meek issues
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues
Updated: 2020-06-27T13:44:20Z

Firefox meek-http-helper leaks Host header in CONNECT requests
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/12146
Updated: 2020-06-27T13:44:20Z
Author: David Fifield <dcf@torproject.org>

legacy/trac#12120 enabled the browser extension helper to use an upstream HTTP or SOCKS proxy. I'm watching the requests that go to the proxy, and Firefox is leaking the Host header in the proxy request:
```
CONNECT www.google.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: meek-reflect.appspot.com
```
The `Host: meek-reflect.appspot.com` is not supposed to be visible on the wire. It's encrypted inside of HTTPS. But Firefox leaks it when configured to use an HTTP proxy.
The Host header must be getting special treatment, because the extension also sets X-Session-ID, and that's not showing up in the proxy request.
We have to turn off the HTTP proxy feature if we can't find a way to prevent the Host from leaking.

Assignee: David Fifield <dcf@torproject.org>

Enable Firefox meek-http-helper to use an upstream proxy
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/12120
Updated: 2020-06-27T13:44:20Z
Author: David Fifield <dcf@torproject.org>

The helper should be able to use an upstream proxy, so that it can be used to implement TOR_PT_PROXY as in legacy/trac#8402/[proposal 232](https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/232-pluggable-transports-through-proxy.txt).
[Commit cf81b598](https://gitweb.torproject.org/pluggable-transports/meek.git/commitdiff/cf81b598defd537ed65c015cbf79c322dad26b89) (the removed part) shows how to create a per-request proxy setting.

Assignee: David Fifield <dcf@torproject.org>

tbb bundle with meek takes (literally) hours to connect
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11612
Updated: 2020-06-27T13:44:21Z
Author: cypherpunks

I tried out the experimental Tor Browser bundle with meek (version 3.5.4-meek-1-Linux, 32 bit).
When first launching the bundle, it took literally hours to make the first connection to the tor network. The progress bar was hung at ~50%, the console showed error messages like:
```
[notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 883/4458, and can only build 0% of likely paths. (We have 20% of guards bw, 21% of midpoint bw, and 21% of exit bw.)
[notice] Bootstrapped 72%: Loading relay descriptors.
[warn] Problem bootstrapping. Stuck at 72%: Loading relay descriptors. (DONE; DONE; count 1; recommendation warn)
```
I quit & restarted it several times, the bootstrapping progress seemed to restart from where it had left off, but it literally took hours before I had a tor browser window.
After that, TBB with meek worked reasonably well, albeit slower than normal Tor Browser.

Assignee: David Fifield <dcf@torproject.org>

Make meek man pages
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11580
Updated: 2020-06-27T13:44:21Z
Author: David Fifield <dcf@torproject.org>

For:
* meek-client
* meek-server
Maybe also (only used in the bundle):
* meek-client-torbrowser
* terminateprocess-buffer

Join us for our next exciting episode, _Make `man meek` manifest meek manual_, or, _Three billy goats groff_.

Assignee: David Fifield <dcf@torproject.org>

meek browser stops working after many idle hours
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11562
Updated: 2021-10-29T17:55:46Z
Author: David Fifield <dcf@torproject.org>

I left a copy of [3.5.4-meek-1](https://lists.torproject.org/pipermail/tor-dev/2014-April/006718.html) running idle for a few days. When I came back and tried to browse somewhere, the browser said "connection timed out." I will attach log files in a comment. Sending a HUP to tor caused it to reload its configuration but didn't help things. Neither did "New Identity." Closing the browser and starting it again worked.

Assignee: David Fifield <dcf@torproject.org>

Time out requests in meek-server
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11504
Updated: 2020-06-27T13:44:21Z
Author: David Fifield <dcf@torproject.org>

Yawning found that the HTTP server in meek-server doesn't time out requests in progress.

Assignee: David Fifield <dcf@torproject.org>

Add meek to tor launcher
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11488
Updated: 2020-06-27T13:44:21Z
Author: David Fifield <dcf@torproject.org>

Current bundles (3.5.4-meek-1, legacy/trac#10935) have meek turned on by default (with a Bridge line in torrc-defaults).
For merging, we should rather add it to the bridge configuration screen in tor launcher.

Assignee: David Fifield <dcf@torproject.org>

meek-http-helper opens up a second dock icon
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11429
Updated: 2020-06-27T13:44:21Z
Author: David Fifield <dcf@torproject.org>

The second copy of firefox that is started by meek-client-torbrowser brings up a second Tor Browser dock icon on OS X. Better if we can find a way to hide it.
Something similar happens on Windows, but it doesn't look as bad because the icons appear in a little stack.

Assignee: David Fifield <dcf@torproject.org>

meek README should say what meek is.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11413
Updated: 2020-06-27T13:44:21Z
Author: Nick Mathewson

By convention, a project's README file should tell you what it is, what it does, and how to get started with it. Meek's only mentions that it's public domain.

Assignee: David Fifield <dcf@torproject.org>

Make an HTTP requestor Chrome extension for meek-client
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11393
Updated: 2020-06-27T13:44:21Z
Author: David Fifield <dcf@torproject.org>

Like in legacy/trac#11183, make an extension for Chrome/Chromium that makes HTTP requests on behalf of another program.

Make an HTTP requestor Firefox extension for meek-client
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/11183
Updated: 2020-06-27T13:44:22Z
Author: David Fifield <dcf@torproject.org>

Following the discussion at https://lists.torproject.org/pipermail/tor-dev/2014-February/006266.html and the summary at [[doc/meek#HowtolooklikebrowserHTTPS]], I think our best option for having TLS that looks like a browser is to make a browser extension that meek-client uses as a tool to make HTTPS requests.
To summarize: meek-client needs to make HTTPS requests, but needs to do so with a TLS signature that isn't trivially blockable. A browser doesn't have a blockable TLS signature, so we can have meek-client drive a browser to make requests on its behalf. Rather than ship an entire separate browser to users, we can use an extension in Tor Browser itself, one whose only purpose is to make HTTPS requests using the browser's networking code, bypassing the browser's proxy settings that would otherwise send all requests through Tor.
The communication goes:
browser ↔ tor ↔ meek-client ↔ extension ↔ www.google.com
There will need to be some kind of IPC between meek-client and the extension. I haven't figured out how that will work. Maybe the extension can be an HTTP proxy--that would be super easy to integrate with meek-client. But maybe you don't want an HTTP proxy running in your browser bundle, even if it's only intended for a specific purpose. Maybe the IPC needs to be authenticated somehow, and the extension needs to somehow inform the other process of how to contact it.

Assignee: David Fifield <dcf@torproject.org>

PHP relay for meek
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/10984
Updated: 2020-06-27T13:44:22Z
Author: Arlo Breault

A first pass at the php middle relay is at,
https://github.com/arlolra/meek/tree/php
It borrows heavily from GoAgent.
Deployed to,
https://meek-reflect.herokuapp.com/

Assignee: David Fifield <dcf@torproject.org>

Make bundles featuring meek
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/10935
Updated: 2020-06-27T13:44:22Z
Author: David Fifield <dcf@torproject.org>

Let's try out some bundles with [[doc/meek|meek]].

Assignee: David Fifield <dcf@torproject.org>