Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296

[dcf]

---

Hash: SHA1

The bridge fingerprint for the meek-amazon bridge has changed. It was:

4EE0CC769EB4B15A872F742EDE27D298A59DCADE

but is now:

6DDD1DB8526282837C50E9AB5D14AB50150CD624

People who try using meek-amazon are getting a message like this in
their logs:

Oct 30 09:18:46.000 [warn] Tried connecting to router at 0.0.2.0:2, but identity key was not as expected: wanted 4EE0CC769EB4B15A872F742EDE27D298A59DCADE but got 6DDD1DB8526282837C50E9AB5D14AB50150CD624.

The bridge changed fingerprint when it was rebooted on 2015-10-09 to
renew its TLS certificate:

​https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html

I neglected to test the bridge using a configured bridge fingerprint.
(I only tested it using a configuration that did not specify a
fingerprint.) According to the bridge operator, the old identity key is
lost.

Please update the bridge's key in bridge_prefs.js. I will attach a
patch.

---

Version: GnuPG v1

iQIcBAEBAgAGBQJWM5u3AAoJEOK5PYFc04jlsRcP/il8KGrD1ORuCmSv0leH20ob
NAAsRAAaV12PL9CSKuZS9lQi8InfMvZQSz56MyCkIGkFsgn8TlIq6O8nd1tpC3PM
98S+hwrqbXfs85nGdsYPtWZ4HrKfQkRnxBGErM0ideL6EVLi+fy0B+S83o02ktfl
ZB28xs675FjLoEWZhMCDya3hjFQk/vMJXHEOK3GaFzTb6Gj0ELHUCS2ETcCNTSux
g/U4xO0Z4Kk42DY00VPJwFjRc2PQ3pEQ/cZECO20D1erhELFzfQScaeWMpH6M2cV
gKSxCWpUOpZOuzCriaGveY8Vx1dM0HrmCEdtTwR/U6yN5UtXB06G92u2uuj9UuAQ
FAHaqaKpA7nwiNldyGXFsDHFkNb9DHK5O9Y25brTCT7M8MAC1P3gAha0KmLtDUZz
gSj/BEs1mGOQN2NozW4kT3OmBj5Ar8TjAIqt0P55zHMREbB7ZYxaFiFtiFxIrGwo
HqgIgQu5rU944Ut9SA2nA93onkqdYDp6F+4LgrDfoZUvttRM99nUMPlCrCbtWebn
i6R8RhunN1isjpSIv+M1J0rl5s79WXhHY4Bseja5sgX60AkApukaRwBBY1cgS3QZ
ADqj1mBttTKJM4DeemPOsA0IHyNY+kBHc7AeNAizU4ULozA+5yYGwKJWiARU3z+w
frtlxHT+WoWlswOkq7Xh
=ImMV

---

[dcf]

Sorry, I screwed up the PGP formatting in the description.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The bridge fingerprint for the meek-amazon bridge has changed. It was:
        4EE0CC769EB4B15A872F742EDE27D298A59DCADE
but is now:
        6DDD1DB8526282837C50E9AB5D14AB50150CD624
People who try using meek-amazon are getting a message like this in
their logs:
        Oct 30 09:18:46.000 [warn] Tried connecting to router at 0.0.2.0:2, but identity key was not as expected: wanted 4EE0CC769EB4B15A872F742EDE27D298A59DCADE but got 6DDD1DB8526282837C50E9AB5D14AB50150CD624.

The bridge changed fingerprint when it was rebooted on 2015-10-09 to
renew its TLS certificate:
        https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html
I neglected to test the bridge using a configured bridge fingerprint.
(I only tested it using a configuration that did not specify a
fingerprint.) According to the bridge operator, the old identity key is
lost.

