Use ESNI via Firefox HTTPS helper
As of 2018-10-18, Firefox Nightly supports encrypted SNI, and Cloudflare supports it on the server side. Because meek supports using Firefox as a channel for issuing HTTPS requests, it ought to be pretty easy to adapt the meek client software to use ESNI rather than domain fronting. The server software doesn't need any change.
These steps are untested:
- Download Tor Browser and Firefox Nightly.
- Go to about:config in Firefox Nightly and set
  - network.trr.mode=3
  - network.trr.uri=https://1.1.1.1/dns-query
  - network.security.esni.enabled=true
- Copy the meek-http-helper@bamsoftware.com.xpi from Tor Browser to Firefox Nightly.
- Hack meek-client-torbrowser/{mac,linux,windows}.go to point firefoxPath at the copy of Firefox Nightly and disable the custom profile. (Additional hacks to remove hardcoded Tor Browser assumptions may be required.)
- Set up a Cloudflare instance pointing to https://meek.bamsoftware.com/, call it https://meek.example.com/.
- Set up a custom bridge in Tor Browser, using url= without front= (because we're no longer domain fronting):

      bridge meek 0.0.2.0:3 url=https://meek.example.com/
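As an added illustration (not part of the ticket or of the meek code), the following POSIX shell script pins the three about:config values from the steps above into a user.js in a dedicated Firefox Nightly profile directory and verifies them before the helper is launched, so the prefs survive profile resets and a profile that silently fell back to mode 2 (plaintext DNS fallback) is caught. The profile path, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket or from meek): manage the TRR/ESNI
# prefs of a Firefox Nightly profile via user.js, which Firefox reads at
# startup and applies line by line.

# Assumed DoH resolver, the one named in the steps above.
ESNI_TRR_URI="https://1.1.1.1/dns-query"

# write_esni_userjs PROFILE_DIR
# Creates PROFILE_DIR if needed and (re)writes PROFILE_DIR/user.js with the
# three prefs required for ESNI in Firefox Nightly.
write_esni_userjs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/user.js" <<EOF
// Written by the added example script; prefs for ESNI in Firefox Nightly.
// network.trr.mode 3 = resolve only over DoH (TRR), never fall back to the
// system resolver. Firefox fetches ESNI keys through TRR, so a fallback
// would expose the lookup (and the server name) in plaintext DNS.
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "$ESNI_TRR_URI");
user_pref("network.security.esni.enabled", true);
EOF
}

# check_esni_userjs PROFILE_DIR
# Returns 0 if user.js contains all three prefs with the expected values,
# 1 otherwise, so a launcher can refuse to start the helper with a profile
# that would leak DNS or skip ESNI.
check_esni_userjs() {
    f="$1/user.js"
    [ -f "$f" ] || return 1
    grep -q 'user_pref("network.trr.mode", 3);' "$f" || return 1
    grep -q 'user_pref("network.trr.uri", "https://1.1.1.1/dns-query");' "$f" || return 1
    grep -q 'user_pref("network.security.esni.enabled", true);' "$f" || return 1
    return 0
}

# Usage: sh esni-profile.sh /path/to/nightly-profile
if [ -n "${1:-}" ]; then
    write_esni_userjs "$1"
    if check_esni_userjs "$1"; then
        echo "user.js in $1 has the TRR/ESNI prefs"
    else
        echo "user.js in $1 is missing or wrong" >&2
        exit 1
    fi
fi
```

Point Firefox Nightly at the profile with `firefox -profile /path/to/nightly-profile` (or via the meek-client-torbrowser launcher once firefoxPath is changed); about:config will then show the three prefs as locked-in user values.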
Of course, once ESNI support makes it into the version of Firefox used by Tor Browser, this will be even easier, not requiring a separate Firefox Nightly.
Edited by David Fifield