyInfo fields of the Tor Browser Azure meek host are now hardcoded. The behavior can be disabled by passing `disableHPKP=true` on the bridge line, for cases where compatibility is preferred over security.
-
- Feb 01, 2019
-
-
Yawning Angel authored
-
- Jan 21, 2019
-
-
Yawning Angel authored
There's still some interesting oddities depending on remote server and what fingerprint is chosen, but I can watch videos online with the chosen settings and the TBB Azure bridge. Note: Despite what people are claiming in the Tor Browser bug tracker it isn't all that hard to use the built in http client with utls. And yes, the `transport.go` code does negotiate correctly in a standalone test case (apart from compatibility related oddities).
-
- Jan 20, 2019
-
-
Yawning Angel authored
-
Yawning Angel authored
-
- Jan 16, 2019
-
-
Yawning Angel authored
This commit changes the upstream repo location to: https://gitlab.com/yawning/obfs4.git Additionally all the non-`main` sub-packages now have an import comment annotation. As a matter of courtesy, I will continue to push to both the existing github.com and git.torproject.org repos for the foreseeable future, though I reserve the right to stop doing so at any time.
-
- Nov 03, 2018
-
-
Daniel Martí authored
The biggest win is that we now declare what versions of each dependency we require to build. This way, building a certain version of obfs4 will always use the same source code, independent of the master branch of each dependency. This is necessary for reproducible builds. On top of that, go.sum contains checksums of all the transitive dependencies and their modules, so the build system will also recognise when the source code has been changed. Updated the build instructions accordingly. We don't drop support for earlier Go versions, but those won't get the benefit of reproducible builds unless we start vendoring the dependencies too.
-
- Apr 21, 2018
-
-
Yawning Angel authored
- Nov 15, 2016
-
-
Yawning Angel authored
-
Yawning Angel authored
-
- Oct 20, 2016
-
-
Yawning Angel authored
-
- Jul 11, 2016
-
-
Yawning Angel authored
It's supposed to use the one derived from the client's handshake (assuming the clock skew is within acceptable limits), but it was using the one based off the current system time.
-
- Apr 13, 2016
-
-
Yawning Angel authored
It used to be that all of the bridge side parameters needed to be manually specified together. This was somewhat nonsensical, and the IAT mode can now be set as the only obfs4 option in a `ServerTransportOptions` torrc directive. Thanks to dcf for reporting the issue.
-
- Jan 25, 2016
-
-
Yawning Angel authored
-
Yawning Angel authored
-
- Oct 29, 2015
-
-
Yawning Angel authored
This is a meek client only implementation, with the following differences with dcf's `meek-client`:

- It is named `meek_lite` to differentiate it from the real thing.
- It does not support using an external helper to normalize TLS signatures, so adversaries can look for someone using the Go TLS library to do HTTP.
- It does the right thing with TOR_PT_PROXY, even when a helper is not present.

Most of the credit goes to dcf, whose code I liberally cribbed and stole. It is intended primarily as a "better than nothing" option for environments that do not or can not presently use an external Firefox helper.
-
- Jun 01, 2015
-
-
Yawning Angel authored
-
- Apr 23, 2015
-
-
Yawning Angel authored
-