Opened 23 months ago

Closed 23 months ago

Last modified 8 months ago

#17473 closed defect (fixed)

Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296

Reported by: dcf Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201510R meek tor-assistants tbb-bridges
Cc: tim@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description


Hash: SHA1

The bridge fingerprint for the meek-amazon bridge has changed. It was:

4EE0CC769EB4B15A872F742EDE27D298A59DCADE

but is now:

6DDD1DB8526282837C50E9AB5D14AB50150CD624

People who try using meek-amazon are getting a message like this in
their logs:

Oct 30 09:18:46.000 [warn] Tried connecting to router at 0.0.2.0:2, but identity key was not as expected: wanted 4EE0CC769EB4B15A872F742EDE27D298A59DCADE but got 6DDD1DB8526282837C50E9AB5D14AB50150CD624.

The bridge changed fingerprint when it was rebooted on 2015-10-09 to
renew its TLS certificate:

https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html

I neglected to test the bridge using a configured bridge fingerprint.
(I only tested it using a configuration that did not specify a
fingerprint.) According to the bridge operator, the old identity key is
lost.

Please update the bridge's key in bridge_prefs.js. I will attach a
patch.


Version: GnuPG v1

iQIcBAEBAgAGBQJWM5u3AAoJEOK5PYFc04jlsRcP/il8KGrD1ORuCmSv0leH20ob
NAAsRAAaV12PL9CSKuZS9lQi8InfMvZQSz56MyCkIGkFsgn8TlIq6O8nd1tpC3PM
98S+hwrqbXfs85nGdsYPtWZ4HrKfQkRnxBGErM0ideL6EVLi+fy0B+S83o02ktfl
ZB28xs675FjLoEWZhMCDya3hjFQk/vMJXHEOK3GaFzTb6Gj0ELHUCS2ETcCNTSux
g/U4xO0Z4Kk42DY00VPJwFjRc2PQ3pEQ/cZECO20D1erhELFzfQScaeWMpH6M2cV
gKSxCWpUOpZOuzCriaGveY8Vx1dM0HrmCEdtTwR/U6yN5UtXB06G92u2uuj9UuAQ
FAHaqaKpA7nwiNldyGXFsDHFkNb9DHK5O9Y25brTCT7M8MAC1P3gAha0KmLtDUZz
gSj/BEs1mGOQN2NozW4kT3OmBj5Ar8TjAIqt0P55zHMREbB7ZYxaFiFtiFxIrGwo
HqgIgQu5rU944Ut9SA2nA93onkqdYDp6F+4LgrDfoZUvttRM99nUMPlCrCbtWebn
i6R8RhunN1isjpSIv+M1J0rl5s79WXhHY4Bseja5sgX60AkApukaRwBBY1cgS3QZ
ADqj1mBttTKJM4DeemPOsA0IHyNY+kBHc7AeNAizU4ULozA+5yYGwKJWiARU3z+w
frtlxHT+WoWlswOkq7Xh
=ImMV


Child Tickets

Change History (12)

comment:1 Changed 23 months ago by dcf

Sorry, I screwed up the PGP formatting in the description.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The bridge fingerprint for the meek-amazon bridge has changed. It was:
        4EE0CC769EB4B15A872F742EDE27D298A59DCADE
but is now:
        6DDD1DB8526282837C50E9AB5D14AB50150CD624
People who try using meek-amazon are getting a message like this in
their logs:
        Oct 30 09:18:46.000 [warn] Tried connecting to router at 0.0.2.0:2, but identity key was not as expected: wanted 4EE0CC769EB4B15A872F742EDE27D298A59DCADE but got 6DDD1DB8526282837C50E9AB5D14AB50150CD624.

The bridge changed fingerprint when it was rebooted on 2015-10-09 to
renew its TLS certificate:
        https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html
I neglected to test the bridge using a configured bridge fingerprint.
(I only tested it using a configuration that did not specify a
fingerprint.) According to the bridge operator, the old identity key is
lost.

