wiki:doc/AChildsGardenOfPluggableTransports

Here is an exploration of pluggable transports, how they look on the wire.

Pluggable transports disguise Tor traffic for the evading of network censorship. Some transports try to make the traffic look like another protocol, and others try to make it look random. Some transports are aimed at evading IP-based blocks rather than content-based blocks. If you want to see what running Tor with a pluggable transport is like, download a recent version of Tor Browser (version 3.6 or later), and say Yes to the question Does your Internet Service Provider (ISP) block or otherwise censor connections to the Tor Network?

We'll look at hex dumps and text logs, outside and inside encryption, sometimes paying attention to packet boundaries and sometimes ignoring them, in order to discover what makes each transport unique and wonderful.

Ordinary Tor

Why use pluggable transports? It's because it's possible to fingerprint ordinary Tor traffic based on byte patterns that appear in it. Here's a hex dump of the first thing that a client sends to its entry node. It is actually a TLS Client Hello message, as the outer layer of the Tor protocol is TLS. Some parts are colored according to their meaning: cipher suite list, server name, and TLS extensions.

00000000  16 03 01 00 e5 01 00 00  e1 03 03 d2 23 9e 55 3d ........ ....#.U=
00000010  21 cc 80 d5 2b 34 4b e1  be 90 04 c6 d0 f8 f9 a5 !...+4K. ........
00000020  56 3f 01 22 ef c6 e1 22  64 c5 0a 00 00 30 c0 2b V?."..." d....0.+
00000030  c0 2f c0 0a c0 09 c0 13  c0 14 c0 12 c0 07 c0 11 ./...... ........
00000040  00 33 00 32 00 45 00 39  00 38 00 88 00 16 00 2f .3.2.E.9 .8...../
00000050  00 41 00 35 00 84 00 0a  00 05 00 04 00 ff 01 00 .A.5.... ........
00000060  00 88 00 00 00 17 00 15  00 00 12 77 77 77 2e 6b ........ ...www.k
00000070  66 33 69 61 6d 6d 6e 79  70 2e 63 6f 6d 00 0b 00 f3iammny p.com...
00000080  04 03 00 01 02 00 0a 00  34 00 32 00 0e 00 0d 00 ........ 4.2.....
00000090  19 00 0b 00 0c 00 18 00  09 00 0a 00 16 00 17 00 ........ ........
000000A0  08 00 06 00 07 00 14 00  15 00 04 00 05 00 12 00 ........ ........
000000B0  13 00 01 00 02 00 03 00  0f 00 10 00 11 00 23 00 ........ ......#.
000000C0  00 00 0d 00 20 00 1e 06  01 06 02 06 03 05 01 05 .... ... ........
000000D0  02 05 03 04 01 04 02 04  03 03 01 03 02 03 03 02 ........ ........
000000E0  01 02 02 02 03 00 0f 00  01 01                   ........ ..

Here's the first thing the relay sends back in response, a TLS Server Hello along with a certificate and key exchange message.

00000000  16 03 03 00 3e 02 00 00  3a 03 03 5c 67 84 3c 3a ....>... :..\g.<:
00000010  7c 45 d5 ee 2d 64 2d 12  e7 0f b4 2d 14 78 40 f0 |E..-d-. ...-.x@.
00000020  59 58 b2 2e 70 e5 e4 c6  5c 2b 25 00 c0 2f 00 00 YX..p... \+%../..
00000030  12 ff 01 00 01 00 00 0b  00 04 03 00 01 02 00 0f ........ ........
00000040  00 01 01 16 03 03 01 cb  0b 00 01 c7 00 01 c4 00 ........ ........
00000050  01 c1 30 82 01 bd 30 82  01 26 a0 03 02 01 02 02 ..0...0. .&......
00000060  08 30 5c fb 15 5d 79 91  84 30 0d 06 09 2a 86 48 .0\..]y. .0...*.H
00000070  86 f7 0d 01 01 05 05 00  30 24 31 22 30 20 06 03 ........ 0$1"0 ..
00000080  55 04 03 0c 19 77 77 77  2e 75 64 6f 6e 69 74 64 U....www .udonitd
00000090  67 74 34 71 66 77 79 62  70 70 2e 63 6f 6d 30 1e gt4qfwyb pp.com0.
000000A0  17 0d 31 33 31 30 31 35  30 30 30 30 30 30 5a 17 ..131015 000000Z.
000000B0  0d 31 34 30 39 31 30 30  30 30 30 30 30 5a 30 1e .1409100 00000Z0.
000000C0  31 1c 30 1a 06 03 55 04  03 0c 13 77 77 77 2e 77 1.0...U. ...www.w
000000D0  6a 72 64 6d 79 61 72 6e  35 76 2e 6e 65 74 30 81 jrdmyarn 5v.net0.
000000E0  9f 30 0d 06 09 2a 86 48  86 f7 0d 01 01 01 05 00 .0...*.H ........
000000F0  03 81 8d 00 30 81 89 02  81 81 00 f3 37 a0 a9 da ....0... ....7...
00000100  2b b0 68 66 a1 9f 7f f1  7e e6 09 1a 10 69 fe 35 +.hf.... ~....i.5
00000110  19 01 b7 92 70 94 fc 8e  bc 70 da 58 d7 35 dd cb ....p... .p.X.5..
00000120  8d fe 20 84 a6 c1 b6 38  9f 92 7e 04 8a b8 e4 85 .. ....8 ..~.....
00000130  32 5d 17 22 24 bd 2e ba  29 58 db 3c 5e d1 59 01 2]."$... )X.<^.Y.
00000140  3a 01 3c f3 ea 6c ab bf  95 67 59 4e 6c 4c 90 e7 :.<..l.. .gYNlL..
00000150  79 f2 5c c8 30 d7 2c b0  80 67 04 1d 23 89 ba f8 y.\.0.,. .g..#...
00000160  3c c4 02 0c 2d fb 79 e9  af 8c 32 fb 44 9c a0 2a <...-.y. ..2.D..*
00000170  18 41 17 11 71 09 f3 25  4c a6 85 02 03 01 00 01 .A..q..% L.......
00000180  30 0d 06 09 2a 86 48 86  f7 0d 01 01 05 05 00 03 0...*.H. ........
00000190  81 81 00 85 31 40 82 25  f2 f1 38 44 68 3d ce 78 ....1@.% ..8Dh=.x
000001A0  04 34 9c b9 b9 31 2b ca  a9 a4 72 d1 43 a0 9a e7 .4...1+. ..r.C...
000001B0  c4 b6 25 3f df 43 dc cd  cf 11 ae 74 80 e0 4b 37 ..%?.C.. ...t..K7
000001C0  c9 d5 dc ce 27 9e 51 ec  e4 c5 7e 06 c6 10 38 9d ....'.Q. ..~...8.
000001D0  64 d3 d4 e0 f9 0a 4b ee  fe 0d 55 c5 dd 83 7b ad d.....K. ..U...{.
000001E0  43 ea 0c aa bd f0 0c 40  40 0e e8 64 a1 7b f5 39 C......@ @..d.{.9
000001F0  54 75 d6 de 05 68 c4 14  77 c3 c5 cb bb 8f c6 16 Tu...h.. w.......
00000200  8d 0b 2a 16 0f 68 8c d1  24 9a 82 9b 1c 14 18 85 ..*..h.. $.......
00000210  fe 4c ef 16 03 03 00 cd  0c 00 00 c9 03 00 17 41 .L...... .......A
00000220  04 8b 9a ef 29 ec 30 32  f6 e8 ef 2f 90 b1 e0 59 ....).02 .../...Y
00000230  e9 54 f8 16 70 e6 a1 fa  86 5f e7 6f 9e be b4 88 .T..p... ._.o....
00000240  c7 5b 55 6a 76 06 e2 3e  b1 41 ea dd fe 50 f0 62 .[Ujv..> .A...P.b
00000250  42 c5 e7 60 05 86 e1 a8  dd de c4 10 76 f1 fc bd B..`.... ....v...
00000260  c6 06 01 00 80 91 55 20  68 73 f3 e0 cd 28 75 58 ......U  hs...(uX
00000270  0e e3 f5 6a d7 83 78 b2  ed 4d d1 06 5d 1e 88 c7 ...j..x. .M..]...
00000280  30 ef 24 1e f4 29 3d 40  c9 ae 9d 40 71 96 26 e4 0.$..)=@ ...@q.&.
00000290  19 1f 29 8d 88 da a5 43  31 9c 05 ce f8 6d 32 ed ..)....C 1....m2.
000002A0  99 1b 87 b7 a0 30 ea 73  34 9f e8 e4 48 39 68 fb .....0.s 4...H9h.
000002B0  7a 52 82 0a 50 57 50 e2  e7 82 ce c6 db cf 53 85 zR..PWP. ......S.
000002C0  4f e0 7e 50 75 0d 4d 9e  07 b9 8d 7d 9f 18 81 c9 O.~Pu.M. ...}....
000002D0  3a ad dc 40 4d 4f 0f 74  1d 85 f5 d8 a3 f1 26 06 :..@MO.t ......&.
000002E0  20 86 35 ee 6a 16 03 03  00 04 0e 00 00 00        .5.j... ......