Please update the bridge's key in bridge_prefs.js. I will attach a
patch.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWM5u3AAoJEOK5PYFc04jlsRcP/il8KGrD1ORuCmSv0leH20ob
NAAsRAAaV12PL9CSKuZS9lQi8InfMvZQSz56MyCkIGkFsgn8TlIq6O8nd1tpC3PM
98S+hwrqbXfs85nGdsYPtWZ4HrKfQkRnxBGErM0ideL6EVLi+fy0B+S83o02ktfl
ZB28xs675FjLoEWZhMCDya3hjFQk/vMJXHEOK3GaFzTb6Gj0ELHUCS2ETcCNTSux
g/U4xO0Z4Kk42DY00VPJwFjRc2PQ3pEQ/cZECO20D1erhELFzfQScaeWMpH6M2cV
gKSxCWpUOpZOuzCriaGveY8Vx1dM0HrmCEdtTwR/U6yN5UtXB06G92u2uuj9UuAQ
FAHaqaKpA7nwiNldyGXFsDHFkNb9DHK5O9Y25brTCT7M8MAC1P3gAha0KmLtDUZz
gSj/BEs1mGOQN2NozW4kT3OmBj5Ar8TjAIqt0P55zHMREbB7ZYxaFiFtiFxIrGwo
HqgIgQu5rU944Ut9SA2nA93onkqdYDp6F+4LgrDfoZUvttRM99nUMPlCrCbtWebn
i6R8RhunN1isjpSIv+M1J0rl5s79WXhHY4Bseja5sgX60AkApukaRwBBY1cgS3QZ
ADqj1mBttTKJM4DeemPOsA0IHyNY+kBHc7AeNAizU4ULozA+5yYGwKJWiARU3z+w
frtlxHT+WoWlswOkq7Xh
=ImMV
-----END PGP SIGNATURE-----

[dcf]

Here is the patch: attachment:0001-Update-meek-amazon-bridge-fingerprint-to-6DDD1DB8526.patch​​.

I was soon going to file a ticket to remove meek-amazon from the browser anyway (cf. #17330). But we should apply this patch so that the correct current fingerprint appears in the commit history.

[dcf]

Stand by; the bridge operator told me they are going to leave a comment on this ticket with the long-term fingerprint to use.

[gk]

Please let me know as soon as possible what to include. The next stable release is actually already built and on tor-qa but we are willing to rebundle once more for this fix.

[torland]

Please use the following fingerprint:

B9E7141C594AF25699E0079C1F0146F409495296

dcf, I send you a signed email with the fingerprint. Please confirm.

[dcf]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I received a signed email from the bridge operator saying to use this
fingerprint:

B9E7141C594AF25699E0079C1F0146F409495296

I have tested it just now with this bridge line:

Bridge meek 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2zfqthxsdq309.cloudfront.net/ front=a0.awsstatic.com

I've attached a new patch to use this fingerprint.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWM/k4AAoJEOK5PYFc04jl8JoP/30D5ASboLTFq0MpbjrwsryZ
cVBJetJMk3FrMKohnZKZdbIRi4KfVE+qWUVprJLZgfN/euVG8OT2awAJT+ENdMnB
NAeu9NBqkoZf9+NjFdCSdnG6exsXSIgWlaCPRp9G/WyIn5uFeFeNifpnvFTjAdR0
EsuzAez12xwL3McMu9xthM0s17zU8kgfDx1/3acgC/LRF2Q67qNGZ4NScQwrDnoR
tZ77x8ok+qKZ9+Vn67syk2m5tAin7uqWdLH1bxiTfrb5EfySwht9QNUQyZIRjbxa
MjeQPHuXwfTzbgRUs3+xSpUOrR03dawKq9DcP3fsbo6mE0GeCBqKTDDDR53EDHo9
aFe8NyvakHgKfCjdBSJ2xDuoNFjE8ACKxAT8zHK74zmrjSDLX9pva3rSP3tyoDXb
wEVHRbXsYL1MHhAjQDjghV2Z5+Q1ygza3ItJfAkkSbmVW2Qra0aOYNZ/7U/GUCFH
ndkJRHeef245jQpO3aVjnsut38/cSg6Z3fFl47Irxl9m3sD4qDt2bAqcHaMbtCJF
eL7XCQ2rtDmosXfjK/7N2PVPEUJ0lBVKr4s84I6bw4xRrE/Ge6dNNByGXQpvqHVN
uthSjkVXXQQjwh9bPDYvrV3XWHk41mMWPy7GmtlRUd6sE2MM91iznRB/TbSjvhWm
8fg+5ayQne748lFXuGjt
=oTN9
-----END PGP SIGNATURE-----

This is the patch: attachment:0001-Update-meek-amazon-bridge-fingerprint-to-B9E7141C594.patch​​.

[gk]

That'll make it in all upcoming releases (5.0.4/5.5a4/5.5a4-hardened).