Opened 2 years ago

Closed 2 years ago

#13442 closed task (fixed)

Check TLS fingerprint in Tor Browser 4.0

Reported by: dcf
Owned by: dcf
Priority: High
Milestone:
Component: Obfuscation/meek
Version:
Severity:
Keywords: easy
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Make sure we still only differ in client randomness as claimed at doc/meek#Sampleclienthellos. Also update that section of the wiki page.

Change History (2)

comment:1 Changed 2 years ago by dcf

It turns out that Tor Browser 4.0 with meek 0.11 is missing the "SessionTicket TLS" extension, just like back in comment:9:ticket:11183. It's because of #10822, where the name of a pref effectively changed from security.enable_tls_session_tickets to security.ssl.disable_session_identifiers. meek-http-helper's user.js file is still using the old name.

--- firefox.txt	2014-10-26 11:26:40.834292634 -0700
+++ meek.txt	2014-10-26 11:27:11.764528579 -0700
@@ -1,111 +1,107 @@
 Secure Sockets Layer
     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
         Content Type: Handshake (22)
         Version: TLS 1.0 (0x0301)
-        Length: 176
+        Length: 172
         Handshake Protocol: Client Hello
             Handshake Type: Client Hello (1)
-            Length: 172
+            Length: 168
             Version: TLS 1.2 (0x0303)
             Random
-                GMT Unix Time: Mar  6, 2014 22:59:28.000000000 PST
-                Random Bytes: 0d118b8cc9643095c9c7089e5445d186c10720fcd81de073...
+                GMT Unix Time: Apr  9, 2009 16:43:59.000000000 PDT
+                Random Bytes: 3bc6a8d4c151f111312cc2a3026c95bf6bb9e823c632ea7a...
             Session ID Length: 0
             Cipher Suites Length: 46
             Cipher Suites (23 suites)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                 Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                 Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                 Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                 Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                 Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                 Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                 Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                 Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                 Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                 Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                 Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                 Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                 Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                 Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
             Compression Methods Length: 1
             Compression Methods (1 method)
                 Compression Method: null (0)
-            Extensions Length: 85
+            Extensions Length: 81
             Extension: server_name
                 Type: server_name (0x0000)
                 Length: 19
                 Server Name Indication extension
                     Server Name list length: 17
                     Server Name Type: host_name (0)
                     Server Name length: 14
                     Server Name: www.google.com
             Extension: renegotiation_info
                 Type: renegotiation_info (0xff01)
                 Length: 1
                 Renegotiation Info extension
                     Renegotiation info extension length: 0
             Extension: elliptic_curves
                 Type: elliptic_curves (0x000a)
                 Length: 8
                 Elliptic Curves Length: 6
                 Elliptic curves (3 curves)
                     Elliptic curve: secp256r1 (0x0017)
                     Elliptic curve: secp384r1 (0x0018)
                     Elliptic curve: secp521r1 (0x0019)
             Extension: ec_point_formats
                 Type: ec_point_formats (0x000b)
                 Length: 2
                 EC point formats Length: 1
                 Elliptic curves point formats (1)
                     EC point format: uncompressed (0)
-            Extension: SessionTicket TLS
-                Type: SessionTicket TLS (0x0023)
-                Length: 0
-                Data (0 bytes)
             Extension: next_protocol_negotiation
                 Type: next_protocol_negotiation (0x3374)
                 Length: 0
             Extension: status_request
                 Type: status_request (0x0005)
                 Length: 5
                 Certificate Status Type: OCSP (1)
                 Responder ID list Length: 0
                 Request Extensions Length: 0
             Extension: signature_algorithms
                 Type: signature_algorithms (0x000d)
                 Length: 18
                 Signature Hash Algorithms Length: 16
                 Signature Hash Algorithms (8 algorithms)
                     Signature Hash Algorithm: 0x0401
                         Signature Hash Algorithm Hash: SHA256 (4)
                         Signature Hash Algorithm Signature: RSA (1)
                     Signature Hash Algorithm: 0x0501
                         Signature Hash Algorithm Hash: SHA384 (5)
                         Signature Hash Algorithm Signature: RSA (1)
                     Signature Hash Algorithm: 0x0201
                         Signature Hash Algorithm Hash: SHA1 (2)
                         Signature Hash Algorithm Signature: RSA (1)
                     Signature Hash Algorithm: 0x0403
                         Signature Hash Algorithm Hash: SHA256 (4)
                         Signature Hash Algorithm Signature: ECDSA (3)
                     Signature Hash Algorithm: 0x0503
                         Signature Hash Algorithm Hash: SHA384 (5)
                         Signature Hash Algorithm Signature: ECDSA (3)
                     Signature Hash Algorithm: 0x0203
                         Signature Hash Algorithm Hash: SHA1 (2)
                         Signature Hash Algorithm Signature: ECDSA (3)
                     Signature Hash Algorithm: 0x0402
                         Signature Hash Algorithm Hash: SHA256 (4)
                         Signature Hash Algorithm Signature: DSA (2)
                     Signature Hash Algorithm: 0x0202
                         Signature Hash Algorithm Hash: SHA1 (2)
                         Signature Hash Algorithm Signature: DSA (2)
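
Review bot: the removed SessionTicket TLS block near the end of the hunk is not tied to the three length changes above it, and a sentence saying so would make the diff self-explanatory. An empty extension is 4 bytes on the wire (2-byte type 0x0023 plus a 2-byte length of 0), which matches Length 176 to 172, Length 172 to 168 and Extensions Length 85 to 81. It would also help to state that the GMT Unix Time and Random Bytes lines are the expected per-connection difference, so the reader can see that the missing extension is the only fingerprint mismatch in this hunk.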

comment:2 Changed 2 years ago by dcf

  • Resolution set to fixed
  • Status changed from new to closed

Opened #13586 with a patch for the extension mismatch.
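
The check this ticket asks for (two ClientHellos that differ only in client randomness) can be automated. The following is an added example, not code from the ticket or from meek: it rebuilds both ClientHellos from the field values in the dissection above and compares everything except Random. The names `build_hello`, `fingerprint` and `differences` are hypothetical, and the Random bytes are constructed because the ticket shows them only truncated.

```python
import struct

# Fields transcribed from the dissection in comment:1; Random bytes are constructed.
SUITES = bytes.fromhex("c02b c02f c00a c009 c013 c014 c012 c007 c011 0033 0032 0045"
                       " 0039 0038 0088 0016 002f 0041 0035 0084 000a 0005 0004")
FIREFOX_EXTS = [
    (0x0000, b"\x00\x11\x00\x00\x0ewww.google.com"),  # server_name
    (0xff01, b"\x00"),                                 # renegotiation_info
    (0x000a, bytes.fromhex("0006 0017 0018 0019")),    # elliptic_curves
    (0x000b, b"\x01\x00"),                             # ec_point_formats
    (0x0023, b""),                                     # SessionTicket TLS
    (0x3374, b""),                                     # next_protocol_negotiation
    (0x0005, b"\x01\x00\x00\x00\x00"),                 # status_request
    (0x000d, bytes.fromhex("0010 0401 0501 0201 0403 0503 0203 0402 0202")),  # signature_algorithms
]
MEEK_EXTS = [e for e in FIREFOX_EXTS if e[0] != 0x0023]  # as observed with meek 0.11

def build_hello(exts, random):  # hypothetical helper: serialize one TLS record
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x03" + random + b"\x00" + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def fingerprint(record):
    """Return the ClientHello as ordered (label, bytes) pairs, Random excluded."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    buf, pos = record[9:], 34               # offset 34: past version + Random
    def vec(width):                         # read one length-prefixed vector
        nonlocal pos
        n = int.from_bytes(buf[pos:pos + width], "big")
        if pos + width + n > len(buf):
            raise ValueError("truncated ClientHello")
        pos += width + n
        return buf[pos - n:pos]
    out = [("version", buf[:2]), ("session_id", vec(1)),
           ("cipher_suites", vec(2)), ("compression", vec(1))]
    block, i = vec(2), 0
    while i + 4 <= len(block):              # walk type/length/data triples
        t, n = struct.unpack_from("!HH", block, i)
        out.append(("ext 0x%04x" % t, block[i + 4:i + 4 + n]))
        i += 4 + n
    return out

def differences(a, b):  # -> (identical?, labels only in a, labels only in b)
    fa, fb = fingerprint(a), fingerprint(b)
    return (fa == fb, [k for k, v in fa if (k, v) not in fb],
            [k for k, v in fb if (k, v) not in fa])
```

Because the comparison is on ordered pairs, a reordering of otherwise identical extensions shows up as a non-identical result with two empty lists.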