It's easier to read these messages after they have been dissected by Wireshark. Here is the meaning of the Client Hello. The parts of the dissection that correspond to the hex dump above are colored the same way: cipher suite list, server name, and TLS extensions.

Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 229
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 225
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Sep 19, 2081 16:20:53.000000000 PDT
                random_bytes: 3d21cc80d52b344be1be9004c6d0f8f9a5563f0122efc6e1...
            Session ID Length: 0
            Cipher Suites Length: 48
            Cipher Suites (24 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 136
            Extension: server_name
                Type: server_name (0x0000)
                Length: 23
                Server Name Indication extension
                    Server Name list length: 21
                    Server Name Type: host_name (0)
                    Server Name length: 18
                    Server Name: www.kf3iammnyp.com
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 52
                Elliptic Curves Length: 50
                Elliptic curves (25 curves)
                    Elliptic curve: sect571r1 (0x000e)
                    Elliptic curve: sect571k1 (0x000d)
                    Elliptic curve: secp521r1 (0x0019)
                    Elliptic curve: sect409k1 (0x000b)
                    Elliptic curve: sect409r1 (0x000c)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: sect283k1 (0x0009)
                    Elliptic curve: sect283r1 (0x000a)
                    Elliptic curve: secp256k1 (0x0016)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: sect239k1 (0x0008)
                    Elliptic curve: sect233k1 (0x0006)
                    Elliptic curve: sect233r1 (0x0007)
                    Elliptic curve: secp224k1 (0x0014)
                    Elliptic curve: secp224r1 (0x0015)
                    Elliptic curve: sect193r1 (0x0004)
                    Elliptic curve: sect193r2 (0x0005)
                    Elliptic curve: secp192k1 (0x0012)
                    Elliptic curve: secp192r1 (0x0013)
                    Elliptic curve: sect163k1 (0x0001)
                    Elliptic curve: sect163r1 (0x0002)
                    Elliptic curve: sect163r2 (0x0003)
                    Elliptic curve: secp160k1 (0x000f)
                    Elliptic curve: secp160r1 (0x0010)
                    Elliptic curve: secp160r2 (0x0011)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 32
                Data (32 bytes)
            Extension: Heartbeat
                Type: Heartbeat (0x000f)
                Length: 1
                Mode: Peer allowed to send requests (1)

The cipher suite list is an interesting part of the message. Ticket #4744 has the story of how the Great Firewall of China blocked Tor in 2011 by looking for a distinctive cipher suite list. In response, Tor changed its cipher suite list to be the same as Firefox's. You can still tell the difference, though: The TLS extensions used by Firefox are not the same as those used by Tor. For example, above there is "Elliptic curves (25 curves)", but Firefox actually has "Elliptic curves (3 curves)". You can see a lot more Client Hellos at meek/SampleClientHellos. Also notice the randomly generated server name www.kf3iammnyp.com.

Here is the meaning of the Server Hello and certificate.

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 62
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 58
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Feb 15, 2019 19:32:12.000000000 PST
                random_bytes: 3a7c45d5ee2d642d12e70fb42d147840f05958b22e70e5e4...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Compression Method: null (0)
            Extensions Length: 18
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: Heartbeat
                Type: Heartbeat (0x000f)
                Length: 1
                Mode: Peer allowed to send requests (1)
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 459
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 455
            Certificates Length: 452
            Certificates (452 bytes)
                Certificate Length: 449
                Certificate (id-at-commonName=www.wjrdmyarn5v.net)
                    signedCertificate
                        version: v3 (2)
                        serialNumber: 1568248196
                        signature (shaWithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 1 item (id-at-commonName=www.udonitdgt4qfwybpp.com)
                                RDNSequence item: 1 item (id-at-commonName=www.udonitdgt4qfwybpp.com)
                                    RelativeDistinguishedName item (id-at-commonName=www.udonitdgt4qfwybpp.com)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: uTF8String (4)
                                            uTF8String: www.udonitdgt4qfwybpp.com
                        validity
                            notBefore: utcTime (0)
                                utcTime: 13-10-15 00:00:00 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 14-09-10 00:00:00 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 1 item (id-at-commonName=www.wjrdmyarn5v.net)
                                RDNSequence item: 1 item (id-at-commonName=www.wjrdmyarn5v.net)
                                    RelativeDistinguishedName item (id-at-commonName=www.wjrdmyarn5v.net)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: uTF8String (4)
                                            uTF8String: www.wjrdmyarn5v.net
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            Padding: 0
                            subjectPublicKey: 30818902818100f337a0a9da2bb06866a19f7ff17ee6091a...
                    algorithmIdentifier (shaWithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                    Padding: 0
                    encrypted: 8531408225f2f13844683dce7804349cb9b9312bcaa9a472...
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 205
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 201
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

The server has selected the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It sends back its own TLS extensions. The server has its own randomly generated server name appearing in its certificate. The names aren't a fixed byte pattern, but it's possible to fingerprint them by watching several handshakes and seeing that the names always fit the expected pattern, as this Bro script does.

obfs2

obfs2 was the first in the obfs family of "look-like-nothing" pluggable transports. It looks like a uniformly random byte stream to a naive observer. It was inspired by obfuscated-openssh and is succeeded by obfs3, ScrambleSuit, and obfs4. obfs2 is deprecated these days, because it can be identified by a totally passive observer, no active man in the middle needed, as you'll see.

The idea behind obfs2 is basically: Send an encryption key, followed by a magic number, a padding length, and some padding, all encrypted by that key. Derive a new key from both the client's and server's intial key, and use that to encrypt all the application data. Both client and server do the same operations, differing only in a few constants. We'll look at the client side. Here is the beginning of an obfs2 session. The bytes that represent the client/server seed, magic number (encrypted), padlen (encrypted), and padding (encrypted) are highlighted.

00000000  6a 14 a6 00 2c b0 cd bc  b7 d7 a7 8f 65 c7 0b 37 j...,... ....e..7
00000010  ef a8 d1 d7 f4 04 7d 71  0d 67 bb 21 fa f9 bc 98 ......}q .g.!....
00000020  19 16 83 8c db 0a 51 e7  a9 2e 8c 3f 79 7d b3 64 ......Q. ...?y}.d
00000030  12 64 81 3d d7 d4 6b f4  70 68 bd 22 fc cf c8 6b .d.=..k. ph."...k
00000040  fd 05 c6 84 25 5a bd 19  46 94 bd a9 58 fa dd 6b ....%Z.. F...X..k
00000050  6b 1f 7c dc 64 30 ce 42  3f 83 7d 79 db b8 7a 99 k.|.d0.B ?.}y..z.
00000060  b2 84 b2 c1 f8 9a 4e b3  11 7c 9b d8 62 71 e5 25 ......N. .|..bq.%
00000070  18 ab 6e de 57 38 1f 80  2c f8 7b 3c             ..n.W8.. ,.{<
00000000  1c f1 11 91 af fb 8f 31  08 c7 a6 53 c3 84 10 a1 .......1 ...S....
00000010  e5 d1 ec bb 72 68 40 27  25 62 bb 8b c2 5b 57 1a ....rh@' %b...[W.
00000020  f5 04 17 c3 8c 4d 99 9a  b9 3f a7 41 d8 99 61 88 .....M.. .?.A..a.
00000030  f8 71 16 66 d3 a3 20 1a  71 f1 ec 44 95 e7 07 05 .q.f.. . q..D....
00000040  0b cd 90 75 72 3f f9 37                          ...ur?.7 
00000048  6c af c1 f1 c9 4c b8 25  ca 05 60 47 f7 ba d1 32 l....L.% ..`G...2
00000058  83 22 24 f1 14 97 5b 63  5e a9 02 82 c6 a0 9e 38 ."$...[c ^......8
00000068  c9 45 d2 fd b8 fe ca 8d  68 d5 cf b5 8f d8 cb 55 .E...... h......U
00000078  68 b9 1a 63 56 44 fc cb  c8 41 3b 3e d9 c0 69 38 h..cVD.. .A;>..i8
00000088  08 9e 61 ef 57 11 af c4  cf 1d 37 7f 39 8f b1 a1 ..a.W... ..7.9...
0000007C  e2 3a 1d 5b 74 3d f7 32  76 1f e1 24 77 5c da 83 .:.[t=.2 v..$w\..
0000008C  9f cd 39 63 6b 7c 53 90  e9 fe ae 2c 60 a7 3e f4 ..9ck|S. ...,`.>.
0000009C  f0 0b 18 2f 6e a4 0f 88  c6 06 9c d5 88 54 74 af .../n... .....Tt.
000000AC  e3 6d f4 ad 46 ab e4 de  24 fb 12 80 50 9d a8 f7 .m..F... $...P...
000000BC  2e f0 5c 7c fb 75 81 02  a5 28 98 66 63 83 dd 31 ..\|.u.. .(.fc..1

