[tor-talk] privacy concerns with new CAPTCHA-method for obfs4 bridges
ithor
2018-10-03 08:38:52 UTC
Hi,

Ever since TBB 8, there's been the new moat way to obtain private obfs4 bridges through a CAPTCHA. In the following webpage it's stated that meek is used in order to communicate with the Tor bridges database. Now, my question is: which ones? In my country, domain fronting for Amazon and Google is unavailable, so the only meek bridge still working is the meek_azure one, which isn't going to last. So what will happen when it shuts down? What alternative solutions will TBB come up with? Second question: how is the information concerning the private obfs4 bridge protected during the inquiry?

Sent with [ProtonMail](https://protonmail.com) Secure Email.
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi
Jonathan Marquardt
2018-10-03 12:06:27 UTC
Post by ithor
ever since TBB 8, there's the new moat way to obtain private obfs4 bridges
through a CAPTCHA. In the following webpage it's stated meek is used in
which ones ? In my country, domain fronting for Amazon and Google are
unavailable, so the only meek_bridge still working is the meek_azure one,
which isn't going to last.
It's not just your country. The meek bridge instances in the Google and Amazon
CDNs were shut down by the corresponding companies. They did so supposedly
because it violated their terms of use. They probably don't want to ruin their
relationships with totalitarian regimes. Unless all of a sudden Microsoft
decides that they want these good relationships as well and shuts meek-azure
down, I see no reason to believe that it's not going to last. Meek should be
relatively hard to censor using a firewall.
Post by ithor
So what will happen when it will shut down ? What alternative solutions TBB
will come up with?
There's still the good old bridges.torproject.org website as an alternative as
well as GetTor: https://gettor.torproject.org/
Post by ithor
Second question : how is the information concerning the private obfs4 bridge
protected during the inquiry ?
Meek works by tunneling your data via TLS encryption from the CDN, in this
case Microsoft Azure. No adversary tapping your internet connection should be
able to retrieve the data.
--
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
https://www.parckwart.de/pgp_key
ithor
2018-10-03 12:25:52 UTC
OK, so for once I'll keep my fingers crossed for Microsoft...

How should I imagine the connection to the Azure server? What does it tell the DPI? Just that I'm connecting to a Microsoft CDN based close to my country?

On the wiki page it's stated that

The technique works by using different domain names at different layers of communication. The domain name of an innocuous site is used to initialize the connection. This domain name is exposed to the censor in clear-text as part of the DNS request and the TLS Server Name Indication.

So a meek request is sent in clear-text. What exact information is given? The exact IP address of the Azure server, its geolocation? Could the DPI find out that this is being used for bootstrapping Tor?
James Bunnell
2018-10-03 12:30:53 UTC
I'm a little curious why some people don't take G Suite into consideration :)
--
Moses was the first one to download to his tablet from the cloud.
Jonathan Marquardt
2018-10-03 13:21:16 UTC
Post by James Bunnell
I'm a little curious why some people don't take G Suite into consideration :)
Google clearly doesn't like seeing its services used for censorship
circumvention.

https://lists.torproject.org/pipermail/tor-talk/2016-June/041057.html
Jonathan Marquardt
2018-10-03 13:36:53 UTC
Post by ithor
So a meek request is sent in clear-text. What exact information is given ?
The exact ip address of the Azure server, its geolocation ?
The IP address of the Azure server you're connecting to. In the case of
meek-azure the firewall would also see that you supposedly want to connect to
"ajax.aspnetcdn.com", which is a common domain used by websites that are
hosted on Azure. The domain delivers some JavaScript code and whatnot. So you
should just look like a harmless web browser surfing the web on first sight.
Post by ithor
Could the DPI find out that this is being used for bootstrapping Tor ?
Perhaps with some clever traffic correlation or timing attacks, but not so
easily.

To also answer your question from the other mail in the thread: With encrypted
SNI, the firewall couldn't even see the fake destination (ajax.aspnetcdn.com)
your meek client sends.

This might be interesting in the future, but isn't in use with meek yet. For
more info on that topic, have a look at this thread:
https://lists.torproject.org/pipermail/tor-dev/2018-September/013452.html
ithor
2018-10-03 13:57:09 UTC
Post by Jonathan Marquardt
The IP address of the Azure server you're connecting to.
How does the selection of the Azure server work? Randomly? If I understood correctly, domain-fronting servers are supposedly located geographically close to the origin of the browser request. Could it be that TBB selects an Azure server that could be hosted in a country considered hostile to the regime of the Internet user? If so, couldn't that be compromising?
Post by Jonathan Marquardt
In the case of meek-azure the firewall would also see that you supposedly want to connect to
"ajax.aspnetcdn.com", which is a common domain used by websites that are hosted on Azure.
What firewall are we talking about? The one that sits on the Azure server or the government's one with the DPI?
Andreas Krey
2018-10-03 12:50:25 UTC
On Wed, 03 Oct 2018 14:06:27 +0000, Jonathan Marquardt wrote:
...
They did so supposedly because it violated their terms of use.
It also probably violates a few RFCs, and they never advertised
this 'feature'.
They probably don't want to ruin their relationships with totalitarian regimes.
Or they don't want to ruin their standing with the client who
has the name that is used in the SNI (and who takes the loss
when China should decide to block that b/c it's used by fronters).

Andreas
--
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
ithor
2018-10-03 13:03:14 UTC
Post by Andreas Krey
Or they don't want to ruin their standing with the client who
has the name that is used in the SNI (and who takes the loss
when China should decide to block that b/c it's used by fronters).

Can you elaborate on that for the noob I am? If I understand you correctly, when using domain fronting, Tor basically spoofs or "hijacks" the IP address of an existing Azure server client? What exactly is in the SNI: the name of the Azure server or some kind of information about a real client using that service?

What could China block? The IP of the real client who was spoofed?

What would ESNI (encrypted SNI) bring into the mix concerning meek connections?

https://www.theregister.co.uk/2018/07/17/encrypted_server_names/
Andreas Krey
2018-10-03 16:25:51 UTC
On Wed, 03 Oct 2018 13:03:14 +0000, ithor wrote:
...
Post by ithor
Can you elaborate on that for the noob I am? If I understand you correctly, when using domain fronting, Tor basically spoofs or "hijacks" the IP address of an existing Azure server client?
SNI: Server Name Indication. While setting up the encryption the client
needs to send (in cleartext) the host name it wishes to connect to
(so that the server can use the corresponding certificate). That is how
https still gives away whom you're talking to.
Post by ithor
What exactly is in the SNI: the name of the Azure server or some kind of information about a real client using that service?
The name of some service (web site) hosted. Domain fronting means that
the meek client uses one hostname for establishing the encryption, and
inside the encrypted channel a different hostname it actually wants to
talk to. Google apparently now enforces that these two are the same.
Post by ithor
What could China block? The IP of the real client who was spoofed?
The cleartext hostname in the SNI (if it bothers to). (Question is how
they detect what hostnames are used there.)
Post by ithor
What would ESNI (encrypted SNI) bring into the mix concerning meek connections?
Here the SNI host field is already sent encrypted so China can't tell
anymore which service/website on Azure/whatever you're connecting to;
it only sees that you are addressing Azure's/Google's/Amazon's/Cloudflare's
cloud. But it will take time until this is widely in use so that you're
not suspicious for just using ESNI (not sure if that is an official
acronym).

Actually:
https://en.wikipedia.org/wiki/Domain_fronting
https://blog.cloudflare.com/encrypted-sni/

Andreas
ithor
2018-10-04 06:23:32 UTC
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Post by Andreas Krey
...
Post by ithor
Can you elaborate on that for the noob I am? If I understand you correctly, when using domain fronting, Tor basically spoofs or "hijacks" the IP address of an existing Azure server client?
SNI: Server Name Indication. While setting up the encryption the client
needs to send (in cleartext) the host name it wishes to connect to
(so that the server can use the corresponding certificate). That is how
https still gives away whom you're talking to.
OK, correct me if I'm wrong. Is this what happens in a meek request:
1. unencrypted http request with the hostname I want to connect to in cleartext.
2. encrypted https connection to the hostname.
3. encrypted (http?) relay connection to the Tor entry node.
Post by Andreas Krey
Post by ithor
What exactly is in the SNI: the name of the Azure server or some kind of information about a real client using that service?
The name of some service (web site) hosted. Domain fronting means that
the meek client uses one hostname for establishing the encryption, and
inside the encrypted channel a different hostname it actually wants to
talk to. Google apparently now enforces that these two are the same.
OK, so here is my question: is this 'some service' some kind of dummy request, like an empty form that just mimics the looks of a real request, or is this actually a real-world request to an actual website? The reason I ask is that if the latter is the case (some real website hosted on an Azure server), it might contain information the DPI finds harmful or compromising for some reason or another to the government, and so, because I don't know what 'some service' is actually being used, I might very well be playing Russian roulette with the DPI.
Post by Andreas Krey
Post by ithor
What could China block? The IP of the real client who was spoofed?
The cleartext hostname in the SNI (if it bothers to). (Question is how
they detect what hostnames are used there.)
Well, if the hostname is sent in cleartext, that shouldn't be too much of a problem...
Post by Andreas Krey
Post by ithor
What would ESNI (encrypted SNI) bring into the mix concerning meek connections?
Here the SNI host field is already sent encrypted so China can't tell
anymore which service/website on Azure/whatever you're connecting to;
it only sees that you are addressing Azure's/Google's/Amazon's/Cloudflare's
cloud. But it will take time until this is widely in use so that you're
not suspicious for just using ESNI (not sure if that is an official
acronym).
https://en.wikipedia.org/wiki/Domain_fronting
https://blog.cloudflare.com/encrypted-sni/
Andreas
Jonathan Marquardt
2018-10-04 17:52:04 UTC
Post by ithor
1. unencrypted http request with the hostname I want to connect to in cleartext.
2. encrypted https connection to the hostname.
3. encrypted (http?) relay connection to the Tor entry node.
Completely wrong.

Please read the docs:
https://trac.torproject.org/projects/tor/wiki/doc/meek#Overview
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports#meek

Encrypted HTTPS connection with a false SNI (ajax.aspnetcdn.com) readable for
the censor, but the actual destination hostname (meek.azureedge.net) in the
HTTP "Host" header. This way there's an encrypted connection to the CDN which
looks like a browser's HTTPS connection to "ajax.aspnetcdn.com" from the
outside. Once connected to the CDN, the meek client can talk to whatever app
within the CDN it wants to. It will talk to the meek server
(meek.azureedge.net), which IS a Tor bridge and as such acts as the entry
guard of the circuit.
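The two-layer picture described above (cleartext SNI naming ajax.aspnetcdn.com, the real backend meek.azureedge.net only in the HTTP Host header) and Andreas's explanation of what the SNI field is, as an added example that is not code from this thread or from the meek project. It builds a minimal TLS 1.2 ClientHello by hand, extracts the server_name extension the way a passive middlebox would, and shows that the backend hostname never appears in the cleartext handshake; the tunnel's encryption itself is not modelled, and the ClientHello contents (zeroed random, a single cipher suite) are constructed sample values.

```python
import struct
from typing import Optional

# Constructed sample values: the two hostnames named in the thread.
FRONT_DOMAIN = "ajax.aspnetcdn.com"   # sent in the cleartext SNI extension
BACKEND_HOST = "meek.azureedge.net"   # sent only inside the encrypted HTTP request


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying a server_name extension (type 0)."""
    name = sni.encode()
    # ServerNameList: list_len(2) | name_type(1)=host_name | name_len(2) | name
    server_name_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (zeroed in this constructed sample)
        + b"\x00"                                # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record: bytes) -> Optional[str]:
    """What an on-path observer can read: walk the ClientHello to the server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None                               # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                               # not a ClientHello
    p = 4 + 2 + 32                                # handshake header, version, random
    p += 1 + hs[p]                                # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
    p += 1 + hs[p]                                # compression_methods
    if p + 2 > len(hs):
        return None                               # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                            # server_name: skip list_len(2), name_type(1)
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return None


def fronted_http_request(backend_host: str, path: str = "/") -> bytes:
    """The HTTP request carried inside the TLS tunnel; its Host header names the real backend."""
    return f"POST {path} HTTP/1.1\r\nHost: {backend_host}\r\nContent-Length: 0\r\n\r\n".encode()


def observer_view(sni_domain: str, backend_host: str) -> dict:
    """Contrast what the censor's firewall sees with what the CDN sees after decryption."""
    hello = build_client_hello(sni_domain)
    inner = fronted_http_request(backend_host)
    return {
        "cleartext_sni": extract_sni(hello),
        "backend_visible_on_wire": backend_host.encode() in hello,   # False: only in the tunnel
        "host_header_seen_by_cdn": inner.split(b"\r\n")[1].decode(),
    }
```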