The meek pluggable transport has had good success so far. https://trac.torproject.org/projects/tor/wiki/doc/meek It works differently than other transports, so it's been able to reach a new group of users. It now has something like 1000 simultaneous users, which is only about 1/10 of obfs3, but presumably they are users for whom obfs3 and other transports don't work.
Increasing use is going to mean increasing pressure on censors to find a way to block it. meek is not unblockable--that's the wrong way to think about the problem--but it is designed to be difficult and expensive to block, by hiding behind an important domain name (the "front domain") and looking like browser HTTPS. Ideally (ignoring many details), the censor can't distinguish between someone using meek and someone surfing https://www.google.com/ (or another important domain). The censor must either allow some circumvention traffic, or block a domain that has many beneficial uses.

But suppose a censor makes that call, and blocks Google/Amazon/whatever. What then?

The first thing you should try is a different backend. If you use meek-google, try meek-amazon or meek-azure. Maybe your censor has blocked one but not all of them. This is already the case for users in China, where meek-google is blocked because Google is blocked, but the others are not.

You can also try using a different DNS server. The most common way to block a domain name is by DNS poisoning; i.e., the IP address behind the name is accessible, but the local DNS server gives you a false address. Try a public DNS server such as 8.8.8.8. But if that works, be aware that it's probably only a temporary fix, as censors have historically figured out the alternate-DNS trick pretty fast.

What you really want to do, if the easy things don't work, is choose a different front domain. The "domain fronting" trick is meek's core idea. It lets you talk to one domain while appearing to talk to another. Tor Browser comes with some built-in front domains, but you can also configure your own.
The current list of front domains is at https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/PTConfigs/bridge_prefs.js:

meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com
meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=a0.awsstatic.com
meek 0.0.2.0:3 url=https://az668014.vo.msecnd.net/ front=ajax.aspnetcdn.com

You can also find it in Browser/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js inside the Tor Browser distribution. These are the default bridge lines you get when you select meek-google, meek-amazon, or meek-azure from the bridge configuration screen. But you can also enter them manually (under "Enter custom bridges"), and then you can change the front domain. I attached a screenshot that shows how.

Let's take a closer look at what this means:

meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com

The first part, "meek", is the transport name; don't forget that. The address "0.0.2.0:1" is ignored. You can set it to anything (just don't use 0.0.0.X or port 0, because those are used internally by tor). The next part, "url=https://meek-reflect.appspot.com/", says where your traffic is *really* going--to a Tor bridge. You can't change the "url=" part unless you set up your own CDN account. The last part, "front=www.google.com", is the domain that you hide behind--where the censor sees you going. The "front=" part is what you can change.

Let's say www.google.com is blocked. In its place, you can use virtually any domain that's operated by Google. For example,

meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.gmail.com

Or you can try a country-specific domain:

meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com.mx

In fact there are tons of domains operated by Google. Even long-forgotten ones like www.orkut.com work.
Suppose you're behind a firewall that blocks the Google search page but allows a small number of whitelisted sites. If any of those sites use Google Analytics or DoubleClick ads, you're good.

meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=ssl.google-analytics.com
meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.doubleclick.net

With meek-amazon, you can use front domains that are on Amazon CloudFront. The default a0.awsstatic.com is one of them, but you can find others with some research. Here's a short list of some *.cloudfront.net domains: http://www.alexa.com/siteinfo/cloudfront.net ("Where do visitors go on cloudfront.net?"). You can use any of them (remember to change the "front=" part, not the "url=" part):

meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d1xjir8ff9s1sc.cloudfront.net

A lot of sites use their own domain name (CNAME) that aliases a cloudfront.net domain. If you can find one of them, it will work too.

The situation with meek-azure is similar. The default front domain, ajax.aspnetcdn.com, is used by many web sites to host JavaScript files, so we think it will be hard to block. You can also use subdomains of vo.msecnd.net, which belong to the Azure CDN. You can find some with a web search. This one seems to be related to Microsoft Office:

meek 0.0.2.0:3 url=https://az668014.vo.msecnd.net/ front=officeimg.vo.msecnd.net

It's important to understand that even if you change the front domain, you're not sticking some random person with a bandwidth bill. It's the owner of the "url=" that gets charged, not the owner of the "front=", and the "url=" has to be specially set up to accept meek connections. The "url="s in this email are set up for public use (i.e., they are what's getting paid for in the "Summary of meek's costs" emails I send to tor-dev).

Be aware that you may increase your exposure if you choose an unpopular front domain. If you're the only one using it, a censor may easily see that and block you.
Finally, you can always set up your own web app, and point it at a Tor relay running meek-server. As long as it's only used by a few people, it's unlikely to be blocked. This is basically the same as setting up your own proxy server, except it's easier because you just need a web hosting account somewhere, and you get HTTPS camouflage for free. We have such "reflector" web apps for App Engine, Nginx, PHP, and Python WSGI:

https://gitweb.torproject.org/pluggable-transports/meek.git/tree/appengine
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/nginx
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/wsgi

Let's say you are using the PHP one. Just upload the index.php file to a web hosting service that supports HTTPS. Let's say its URL is https://mysite.example.com/index.php. Then you would enter this into Tor Browser:

meek 0.0.2.0:4 url=https://mysite.example.com/index.php

In this case you don't use a front because you're relying on the domain itself being hard to block, either because it's too obscure or because it hosts other useful data. You should still definitely use HTTPS, not plain HTTP.

David Fifield

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
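As an added example (not meek's own code and not part of this email), here is a small Python model of the bridge-line format discussed above: it parses a line, swaps the "front=" part while leaving "url=" alone, and shows which name ends up in the TLS SNI (what the censor sees) versus the HTTP Host header (where the traffic really goes), for both the fronted lines and the no-front own-web-app line. The function names and the reserved-address check are my own; the bridge lines used in the checks are the ones from the email.

```python
from urllib.parse import urlsplit


def parse_bridge_line(line):
    """Split a meek bridge line: '<transport> <addr:port> url=... [front=...]'."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected: meek ADDR:PORT url=... [front=...]")
    transport, addrport, *kvs = parts
    if transport != "meek":
        raise ValueError("the transport name must be 'meek'")
    addr, _, port = addrport.rpartition(":")
    if not addr or not port.isdigit():
        raise ValueError("address must look like ADDR:PORT")
    # meek ignores the address, but tor uses 0.0.0.X and port 0 internally.
    if addr.startswith("0.0.0.") or int(port) == 0:
        raise ValueError("0.0.0.X addresses and port 0 are used internally by tor")
    opts = dict(kv.split("=", 1) for kv in kvs if "=" in kv)
    if "url" not in opts:
        raise ValueError("missing url= (the reflector the traffic really goes to)")
    return {"transport": transport, "addr": addr, "port": int(port),
            "url": opts["url"], "front": opts.get("front")}


def with_front(line, new_front):
    """Return the line with front= replaced (or added); url= is left untouched."""
    kept = [p for p in line.split() if not p.startswith("front=")]
    return " ".join(kept + ["front=" + new_front])


def fronted_request(bridge):
    """Model the domain-fronting split for one parsed bridge line.

    The TLS connection and its SNI go to the front domain (what the censor
    sees); the HTTP Host header carries the url= host, which the CDN uses to
    route the request on to the reflector. With no front=, both are the url=
    host. (Illustration only: the real meek-client does more than this split.)
    """
    u = urlsplit(bridge["url"])
    if u.scheme != "https" or not u.hostname:
        raise ValueError("url= must be an https:// URL")
    front = bridge["front"] or u.hostname
    return {"connect_to": front, "sni": front,
            "host_header": u.hostname, "path": u.path or "/"}
```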