You can read the client seed directly from the packet trace. In this case it is 1cf11191affb8f3108c7a653c38410a1. From the seed we derive a key and an initial counter value for AES-CTR mode. Try it yourself using Python and the PyCrypto package:

>>> from Crypto.Cipher import AES
>>> from Crypto.Util import Counter
>>> from hashlib import sha256
>>> seed = "1cf11191affb8f3108c7a653c38410a1".decode("hex")
>>> secret = sha256("Initiator obfuscation padding" + seed + "Initiator obfuscation padding").digest()
>>> key = secret[0:16]
>>> ctr = secret[16:32]
>>> aes = AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=long(ctr.encode("hex"), 16)))
>>> ciphertext = "e5d1ecbb726840272562bb8bc25b571a".decode("hex")
>>> print aes.decrypt(ciphertext).encode("hex")
2bf5ca7e00000030eef53458d509c177

The result of decrypting the first 16 bytes of ciphertext is 2bf5ca7e00000030eef53458d509c177. The first 4 bytes, 2bf5ca7e, are always the same. They are a magic number that identifies an obfs2 stream. (It says "2bfscate", get it?) The next 4 bytes, 00000030, are the number of padding bytes that follow. In this case there are 0x30 = 48 padding bytes. (We deliberately used short padding for this example; normally the padding is a random length between 0 and 8192 bytes.) The next 48 bytes, starting with eef53458d509c177, are just random padding.

The server does the same operations. Try the Python example again, substituting 6a14a6002cb0cdbcb7d7a78f65c70b37 for the seed and "Responder obfuscated data" for "Initiator obfuscated data". You should get a padlen of 00000064.

After all the padding is encrypted and consumed, both sides switch to new keys and counter values that are derived deterministically from both seed values. Then they simply decrypt forever. Here is how it looks for the client side in the example above. You can see the beginning of the Tor TLS Client Hello at the beginning of the plaintext.

>>> init_seed = "1cf11191affb8f3108c7a653c38410a1".decode("hex")
>>> resp_seed = "6a14a6002cb0cdbcb7d7a78f65c70b37".decode("hex")
>>> init_secret = sha256("Initiator obfuscated data" + init_seed + resp_seed + "Initiator obfuscated data").digest()
>>> init_key = init_secret[0:16]
>>> init_ctr = init_secret[16:32]
>>> aes = AES.new(init_key, AES.MODE_CTR, counter=Counter.new(128, initial_value=long(init_ctr.encode("hex"), 16)))
>>> ciphertext = "6cafc1f1c94cb825ca056047f7bad132".decode("hex")
>>> print aes.decrypt(ciphertext).encode("hex")
16030100ef010000eb0303923472ed41

obfs3

obfs3 is another look-like-nothing transport, the successor to obfs2. Like obfs2, it is meant to look like a uniformly random byte stream. It removes obfs2's vulnerability to passive identification by adding a Diffie–Hellman key exchange. While obfs2 can be identified completely passively, it takes an active man-in-the-middle attack or active probing to identify obfs3 with certainty.

There is a catch with the Diffie–Hellman key exchange: it has to look uniformly random like the rest of the protocol. Naively, you would work in a subgroup of ℤp* for some safe prime number p. But only about half the integers between 0 and p are in ℤp*. A censor could watch all your key exchanges, and see that the numbers you send are not really random, but are always in the chosen subgroup. After a while the censor would decide that you are exchanging keys and not really sending random bytes.

obfs3 solves this problem with an algorithm called UniformDH. It's a small tweak to ordinary Diffie–Hellman. It is described in this mailing list post from December 2012:

Let p = 3 mod 4 be prime, with q=(p−1)/2 also prime, and p is at least 1536 bits. (2048 if there's room.) [Use group 5 or group 14 from RFC 3526.] Let g be a generator of the order-q subgroup of ℤp* (g=2 for the two above groups from the RFC.)

To pick a private key, pick a random 1536-bit (or 2048-bit) number, and force the low bit to 0. So there are 1535 (2047) bits of randomness, which is the size of q. Let x be that private key. Let X = gx mod p.

Here's the trick: When you send the public key, randomly decide to send either X or p−X. That will make the public key part a uniform 1536-bit (2048-bit) string (well, negligibly different from uniform).

The other side constructs y and Y=gy mod p in the same way, and sends either Y or pY.

Note that both (pY)x = Yx mod p since x is even, and similarly (pX)y = Xy mod p, so key derivation goes through unchanged.

With UniformDH, the censor can't tell the difference between a public key and a random 1536-bit (192-byte) byte string.

In obfs3, as in obfs2, both client and server do essentially the same operations, differing only in some static constants. Both sides begin by sending their UniformDH public key, followed by random padding. The padding is sent by each side in two pieces. Unlike in obfs2, the padding length is not sent as an integer; rather, the end of the padding is marked by a MAC on the secret that both sides share after the key exchange.

