meek issues
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues
Updated: 2020-06-27T13:44:16Z

Update meek quick start screenshots for TB 4.5
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/16498
Updated: 2020-06-27T13:44:16Z
Author: David Fifield <dcf@torproject.org>

[[doc/meek#Quickstart]]
The order of dialogs has changed. I manually rearranged the TB 4.0 screenshots, but that means "Connect" is on the wrong screen.

Assignee: David Fifield <dcf@torproject.org>

add-on compatibility check occurs repeatedly
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/16269
Updated: 2020-06-27T13:44:16Z
Author: Mark Smith

This is a spinoff of ticket legacy/trac#16014. Georg noticed that after he updated Tor Browser 4.5a5 to 5.0a1, he saw a "Checking Compatibility of Add-ons" window each time he started the browser. Kathy and I debugged this and found that this window is coming from the meek helper browser. It shows up repeatedly because the prefs.js file is not being written to the profile (presumably because the meek browser is killed and does not exit in a clean manner).
One way to fix this is to add code to the meek HTTP helper extension that flushes the browser prefs. to disk before it enters the blocking event loop. There may be a better solution, but this seems to solve the problem.

Assignee: David Fifield <dcf@torproject.org>

Meek with google is much slower in TBB 4.0.5 than in TBB 4.0.3
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15523
Updated: 2020-06-27T13:44:17Z
Author: cypherpunks

Using Meek - Google in TBB 4.0.5 is much slower than normal tor speed received in TBB 4.0.3 with Meek - Google. So I had gone back to 4.0.3 until this is fixed.
I know speed of internet is not a simple problem, but I have tested this again and again, no effect. 4.0.5 meek-google is much slow and unusable while meek-google in 4.0.3 is at normal expected tor speed.
I guess this sounds like bad report without extra info, but if you tell how, I can give more info on it.
I have not tested with TBB 4.0.4.
I posted above as comment in a blog post, but I reposted here to bring it to attention of good meek developers, apology! Thanks.

Assignee: David Fifield <dcf@torproject.org>

Check meek TLS fingerprint on ESR 38
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15512
Updated: 2022-07-25T22:20:04Z
Author: David Fifield <dcf@torproject.org>

legacy/trac#15196 Rebase Tor Browser patches to ESR 38
See legacy/trac#13442 for an earlier version of this ticket on ESR 31.

Assignee: David Fifield <dcf@torproject.org>

Firefox helper broken when front= is missing
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15427
Updated: 2020-06-27T13:44:17Z
Author: David Fifield <dcf@torproject.org>

[0e6ced86](https://gitweb.torproject.org/pluggable-transports/meek.git/commit/?id=0e6ced86880b54f57a80b34d7f1b32a0eaa33b48) (legacy/trac#12778) broke the Firefox helper when the bridge line is missing the "front" parameter, because it strips off the Host header and doesn't put it back.

Assignee: David Fifield <dcf@torproject.org>

meek-client should support SOCKS proxies w/o Firefox
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15158
Updated: 2020-06-27T13:44:17Z
Author: Nathan Freitas

With meek on Android 4.x in Orbot's VPN mode, we need to proxy outbound connections through a loopback proxy in order to flag socket connections to not go through the VPN. Currently, we have a local SOCKS proxy that does this for tor and obfs4, but since meek requires Firefox to use SOCKS we can't support it in VPN mode.
It would be great to have meek support SOCKS natively w/o needing Firefox.
We currently use SOCKS 5, but can support SOCKS 4 as well, via this java class:
https://github.com/guardianproject/OrbotVPN/blob/master/src/com/runjva/sourceforge/jsocks/protocol/ProxyServer.java

Assignee: Yawning Angel

meek-client-torbrowser does not use signals well
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/15125
Updated: 2020-06-27T13:44:17Z
Author: Ximin Luo

When testing meek-client-wrapper, I noticed two things:
- it does not respond to SIGINT or SIGKILL. also, the signal handling code is different from meek-client. perhaps we should move it to goptlib?
- it uses sigkill to kill its children, not giving them a chance to clean up. Yes, this is awkward on windows but we can at least do something nicer on posix systems.