Please update the bridge's key in bridge_prefs.js. I will attach a
patch.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWM5u3AAoJEOK5PYFc04jlsRcP/il8KGrD1ORuCmSv0leH20ob
NAAsRAAaV12PL9CSKuZS9lQi8InfMvZQSz56MyCkIGkFsgn8TlIq6O8nd1tpC3PM
98S+hwrqbXfs85nGdsYPtWZ4HrKfQkRnxBGErM0ideL6EVLi+fy0B+S83o02ktfl
ZB28xs675FjLoEWZhMCDya3hjFQk/vMJXHEOK3GaFzTb6Gj0ELHUCS2ETcCNTSux
g/U4xO0Z4Kk42DY00VPJwFjRc2PQ3pEQ/cZECO20D1erhELFzfQScaeWMpH6M2cV
gKSxCWpUOpZOuzCriaGveY8Vx1dM0HrmCEdtTwR/U6yN5UtXB06G92u2uuj9UuAQ
FAHaqaKpA7nwiNldyGXFsDHFkNb9DHK5O9Y25brTCT7M8MAC1P3gAha0KmLtDUZz
gSj/BEs1mGOQN2NozW4kT3OmBj5Ar8TjAIqt0P55zHMREbB7ZYxaFiFtiFxIrGwo
HqgIgQu5rU944Ut9SA2nA93onkqdYDp6F+4LgrDfoZUvttRM99nUMPlCrCbtWebn
i6R8RhunN1isjpSIv+M1J0rl5s79WXhHY4Bseja5sgX60AkApukaRwBBY1cgS3QZ
ADqj1mBttTKJM4DeemPOsA0IHyNY+kBHc7AeNAizU4ULozA+5yYGwKJWiARU3z+w
frtlxHT+WoWlswOkq7Xh
=ImMV
-----END PGP SIGNATURE-----

comment:2 Changed 23 months ago by dcf

Status: newneeds_review

Here is the patch: attachment:0001-Update-meek-amazon-bridge-fingerprint-to-6DDD1DB8526.patch​.

I was soon going to file a ticket to remove meek-amazon from the browser anyway (cf. #17330). But we should apply this patch so that the correct current fingerprint appears in the commit history.

comment:3 Changed 23 months ago by dcf

Stand by; the bridge operator told me they are going to leave a comment on this ticket with the long-term fingerprint to use.

comment:4 Changed 23 months ago by tsammut

Cc: tim@… added
Keywords: tor-assistants added

comment:5 Changed 23 months ago by gk

Please let me know as soon as possible what to include. The next stable release is actually already built and on tor-qa but we are willing to rebundle once more for this fix.

comment:6 Changed 23 months ago by torland

Please use the following fingerprint:

B9E7141C594AF25699E0079C1F0146F409495296

dcf, I send you a signed email with the fingerprint. Please confirm.

comment:7 Changed 23 months ago by dcf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I received a signed email from the bridge operator saying to use this
fingerprint:

B9E7141C594AF25699E0079C1F0146F409495296

I have tested it just now with this bridge line:

Bridge meek 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2zfqthxsdq309.cloudfront.net/ front=a0.awsstatic.com

I've attached a new patch to use this fingerprint.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWM/k4AAoJEOK5PYFc04jl8JoP/30D5ASboLTFq0MpbjrwsryZ
cVBJetJMk3FrMKohnZKZdbIRi4KfVE+qWUVprJLZgfN/euVG8OT2awAJT+ENdMnB
NAeu9NBqkoZf9+NjFdCSdnG6exsXSIgWlaCPRp9G/WyIn5uFeFeNifpnvFTjAdR0
EsuzAez12xwL3McMu9xthM0s17zU8kgfDx1/3acgC/LRF2Q67qNGZ4NScQwrDnoR
tZ77x8ok+qKZ9+Vn67syk2m5tAin7uqWdLH1bxiTfrb5EfySwht9QNUQyZIRjbxa
MjeQPHuXwfTzbgRUs3+xSpUOrR03dawKq9DcP3fsbo6mE0GeCBqKTDDDR53EDHo9
aFe8NyvakHgKfCjdBSJ2xDuoNFjE8ACKxAT8zHK74zmrjSDLX9pva3rSP3tyoDXb
wEVHRbXsYL1MHhAjQDjghV2Z5+Q1ygza3ItJfAkkSbmVW2Qra0aOYNZ/7U/GUCFH
ndkJRHeef245jQpO3aVjnsut38/cSg6Z3fFl47Irxl9m3sD4qDt2bAqcHaMbtCJF
eL7XCQ2rtDmosXfjK/7N2PVPEUJ0lBVKr4s84I6bw4xRrE/Ge6dNNByGXQpvqHVN
uthSjkVXXQQjwh9bPDYvrV3XWHk41mMWPy7GmtlRUd6sE2MM91iznRB/TbSjvhWm
8fg+5ayQne748lFXuGjt
=oTN9
-----END PGP SIGNATURE-----

This is the patch: attachment:0001-Update-meek-amazon-bridge-fingerprint-to-B9E7141C594.patch​.

comment:8 Changed 23 months ago by dcf

Summary: Update the meek-amazon fingerprint to 6DDD1DB8526282837C50E9AB5D14AB50150CD624Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296

comment:9 Changed 23 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

That'll make it in all upcoming releases (5.0.4/5.5a4/5.5a4-hardened).

comment:10 Changed 8 months ago by dcf

Keywords: tbb-bridges added
Note: See TracTickets for help on using tickets.