00000000  89 5f 4c 0e 73 64 c5 dc  38 04 47 cf ec b2 a9 c4 ._L.sd.. 8.G.....
00000010  7e a6 98 21 93 96 12 31  99 59 ff ef 7e f9 ac ef ~..!...1 .Y..~...
00000020  e1 0c 0f 7e bc 32 f1 da  a7 01 a0 fe 90 af 01 ce ...~.2.. ........
00000030  34 d0 fe 36 af 64 70 f1  ad 0e 17 19 f4 24 17 1f 4..6.dp. .....$..
00000040  94 ef 05 52 40 5f 98 a4  d0 97 6a 9f 61 52 d2 7e ...R@_.. ..j.aR.~
00000050  2e b7 5b 83 16 bd 7b d8  12 b3 bc 32 5f 3e e3 21 ..[...{. ...2_>.!
00000060  ca 14 b4 6e b5 8e a5 61  d1 36 ce f0 d9 62 a7 4d ...n...a .6...b.M
00000070  49 5d be ab 32 30 54 cb  63 52 98 59 3c 8e f7 20 I]..20T. cR.Y<.. 
00000080  37 39 a7 1d 48 57 39 8b  6d 80 58 e0 34 54 fd 1a 79..HW9. m.X.4T..
00000090  7f b4 83 a6 44 78 aa cc  50 df e4 eb 5c cb 61 3e ....Dx.. P...\.a>
000000A0  8d d5 08 b2 d6 dd da 47  2d b6 93 e8 ed cd b2 3f .......G -......?
000000B0  74 0c 4c 7d f4 8a 52 95  f1 84 59 0b 1f f9 c2 b2 t.L}..R. ..Y.....
000000C0  3a e0 80 e8 5e 95 91 80  eb 48 de 13 dc d1 8f f4 :...^... .H......
000000D0  ef a8 61 06 1e 80 1d 59  07 5f 9a b9 a6 4b 7a 57 ..a....Y ._...KzW
000000E0  62 63 0d 69 15 10 71 c8  45 ea bb 58 08 0e f5 90 bc.i..q. E..X....
000000F0  19 5f 7b da b9 11 1f 3b  fb 92 89 5a 4a df 8e ac ._{....; ...ZJ...
00000100  40 8d f9 80 a8 eb 37 b6  cb 8d bc ea cd c0 54 c0 @.....7. ......T.
00000110  91 d6 5c cb a9 9a 4d a1  50 38 9d c6 aa 0f 42 34 ..\...M. P8....B4
00000120  6f 21 e2 8f                                      o!..
00000000  62 13 c9 fd 02 88 0d 56  73 8b 5f bf 5b 1b 95 f0 b......V s._.[...
00000010  78 e6 a8 8e 54 15 76 64  2c 74 ea b8 dd fa b7 dc x...T.vd ,t......
00000020  86 f5 ef 47 4b 47 e5 38  60 31 1e be 9b 81 c5 00 ...GKG.8 `1......
00000030  ca 5b 7b 00 bb fc d7 b8  0e 02 45 eb 73 7d 42 48 .[{..... ..E.s}BH
00000040  79 24 a3 9f 94 18 a8 7a  58 a0 23 91 b3 b2 68 4f y$.....z X.#...hO
00000050  52 8e d5 5d 69 92 7b b5  a5 71 94 97 06 55 c9 54 R..]i.{. .q...U.T
00000060  90 d0 74 79 67 64 f4 4f  d6 de 1c 09 c5 66 cb 0a ..tygd.O .....f..
00000070  67 dc b5 84 f0 d8 20 ed  fd 03 08 9f fa e2 18 34 g..... . .......4
00000080  2d 8a de b1 9e e9 c4 1a  77 84 b4 4d 01 07 4d 07 -....... w..M..M.
00000090  7a 49 09 ac 25 ce fb e9  2a 3a 8e 0b ac 0f 03 81 zI..%... *:......
000000A0  31 db 48 bc ae 8e 5b 3c  4a 76 e3 b8 7e af 6e 31 1.H...[< Jv..~.n1
000000B0  cf 81 f6 cb 40 cb a1 32  ee fd ec 19 ae 90 8b 20 ....@..2 ....... 
000000C0  ad 89 49 ef 48 3f 2d 0c  59 94 8c 37 d8 54 e0 5d ..I.H?-. Y..7.T.]
000000D0  a2 f5 e8 13 ec a2 0a 7c  50 88 4a fc 40 be eb 1d .......| P.J.@...
000000E0  1b 8c 00 fd 24 55 aa 84  07 06 e7 d4 b0 58 04 16 ....$U.. .....X..

The first 192 bytes (1536 bits) from each side is its public keys. After that is a random amount of padding (between 0 and 4097 bytes). Here, the server has sent 100 bytes of padding and the client has sent 48.

Looking behind the scenes in this example, the client's private key (which doesn't appear on the wire) is and the server's private key (which also does not appear on the wire) is You can verify that these give the correct public keys modulo the prime p from RFC 3526. Both sides might have instead sent pX or pY, but in this case by random chance they did not.

X = 2x mod p = 0x6213c9fd...
Y = 2y mod p = 0x895f4c0e...

>>> x = 0xf525f255f6c11f0b10a1d0775638f19c7f85c5bd1628d4f903d4c0a11e585bc983f82da3515dfbe49f3828d5be0e68d1fd525c611560c788322cb911ccf77a74fdc74fa1f262dfad28ce454b93785e96fd8d4916896274e4896da990e089d14443a9242a974bbb5a2cefefcdb42c3984381e0ec71e2140826608cdd9ef52fe5be903ec5f17d91d580fd234345d7233fea29b81738dd67f712cfd56f54413d43f2889ed1cbd86781313580c13b99499aced73d36778a68b6a80137d084c7a5798
>>> y = 0x421e8e76020c725890488d5f45e3b035162b4ac51eb5d124fe565ff06cef6bf1b61f4a9952effa251a259587e227bdc8ffb22a92ea2e512290f5ce56063d7a39d549d2053f4496d0d5ecce4c920ef8683ef2023b1257d32607657db005e6490fb0461bfd834fb7fb8ef464ebfce014537e0c500386f2aeec7cd41a5fc5acbb9db64a49ef6a1df66a7064419eb0c7d879819f5834d679908e78b9e31fe2f444c4eefe14741c8e7c21fe811c9c0e51f094c25ef67e0cd329df611f6cb02fb56ba4
>>> p = 0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff
>>> X = pow(2, x, p)
>>> Y = pow(2, y, p)
>>> "%0384x" % X
'6213c9fd02880d56738b5fbf5b1b95f078e6a88e541576642c74eab8ddfab7dc86f5ef474b47e53860311ebe9b81c500ca5b7b00bbfcd7b80e0245eb737d42487924a39f9418a87a58a02391b3b2684f528ed55d69927bb5a57194970655c95490d074796764f44fd6de1c09c566cb0a67dcb584f0d820edfd03089ffae218342d8adeb19ee9c41a7784b44d01074d077a4909ac25cefbe92a3a8e0bac0f038131db48bcae8e5b3c4a76e3b87eaf6e31cf81f6cb40cba132eefdec19ae908b20'
>>> "%0384x" % Y
'895f4c0e7364c5dc380447cfecb2a9c47ea69821939612319959ffef7ef9acefe10c0f7ebc32f1daa701a0fe90af01ce34d0fe36af6470f1ad0e1719f424171f94ef0552405f98a4d0976a9f6152d27e2eb75b8316bd7bd812b3bc325f3ee321ca14b46eb58ea561d136cef0d962a74d495dbeab323054cb635298593c8ef7203739a71d4857398b6d8058e03454fd1a7fb483a64478aacc50dfe4eb5ccb613e8dd508b2d6ddda472db693e8edcdb23f740c4c7df48a5295f184590b1ff9c2b2'

Now both sides have the information they need to compute their shared secret

Xy = Yx = 2xy = 0x8cb480f32c2f26e79b40080a3c5c34512c6e83fa1957088dcdffbdb6adcbf24b237faed92f0d0b0310bc6b1b5c99038f3a75400a0b8fb3e0cd6f4f11696ee7be2c7dafb0d8f390fbf3f186e847df4fab00ad784c9ac9806aa82cf06433e66a99293862768db38506bafd976b67ea4b08780689d5217f501748658081e92328c13284b8156eaf00cba0b343b096da71849507a97a4b41236125b443ff7e1e78f2b5489e3ac787d3a8a84dee442408525aba81c7b99721c94edcaa6513948a6607

This shared secret is used to derive marks that indicate the end of padding, as well as session keys that encrypt all the following payload data.

The end-of-padding marks are HMACs that use the shared secret:

>>> secret = ("%0384x" % pow(X, y, p)).decode("hex")
>>> import hmac
>>> from hashlib import sha256
>>> hmac.new(secret, "Initiator magic", sha256).hexdigest()
'7cbbee8bd9b26bf9099d75ec10b50b340d637316040acedd56c1b6d0715a0ba1'
>>> hmac.new(secret, "Responder magic", sha256).hexdigest()
'9c616cd7963c68e4a9322a3b390bf4a51ab0873a333943aff740da2dcab2d76c'

Now that the client has something to send, it sends another block of random padding of between 0 and 4097 bytes, followed by its end-of-padding mark 7cbbee8bd9b26bf9099d75ec10b50b340d637316040acedd56c1b6d0715a0ba1, then followed by its encrypted payload data, encrypted using a key derived from the shared secret.