Assignee: David Fifield <dcf@torproject.org>

meek-client looks for /etc/resolv.conf on Android
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/14897
Updated: 2020-06-27T13:44:17Z
Author: Nathan Freitas

I have meek-client successfully cross compiled and starting up on Android, but as requests come in, there is a DNS lookup that relies on /etc/resolv.conf which doesn't exist on Android:
2015/02/13 16:16:00 error in handling request: dial tcp: error reading DNS config: open /etc/resolv.conf: no such file or directory

Assignee: David Fifield <dcf@torproject.org>

Clarify whether Cloudflare's Universal SSL thing works with meek
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/14256
Updated: 2020-06-27T13:44:18Z
Author: cypherpunks

The [Meek wiki](https://trac.torproject.org/projects/tor/wiki/doc/meek) page has a section on CloudFlare as a possible CDN to use, but seems to have been written before CloudFlare rolled out their [Universal SSL](https://blog.cloudflare.com/introducing-universal-ssl/) free tier.
Would it be possible to have a meek-cloudflare using this Universal SSL thing?

Assignee: David Fifield <dcf@torproject.org>

Tor Browser with meek opens two Software Update windows
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/14203
Updated: 2020-06-27T13:44:18Z
Author: David Fifield <dcf@torproject.org>

When I'm browsing with meek, I tend to get two "Software Update Available" windows appearing simultaneously. I suppose the second one is from the headless meek-http-helper.

Assignee: David Fifield <dcf@torproject.org>

Check TLS fingerprint in Tor Browser 4.0
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13442
Updated: 2022-07-25T22:20:04Z
Author: David Fifield <dcf@torproject.org>

Make sure we still only differ in client randomness as claimed at [[doc/meek#Sampleclienthellos]]. Also update that section of the wiki page.

Assignee: David Fifield <dcf@torproject.org>

Guide on how to use various public services for meek
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13335
Updated: 2020-06-27T13:44:18Z
Author: Ximin Luo

<dcf1> You only need a reflector-like thing when the CDN-like thing doesn't let you point to arbitrary domains.
<dcf1> Amazon CloudFront lets you point to any domain, so the reflector is the CDN itself.
<dcf1> Google only lets you point to a Google domain, so to get around that you run an app on App Engine.
<dcf1> Azure also only allows you to point to an Azure domain, so you use the PHP or WSGI code.
It would be nice to collect this information into a document in meek.git for others.

Assignee: David Fifield <dcf@torproject.org>

meek should use the user's country Google site
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13306
Updated: 2020-06-27T13:44:18Z
Author: Trac

According to the documentation, meek-google uses google.com as the front-end site.
However, google.com would redirect the browser to a local site - e.g. google.co.uk, google.ae, google.com.sa etc.
**Trac**:
**Username**: john1deer

Assignee: David Fifield <dcf@torproject.org>

Set up an Azure backend
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13189
Updated: 2020-06-27T13:44:18Z
Author: David Fifield <dcf@torproject.org>

I got a 12-month research pass for [[doc/meek#MicrosoftAzure]].

Assignee: David Fifield <dcf@torproject.org>

Meek's TLS client hello should use system time
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13182
Updated: 2020-06-27T13:44:18Z
Author: cypherpunks

Since Meek's purpose is to hide and blend in like a typical Firefox user browsing Google.com, the time sent in the TLS client hello handshake should use the user's local or system time, not the common time as in general tor usage.
This will lead to meek page requests looking like a typical Google.com visit, to ISP, or anyone between user and ISP, or between ISP and Google App.

