Opened 2 months ago

Last modified 2 months ago

#30895 new defect

meek-cloudflare: Tunnel via Cloudflare Argo.

Reported by: cypherpunks
Owned by: dcf
Priority: Medium
Milestone:
Component: Circumvention/meek
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Change History (4)

comment:1 Changed 2 months ago by cypherpunks

It was mentioned by Adam Chalmers, who created the Free plan of Argo Tunnel.

comment:2 Changed 2 months ago by nickm

Component: - Select a component → Circumvention/meek
Owner: set to dcf

comment:3 Changed 2 months ago by cypherpunks

While Cloudflare is an anti-privacy company, this 'cloudflare meek' is useful from censored countries because the government can't block Cloudflare IP addresses.
If the government blocks Cloudflare, it will block many other websites.

comment:4 Changed 2 months ago by dcf

One problem with using Argo is that the cloudflared daemon isn't free software. The license says e.g. "You may examine source code, if provided to you, solely for the limited purpose of evaluating the Software for security flaws."

Another problem is that the connection to the Argo middlebox, according to the blog post, is TLS to "a random subdomain of trycloudflare.com." That means whatever subdomain it uses must be packaged in software, distributed to users, etc., which means that a censor can learn it as well and block it by examining the SNI field. The old solution would be to use domain fronting, but domain fronting only works if it's HTTP inside the TLS, and I don't see an indication that Argo tunnels use HTTP. So this may have to wait for ESNI.