000000F0  84 57 5f 0d 73 a3 36 45  2e a2 8e 58 e7 a4 71 f4 .W_.s.6E ...X..q.
00000100  ab 75 00 f1 91 7f 89 e5  7e 13 6e 94 91 16 90 78 .u...... ~.n....x
00000110  0d 5e d7 14 13 ea bd cf  ed 6e f8 7a 1e b8 76 17 .^...... .n.z..v.
00000120  75 0c 24 b9 26 cc 19 87  af f0 19 59 b8 ac c3 13 u.$.&... ...Y....
00000130  58 47 b3 59 1d d7 aa 1e  7c bb ee 8b d9 b2 6b f9 XG.Y.... |.....k.
00000140  09 9d 75 ec 10 b5 0b 34  0d 63 73 16 04 0a ce dd ..u....4 .cs.....
00000150  56 c1 b6 d0 71 5a 0b a1                          V...qZ.. 
00000158  1e a5 04 9b e3 f4 9f 67  4e 73 79 14 d1 a5 66 06 .......g Nsy...f.
00000168  17 a5 7a d0 2b 7d 06 ab  a7 20 7e b6 f3 03 5b 7a ..z.+}.. . ~...[z
00000178  30 23 92 fd 67 08 81 76  58 94 d5 a3 47 45 46 4d 0#..g..v X...GEFM
00000188  0f 83 aa 0a d4 c6 2b 33  bf 24 b1 d6 f6 df 5a a5 ......+3 .$....Z.
00000198  8a ce a6 6b e5 03 9b b5  b3 2c 85 85 bd cd f5 64 ...k.... .,.....d
000001A8  df a7 98 7d aa 29 50 18  d8 28 08 94 ef f8 e1 06 ...}.)P. .(......
000001B8  9c e6 8d da 61 7b bc 9d  f2 b8 ba 14 03 56 16 6b ....a{.. .....V.k
000001C8  1e 12 5e 02 5c 1d f2 cd  89 c9 ac a5 44 87 8a fc ..^.\... ....D...
000001D8  b7 a5 72 ee 8f 33 0f 03  83 00 b8 e5 ea ff e2 0f ..r..3.. ........
000001E8  f8 5a 54 76 e9 76 ab 9c  a7 ba d9 af ab 8d ee af .ZTv.v.. ........
000001F8  6b 66 67 26 cf bb 41 46  66 ff 29 a5 49 4e 0d 74 kfg&..AF f.).IN.t
00000208  ba a1 e9 70 2b dc 1e c1  44 0f 65 2b 6c 96 fd 76 ...p+... D.e+l..v
00000218  75 72 f3 cd ab ee c8 1e  ff 5d 5c 30 f4 23 14 f1 ur...... .]\0.#..
00000228  2b c3 c8 ae 3c d6 91 47  27 86 48 65 02 2d e1 94 +...<..G '.He.-..
00000238  14 11 60 90 f3 85 52 42  4b be 2f 0b 15 56 c4 26 ..`...RB K./..V.&
00000248  63 36 cf b7                                      c6..

In its response, the server also sends some more random padding and its own end-of-padding marker 9c616cd7963c68e4a9322a3b390bf4a51ab0873a333943aff740da2dcab2d76c, followed by encrypted payload data.

00000124  a3 ef 3e bf 1b fd 66 f6  91 e0 11 4b cc 99 4f c4 ..>...f. ...K..O.
00000134  f4 93 fc c7 c5 85 07 f5  16 88 06 d2 dc 0e 66 85 ........ ......f.
00000144  6e 21 99 bd 9c 61 6c d7  96 3c 68 e4 a9 32 2a 3b n!...al. .<h..2*;
00000154  39 0b f4 a5 1a b0 87 3a  33 39 43 af f7 40 da 2d 9......: 39C..@.-
00000164  ca b2 d7 6c                                      ...l
00000168  28 64 1e 9b 20 a6 46 13  19 58 d9 a4 ef c2 02 db (d.. .F. .X......
00000178  d3 1b c0 87 4d c6 2d 68  34 df 1a 11 eb 22 fe 7b ....M.-h 4....".{
00000188  12 5e ab ba 6f a9 52 99  da 21 8d 2f 2b 8e 35 fd .^..o.R. .!./+.5.
00000198  fe 34 ef 3e 23 f0 0a 7f  55 08 87 1e 02 cb 19 66 .4.>#... U......f
000001A8  c6 39 60 4e 9d a9 bf fd  a2 27 59 c2 da ad ba 2b .9`N.... .'Y....+
000001B8  22 69 39 f5 0f 02 02 0b  c2 9f 5d 70 5f 97 16 5a "i9..... ..]p_..Z

Neither obfs2 nor obfs3 do anything to disguise packet sizes and timing. In this comparison graphic, you can see that apart from the differing handshakes at the top, the size of packets is mostly unchanged. (In our examples, we have used short padding, but in practice, the padding of obfs2 and obfs3 can be up to 8 kilobytes.) The darkness of each pixel indicates byte values from 0 to 255. All the bytes of obfs2 and obfs3 appear uniformly random, while if you look closely at the ordinary Tor example, you can see a dark smear at the beginning of each packet—that's the plaintext TLS record header, one of the features that pluggable transports aim to obscure.

ordinary Tor

obfs2

obfs3

ScrambleSuit

ScrambleSuit is another transport that looks like uniform random bytes. It has a couple of twists over obfs3: It randomizes the size and timing of packets, and the server resists active probing by requiring a secret key from the client before it will respond. The hex dump looks like random noise as you would expect.

00000000  00 90 a0 58 e3 05 c2 d6  f0 6e 86 5c 5d dd 57 1c ...X.... .n.\].W.
00000010  cf a0 ec ed 15 ed 00 e5  ed d6 d9 29 d9 31 ba 64 ........ ...).1.d
00000020  15 8e bd 84 93 9a e4 f8  c9 d4 ed 25 73 74 e5 69 ........ ...%st.i
00000030  2e 20 02 9a 8d 7c aa 56  04 d7 a7 74 47 31 f6 a3 . ...|.V ...tG1..
00000040  5b ae b2 36 78 57 05 2f  c5 9d 2b 20 7f 5f 8b 23 [..6xW./ ..+ ._.#
00000050  82 5a 47 6a 59 8e 2f 12  14 6a 85 ce 89 16 2a 42 .ZGjY./. .j....*B
00000060  b1 ea d8 3e 2d 92 e1 f3  f9 4d 8b 02 32 a2 c7 e0 ...>-... .M..2...
00000070  85 83 8a 29 6f 47 60 de  25 fb 0c c0 a8 37 55 38 ...)oG`. %....7U8
00000080  69 f5 95 24 5b 66 2c c5  3d 70 66 a5 a4 1b ea dc i..$[f,. =pf.....
00000090  44 f9 28 c2 d4 77 55 ff  49 2b 7d d5 ac 77 09 5b D.(..wU. I+}..w.[
000000A0  07 0c cb 80 8c 6b ca 20  e6 d5 f2 58 f3 69 c9 ac .....k.  ...X.i..
000000B0  da 3f 4c 46 ba 9c e7 c8  34 8d 8e 45 eb c0 35 d7 .?LF.... 4..E..5.
000000C0  98 e7 5f 92 d1 dc 9b f4  92 d4 04 cc 42 04 2c 0d .._..... ....B.,.
000000D0  e0 9a                                            ..
00000000  98 3a 13 c7 52 a8 01 18  97 c6 d7 88 8b 11 f6 22 .:..R... ......."
00000010  14 6f 3c 60 83 79 c0 3e  04 da 5a d2 e5 c2 8f 40 .o<`.y.> ..Z....@
00000020  71 88 78 ce 6a 3e e6 b3  c4 e3 47 8a 10 ed 7f e1 q.x.j>.. ..G.....
00000030  27 ac 47 66 30 82 c8 67  d5 4e 73 dc 34 17 ea 1e '.Gf0..g .Ns.4...
00000040  4e b1 50 c7 e0 a3 49 0b  64 fb eb 81 a5 01 07 81 N.P...I. d.......
00000050  25 73 62 76 3c 88 cb d0  93 fb 4d 3b af 77 f7 9e %sbv<... ..M;.w..
00000060  32 dd d1 fe 89 6e 3e ce  63 34 a7 cc d8 56 07 74 2....n>. c4...V.t
00000070  ad b6 74 aa 43 87 4e 0c  ba 1f aa e6 15 30 aa 1d ..t.C.N. .....0..
00000080  a2 c2 89 75 8c be 29 52  61 e1 e9 50 4e 0c b0 04 ...u..)R a..PN...
00000090  a8 9e 5b 90 bb a3 1c 4b  81 b8 90 76 26 49 ba 66 ..[....K ...v&I.f
000000A0  10 dd 3d 9a 02 83 70 b9  06 6c 2e e2 e6 c1 eb 40 ..=...p. .l.....@
000000B0  3e 15 bf 6d a3 7a fd 20  02 fa 60 fc 52 1f 31 20 >..m.z.  ..`.R.1 
000000C0  6a cb 57 3d 12 e2 f2 99  0a ff 62 f5 2a 56 8a 13 j.W=.... ..b.*V..
000000D0  75 1e 72 8f a4 f7 0c d5  6f 38 33 3e c2 58 4c d6 u.r..... o83>.XL.