Assignee: David Fifield <dcf@torproject.org>

Amazon CloudFront sets X-Forwarded-For
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13174
Updated: 2020-06-27T13:44:18Z
Author: David Fifield <dcf@torproject.org>

Amazon sets the X-Forwarded-For header that contains the client's true IP. Here's what the header looks like as it arrives at meek-server:
```
POST / HTTP/1.1
Host: d1727xplrgzao3.cloudfront.net
Via: 1.1 c54d7f08e2f3dab1918454910cc8aad0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4ygWFdM8S5fIh-pnW7BK7hKsA7vv6tba-G30YwVHLCXT2Kblcl_yDw==
Connection: Keep-Alive
Content-Length: 244
Accept-Encoding: gzip, deflate
X-Forwarded-Proto: https
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
X-Forwarded-For: 192.0.2.101
CloudFront-Is-Mobile-Viewer: false
CloudFront-Is-Tablet-Viewer: false
CloudFront-Is-Desktop-Viewer: true
CloudFront-Viewer-Country: US
Accept-Language: en-US,en;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
CloudFront-Forwarded-Proto: https
X-Session-Id: FHY4jxw72uodLxdRbrFtqRMnBbMxoa5USSuLj1pzh4w=
Content-Type: application/octet-stream
```
From a censorship point of view, the presence of the client IP address doesn't make a difference, because the request is out of the censor's view by the time the IP is visible. From a surveillance point of view, it doesn't really increase the exposure of clients over ordinary bridges or other transports, because someone surveilling one of those bridges also gets a list of client IPs. But if we can hide the IP on the link between the CDN and meek-server, then we can be in an even better situation with respect to surveillance.
Previously we didn't enable HTTPS on the link between App Engine and meek-server because it [comment:6:ticket:10935 increased latency]. That was for App Engine, though, not Amazon, and HTTPS is not as slow anymore with optimizations made in newer Go releases. (Now it's about 300 ms with HTTPS and 100 ms without.)

Assignee: David Fifield <dcf@torproject.org>

meek's reflector should forward the client's IP address/port to the bridge.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13171
Updated: 2023-05-22T16:50:14Z
Author: Yawning Angel

It would be nice to do this so the value passed to the ExtORPort was correct for better metrics. A few ways this could be done, off the top of my head:
* Set `X-Forwarded-For`. The "standard" layout of this field doesn't include the port, but since it's unofficial, there's nothing stopping us from adding it. This would require us to secure the link between the reflector and the meek-server instance separately, which means TLS.
* Set a custom header (Eg: `Meek-Forwarded-For`), with an encrypted/encoded IP/Port pair. Less overhead than bringing TLS into the picture. I would use something like a Base64 encoded NaCl crypto_secretbox. Key management here may be an issue, though it depends on who runs the bridge and reflector (The other method has cert management to deal with so this isn't a strict minus IMO).

Assignee: David Fifield <dcf@torproject.org>

make a deb of meek and get into Debian
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/13160
Updated: 2020-12-23T15:13:11Z
Author: proper

aka
`apt-get install meek`
Speaking for Whonix, this would be very useful. Perhaps for Tails as well, but I am not speaking for them.

Assignee: David Fifield <dcf@torproject.org>

Port Meek to Android
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/12982
Updated: 2020-06-27T13:44:19Z
Author: cypherpunks

Meek should be ported to Android, so it can be added to obfsclient of Orbot.
Meek makes more useful to run on handheld computers.

Assignee: David Fifield <dcf@torproject.org>

Reenable TLSv1.1 and TLSv1.2 in meek-http-helper when rebased on Firefox 31 ESR
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/12873
Updated: 2020-06-27T13:44:19Z
Author: David Fifield <dcf@torproject.org>

Firefox 31 has TLSv1.1 and TLSv1.2 enabled by default. We'll need to undo legacy/trac#12766 (just by removing the line that sets `security.tls.version.max=1`) in order to look like ordinary Firefox again. Making this a child of legacy/trac#12620 so we're less likely to forget.

Assignee: David Fifield <dcf@torproject.org>