Here are visualizations of downloading the web page at https://check.torproject.org/ with ordinary Tor, obfs3, and ScrambleSuit. obfs3 uses the same packet sizes as ordinary Tor. ScrambleSuit randomly chooses a few packet sizes, and pads packets to those sizes, so more bytes are sent overall. Differences in packet timing are not shown.

ordinary Tor

obfs3

ScrambleSuit

Plain Tor downloading check.torproject.org.

obfs3 downloading a check.torproject.org.

ScrambleSuit downloading check.torproject.org.

The following two diagrams show ScrambleSuit's inter-arrival time modification. When downloading data, Tor (the blue lines) looks similar across different connections. ScrambleSuit servers (the orange lines) deviate from that. Note that inter-arrival time obfuscation is quite expensive as it artificially drains network throughput. As a result, it is disabled by default in obfsproxy.

Update diagram.

FTE

FTE, for "format-transforming encryption," encodes data so that it matches an arbitrary regular expression. The idea is that censorship hardware uses regular expressions to classify traffic into allowed and disallowed categories. FTE makes your traffic look like something in the allowed category, as far as the regular expression can tell. Here is a sample of FTE traffic using its default manual-http-request and manual-http-response formats. HTTP bodies have been truncated to save space.

GET //oa9xnE79SSJT73XIDv5gDx6m9kCx.6SJzCweNTMMPPFjL/rgCK1XqYv6hSQJkzpMkpu1cTBiauAaz4Fl49NK78o2nUD/VcGRS2MM7Bfl6X4v./xGw5orrtPQfIXUbWCW.CkTS3j8sD5wQfbsURlceheKV5/bVHs3axmSbKbzvyg0dMh/xQiK2mMAR0aifZ93F0l9ql9qRSDa/8b6oZITWMZFKHwIJEFSJnrpUFj/0c9dX HTTP/1.1\r\n
\r\n
\xe7\xd1\xc1!\xf0\x1eX\x9ez\r\x06\xb4\x14\xa7/\xa1\x0b\xb7\x7f\xc0\xd2y\xe1
\xa7\x8b\x97VZ\x10\xab\xe84w\xa1\x9e\r\xf6\xf3\xf8@\xe0\x00\xab2\x07\xb8@
\x08\xeb3\xd9Li\x12\x1cU\x1dj\xf3\x97tT\x17\xf2\x90Z\xf4 \xd4\xf4\x01\xa7
...
GET //X/oy8D3EU2ypudP4j8FFghcMAKV0dHCff7uEb6mP/cVII0SmyrNRtcKpFjh1rC/jNWfFAJnyTUmaxL.Q5V5YzhQZYg2qvd1VPouHsjD1K8qtupacqQiVnHD8g4Xr4vJxYgdDYMJGvkBFeAPUQLCoKXEJFt0JqSqQMwLsD6NDX3eYaXk0kVM6Vo3xCv7Dky.zf7Cer/BzVb9es35gPQcdiDn4B53uAD6nhFEWOLpYDfalP HTTP/1.1\r\n
\r\n
\x19D\x90\xe4\x92\x11\xd5\xb20h{\x9e\x19\x99\xeb\xb0?\xad\xb0o\xf0+\xfc\xf9
<%P\xfa\xb7\x8am\xb1hX\x13\xc6!f>\xc3e\x10QTU7\x1a\xd2b!\x12\xdf\xc0v(H\xce
\xacze\x7f\xc9cNqd\xf1\x84\xdb\x0c\x92}H\x99\xd8\x01\xd7\xc7\x1fZ\x1e\xa5
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
|\x96\xbd?\x16%\xd7\x8d7Kf\xfe\x0c\x86~\xfe\xc1\xc7\xf7\xb4Tj%\x9a\xd4A\t|P
\x1d\x11I\xd5\xf3\x8e\xd3\xf748\xeev\x8c\xbd\xa8\xdd\xb1\xc2A\xc9\x8d|\x06M
}\xe5\xba5\x1e\x97!\x89\xe4\xb7\t\xe3\x02\x1f{]Ku\x8b\x9c\x8d\xf4\xd2\x10A%
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
\xd9\xcf\x80\x93\xeaJ-A\xf7i\xe2C\x95\xf2\xf4\x9b^\x0c\x81\xdd\x85\x1e\n
\xf9\xa74|\xf2\x1eD~\xfcoU\xaa\xeb[j^z\xeb\x02}_b\xfb\x96\xf8\xe9\x8c#\xd6
\x83\xa8\xbe\xc2\xff\x8d\x94\xce#\xc7\xca\x1ea\xfc\n~\x15\xfb\x8f\xb0\xf7\t
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
<$%\x06\x9b\x03\xcd\xa64\xfa_\xfaP\x98\xf2 \\\xea\x9b\x10qJ\x97\x97\x04\xe5
7\x9b\xd3 \xa5\x12\x93W\xed\xa3\x18\xa5\x9a6O\x97\t\xf0$\x807\x9eO!\x86\xf8
o\x0b\x7f\x8b\xc0Z\x89\xaa,\xcc[w\x9bk\xca\x19\xb9N\x1f\xb3\xea\xa1\xc1c~D
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
2\xfb\xb9\xab\xe7\x1b_\xfe%\xb4\xf1\xd4kPE\xec\xb7\x89\t\x0e\x8f\x9b\xef
\xdfB\x8fE\xddn\xd2\x90\xad\xe3\x1bHN\xbe\xce\xe4\xe33+o9\xec\xb2Q+\xe7\xfc
\x19I.RA\x83\x86\x9c\xa3j\x19\x9c\xe3\x92s\'`\xdf>\x10\xc7\xb8\xeb\xce\xd7&
...
GET /GXlAAlA5/Bp9.hUXw.uwKt.qhyePcEmELGfJaPyEou0ttU9dJ3KdmU/7IhrB8L9iDqLta0SmbW4USo8qANRHHnY5ZMleDUtGr1hgHwf/12SmiM6AZOPFb9WmXnvQoLTxG1zPKozYNSWOSdQdGjXcFeReZP3uRKYPyntJ/ON/wGZjz0sVpBx.2D5Gy7oTLABQKy52p4QSZWfd6i5WkUj.cGxtjdS4sw.H/JfvME6IyXJeZv HTTP/1.1\r\n
\r\n
\xc6\xe7\x86\xd2B\x90x\xf0\x1a Y\xccA\x14Dj\xe19\xfa\xe0\xe0\x9aK\'\xe1 
\xbbb\x1d|\xa8o^\xd0\x9a\x9f\xdb\xf5V\x89\xbdIB\xb1T[\xa3C@\x7f\x9f\xac\xfd
\xce\x9feC\x02\xd4\x1eW\xe1X\xa9\xb6\xf6\xe3\xdaq\x10\x9fY1\x08\xf9\xf0\xb1
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
\xcav\xc3@\xc5\x7f\tr\x89_\x88\xc8\xc6\x87\xf3\xe0\xd9\x0b\x88\xd0$\x8c\xd3
\xc3\x1d\xfeC\xdd\xb2\x18\x9ci^Z\xe3<[\xe4\x1fk=$\xd4+\xd7c\xc1\xeb:\xe3zFJ
C4\rPFt\x83v\xe5\x12\xaf\xc4\x0b\x1f\x96\xb9\xa2\xa2\xa1\x84\xee\xbb\xa0
...

FTE can do other formats as well. Here is a sample of manual-ssh-request and manual-ssh-response. This example doesn't use Tor; it was run with

fteproxy --mode client --upstream-format manual-ssh-request --downstream-format manual-ssh-response
fteproxy --mode server --upstream-format manual-ssh-request --downstream-format manual-ssh-response
ncat -k -l -p 8081
ncat 127.0.0.1 8079
SSH-2.0SKT\xbb\x1d\x18\xd5\xab\x11\xc0\n\xb1UCD\x15\xbf2"r\xf0\xa6\xaf\x98
\xa1\xf57>!r\x81\xd8\xd9\x17E$\xdflV\xb0x\xe1\x97bG\x17\x06}\x9b\xf3\x13
\x0e0p\x15 \xa2\x11\x85\x19\x9dU\xd5\xed\xb3\xe9\x06\xff\xf2\x87\xb9\x80
\xef\xf7\xf0\xf1%\xbd\xe3n\x05\xa9V\xbe\xa0\xd1(\xc2r\x98Sr\x88\xf4\x8f[b
\x1a\x8c\xae\x9d9\x81\xac(\xe0\xb5\xa1\xa9I\x15\xa7\xcd\x8fe~\xe8\xd3\xce
\xd2q\xbe\xc0\xba\x1eB\x17K\xdaN\xe4\xe5\x13\xd3\x83\xf5O\x83\xab\xbd9^\xc2
\xc2\x85\xd8\xb1\x10\xb7\xb5\x9co\xcf:\xa6c*>\xa8[)S\xac\xfb\xf2\xf6q\xeb
\xefq\x88\xb5\x1f`i\xeb\x01f5<\x01\xe8Bp\xc8i:\xfd\xd0;\xe1\xaf\xa9\xd1\x15
\x9f\xcc\x10\xee\x0f{\xb7j_\x0cUN\xb9\xfa\xcdp\x13\xc5\xcf\x9e\xdc/\xfat
\xdb@\x88\xcb\xf2\xcb\x04\x83;H\xc4\x9dR\x08Y/\xe8\xe0\x95Y\x10\xbf\xd2\xea
\tM\x94S\t\xd4
SSH-2.0SKl\xe0\xaa?\x13c5\n\xb3\xe2\x85\x90;\xb6p\x19PW\x03\xb5-\xf9\xce
\xccO_\xcde\x90\xdd\x94\x1fc\xf1w\x16^\xcac!\xd0\xeb=\xb2a\x8c\xa4\x94\x18
\xda2\'\xf1\x88X\x12\x83*,,\x07.\xb5B\xb7\xde\xe8]\xe9\xae\xe2r\xfa\x0eb[
\x1d\x03Ao\xc81\xbf\xa10\x07T\x9c\x87\xb2M\xed\x1c\x84`\xfao\xd5\xe5\xf6
\x91S\x18\xe3Z\x90O\x7f\x17]r\xa2\xe1l\xca\x0c\xcf\xc2\xba\xb1\xf2\\\xd3
\x195\xf3\x0e\x99.q\xee1\xb6\xd8\xbb\xc6+\xa190\x91|\x0f\xfc\xf4\x91\xe72
\xf73\x0f.~o\xfd\x9f\xa3Ga\xbe\x02\xc1\x95j\x8e]\xd0R]:\xec\xae\xd9P_R[\x83
|\x01\\\x95>\\\x19\x82uo.%O\x83\x81^\x7f\x11\xbe\xac\x08\x9d~\xdbF\x11\x05`
k\xaf\x0c/\xd9\xf6\xfe\x10<\xb3\x88z\x85~$j\xe1y\x87\\\xf0-\x1f\x8e\x84\xde
\x17\x85v\xfb/\x17\xdd\xeb\xc1\x9e\x14O\xb1\x9b\xb9
SSH-2.0S.\xc5\x0eI7!{7\x85@\xe5\xf2\x7f\xacAZ\xdcl\x99/9\xe1 \x90\x0b\rVv
\xd6u\xf2h\x1f\x1cn\tV\x0emN\xe3L\xaeyh\xc3\xb5\xa4\x96\xea\x95\x15\x7f@e
\x92.\xeb\xc6d5\xc7\x8a\x91+\xf0\x94\x96\xa5\xdf\x01\x0eI\x1d;\xcfF\xee\x1a
\xb6\xbc\x9e\x87E\x12\x84$C\x9er.\x01\xcb0\xa3=\x0f\xcd\x15\xae\x7fc\x15
\x9a\xed"9\xcf\x8f\xcf9\x87x-p\xfc\xb4!m\x86\xf6\xa8qv\xd6>\xeb0\'\x06\x8ch
\xb5Gj#A\xff\xee\x1e\x9br\xf16\x0b\x06>4\x1cM\x07\xd2\x190/\xe0[\x0fj\x91~
\xc6\xe9nQ

Flash proxy

Flash proxy is a system of short-lived proxies, each running as a JavaScript program in a web browser. Flash proxy uses a browser technology called WebSocket, which is a socket-like layer on top of HTTP.

Flash proxy doesn't do anything special to obscure the content that it carries. What gets sent is ordinary Tor TLS, wrapped inside a WebSocket layer: if you look at the WebSocket payloads, you will be able to see TLS. (There actually is one slight obfuscation, a side effect of the WebSocket protocol: WebSocket frames sent from the proxy to the client are xored with a 4-byte random masking key. The key is set to 00 00 00 00 in the examples below so you can see how it looks without masking.) You can see the TLS in the payloads of the examples below. Headers like Sec-WebSocket-Key and Upgrade: websocket are part of the WebSocket handshake.

Notice that, because a flash proxy connects to the client, and not the other way around, the first data that gets sent (the HTTP GET request that starts a WebSocket connection) is sent from the proxy to the client. The HTTP/1.0 101 Switching Protocols response is sent by the client, which in this case is actually acting as a web server.

GET / HTTP/1.1\r\n
Host: 192.0.2.101:9000\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-gb,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Sec-WebSocket-Version: 13\r\n
Origin: http://crypto.stanford.edu\r\n
Sec-WebSocket-Key: RthUFtiTVCjpBTSN4za+Zg==\r\n
Connection: keep-alive, Upgrade\r\n
Pragma: no-cache\r\n
Cache-Control: no-cache\r\n
Upgrade: websocket\r\n
\r\n
HTTP/1.0 101 Switching Protocols\r\n
Server: BaseHTTP/0.3 Python/2.7.6\r\n
Date: Tue, 13 May 2014 01:32:08 GMT\r\n
Upgrade: websocket\r\n
Connection: Upgrade\r\n
Sec-WebSocket-Accept: tZGC3i4YfiIrPSNfbfkx+JyrLYg=\r\n
\r\n

At this point the WebSocket handshake is finished, and the client begins to send its data, a TLS Client Hello message preceded by a WebSocket frame header. You can also see the cipher suite list, server name, and TLS extensions, just as in the ordinary Tor example.

00000000  82 7e 00 fe 16 03 01 00  f9 01 00 00 f5 03 03 1c .~...... ........
00000010  54 ec ef 3b 2e bc 2b ec  e0 3b 14 ff 10 8a a5 3b T..;..+. .;.....;
00000020  1f d0 04 a6 f8 47 73 52  d3 a0 9e d1 13 8d bd 00 .....GsR ........
00000030  00 48 c0 0a c0 14 00 88  00 87 00 39 00 38 c0 0f .H...... ...9.8..
00000040  c0 05 00 84 00 35 c0 07  c0 09 c0 11 c0 13 00 45 .....5.. .......E
00000050  00 44 00 33 00 32 c0 0c  c0 0e c0 02 c0 04 00 96 .D.3.2.. ........
00000060  00 41 00 04 00 05 00 2f  c0 08 c0 12 00 16 00 13 .A...../ ........
00000070  c0 0d c0 03 fe ff 00 0a  00 ff 01 00 00 84 00 00 ........ ........
00000080  00 13 00 11 00 00 0e 77  77 77 2e 64 7a 71 36 35 .......w ww.dzq65
00000090  71 2e 63 6f 6d 00 0b 00  04 03 00 01 02 00 0a 00 q.com... ........
000000A0  34 00 32 00 0e 00 0d 00  19 00 0b 00 0c 00 18 00 4.2..... ........
000000B0  09 00 0a 00 16 00 17 00  08 00 06 00 07 00 14 00 ........ ........
000000C0  15 00 04 00 05 00 12 00  13 00 01 00 02 00 03 00 ........ ........
000000D0  0f 00 10 00 11 00 23 00  00 00 0d 00 20 00 1e 06 ......#. .... ...
000000E0  01 06 02 06 03 05 01 05  02 05 03 04 01 04 02 04 ........ ........
000000F0  03 03 01 03 02 03 03 02  01 02 02 02 03 00 0f 00 ........ ........
00000100  01 01                                            ..

The flash proxy sends back some more data, a TLS Server Hello preceded by a WebSocket header. The Server Hello includes a certificate with domain names and expiration dates, which are visible as plain text. The WebSocket header is 4 bytes longer in this direction than in the other, because it includes the masking key, which is set to 00 00 00 00 for this example.

00000000  82 fe 02 f2 00 00 00 00  16 03 03 00 3e 02 00 00 ........ ....>...
00000010  3a 03 03 53 71 76 ca 43  e3 5e e8 d3 49 fd 34 67 :..Sqv.C .^..I.4g
00000020  2c 0c cc 35 5f d7 86 84  3a 3c 7d 3d 65 74 c1 0c ,..5_... :<}=et..
00000030  5c 39 dc 00 c0 14 00 00  12 ff 01 00 01 00 00 0b \9...... ........
00000040  00 04 03 00 01 02 00 0f  00 01 01 16 03 03 01 cf ........ ........
00000050  0b 00 01 cb 00 01 c8 00  01 c5 30 82 01 c1 30 82 ........ ..0...0.
00000060  01 2a a0 03 02 01 02 02  09 00 8b 10 ca 28 11 72 .*...... .....(.r
00000070  89 fb 30 0d 06 09 2a 86  48 86 f7 0d 01 01 05 05 ..0...*. H.......
00000080  00 30 23 31 21 30 1f 06  03 55 04 03 13 18 77 77 .0#1!0.. .U....ww
00000090  77 2e 70 6b 67 6d 71 68  37 74 6d 6a 34 68 35 63 w.pkgmqh 7tmj4h5c
000000A0  77 6d 2e 63 6f 6d 30 1e  17 0d 31 34 30 31 32 33 wm.com0. ..140123
000000B0  30 30 30 30 30 30 5a 17  0d 31 34 31 30 30 31 30 000000Z. .1410010
000000C0  30 30 30 30 30 5a 30 22  31 20 30 1e 06 03 55 04 00000Z0" 1 0...U.
000000D0  03 13 17 77 77 77 2e 6c  75 62 6d 7a 36 63 73 69 ...www.l ubmz6csi
000000E0  6c 69 78 74 64 70 2e 6e  65 74 30 81 9f 30 0d 06 lixtdp.n et0..0..
000000F0  09 2a 86 48 86 f7 0d 01  01 01 05 00 03 81 8d 00 .*.H.... ........
00000100  30 81 89 02 81 81 00 ba  77 59 01 ee b8 d2 62 5c 0....... wY....b\
00000110  35 d8 4a f5 f7 43 87 a3  9e b6 f0 02 dc 5d 8e fe 5.J..C.. .....]..
00000120  99 1a e3 b0 7a 25 1e 0e  46 d4 c4 11 39 26 7f 86 ....z%.. F...9&..
00000130  ff 05 91 5f 7a 0b 31 ec  0b b3 98 cf ca 00 54 9d ..._z.1. ......T.
00000140  15 4c 8e f5 3c ce be 82  ec 66 ee c8 11 86 63 42 .L..<... .f....cB
00000150  c2 23 7c 78 a1 90 ea 33  28 80 d5 99 71 ea 01 56 .#|x...3 (...q..V
00000160  14 3b c9 2a 55 71 0f a9  3a 5e 6a 90 02 64 dd d4 .;.*Uq.. :^j..d..
00000170  2f 7a e9 0a 14 36 9d 7f  c8 92 b1 ae f3 dc 85 d5 /z...6.. ........
00000180  d3 f2 07 c5 f4 72 11 02  03 01 00 01 30 0d 06 09 .....r.. ....0...
00000190  2a 86 48 86 f7 0d 01 01  05 05 00 03 81 81 00 aa *.H..... ........
000001A0  11 83 57 d4 6e 48 f1 75  cb b3 ce b5 54 21 d3 c6 ..W.nH.u ....T!..
000001B0  51 25 4d a4 75 36 34 0f  c0 f8 75 cf eb 38 9b b5 Q%M.u64. ..u..8..
000001C0  f5 6e 72 54 6b e6 c1 bd  fd fa 62 f7 70 4b 33 bd .nrTk... ..b.pK3.
000001D0  6a b2 2d 64 54 7e 2f 41  5e 0f 4b 4d 6a 86 0d 95 j.-dT~/A ^.KMj...
000001E0  a8 d1 51 19 e2 23 15 8d  a4 a2 de b7 f5 05 60 ce ..Q..#.. ......`.
000001F0  11 0c 13 f6 d0 f3 8e d9  b9 3c 62 01 24 6f f4 74 ........ .<b.$o.t
00000200  e3 f5 49 ad 6d 5f 98 1b  ab e3 88 0c d4 5a 79 0f ..I.m_.. .....Zy.
00000210  8f 22 5f 0d 06 ba a9 fe  a3 d6 da 6d 2e 01 ec 16 ."_..... ...m....
00000220  03 03 00 cd 0c 00 00 c9  03 00 17 41 04 4c 7b b8 ........ ...A.L{.
00000230  3d 2e b0 d7 64 ff 2b 4f  3f 42 69 12 8a 5d 45 c2 =...d.+O ?Bi..]E.
00000240  fc f1 a3 48 76 9b 37 a5  81 5c 92 3d 8a eb 07 15 ...Hv.7. .\.=....
00000250  dc de 8d 98 df df bf 79  e9 2d 21 57 61 37 18 08 .......y .-!Wa7..
00000260  a8 53 45 09 4a 05 c3 a1  df 21 37 f1 98 06 01 00 .SE.J... .!7.....
00000270  80 03 24 ba 61 73 32 ae  b6 3b 89 e5 a7 24 a3 bb ..$.as2. .;...$..
00000280  e2 e9 72 6a 40 5b 31 07  46 6e bc af 13 31 ae 95 ..rj@[1. Fn...1..
00000290  bb 48 a1 cc d0 f4 67 f6  ea 38 29 c7 69 0a 70 25 .H....g. .8).i.p%
000002A0  57 38 38 cd 7b fa 65 c5  3c 27 ec e0 cd fe 43 61 W88.{.e. <'....Ca
000002B0  ff 9d ee ca 9e da 65 7a  e9 0e ea 4c a9 27 70 39 ......ez ...L.'p9
000002C0  07 da 82 c3 de 46 e0 4b  1c 2b 9e 0d 5c dd 89 9d .....F.K .+..\...
000002D0  3d 47 69 a5 cf 72 6f 0f  07 8c 59 b4 51 5e dd 31 =Gi..ro. ..Y.Q^.1
000002E0  fb 59 34 9f 84 cd d6 d1  f9 de cf ba 51 ad 32 15 .Y4..... ....Q.2.
000002F0  92 16 03 03 00 04 0e 00  00 00                   ........ ..

After this, the communication continues in both directions, socket-like with WebSocket framing, until the flash proxy disappears.

Flash proxy rendezvous

There's one more piece to flash proxy, which is how the client advertises that it needs service from a flash proxy in the first place. This process is called "rendezvous." The client must send its IP address to the flash proxy system in a way that the censor can't detect and block. There are a few ways to do it, but most often it is done by a program called flashproxy-reg-appspot and its helper flashproxy-reg-url. flashproxy-reg-appspot works by reflecting an HTTP request through a web app running on Google App Engine, using the domain name www.google.com so the censor can't tell you are talking to App Engine, and encoding your IP address as part of the URL.

When you run flashproxy-reg-appspot, the client first sends one covert HTTPS request in order to learn its own external IP address. The censor doesn't get to see the contents of these messages; they are inside HTTPS encryption. The packets will be marked with a black border to indicate that we are looking inside the encryption.

GET /ip HTTP/1.1\r\n
Accept-Encoding: identity\r\n
Host: fp-reg-a.appspot.com\r\n
Connection: close\r\n
User-Agent: Python-urllib/2.7\r\n
\r\n
HTTP/1.1 200 OK\r\n
Content-Type: application/octet-stream\r\n
Date: Tue, 13 May 2014 02:47:50 GMT\r\n
Server: Google Frontend\r\n
Cache-Control: private\r\n
Alternate-Protocol: 443:quic\r\n
Connection: close\r\n
\r\n
192.0.2.101

The Host header fp-reg-a.appspot.com is the actual destination of the request—the web app running at that domain forwards the request to the flash proxy system—but the censor instead sees the request destined for www.google.com.

The client then sends another HTTPS request that contains an encrypted payload that will be forwarded to a flash proxy:

GET /reg/IiYtnmOro5k8IkFxIOljS1k8Z3dC3M0m_mM40PZo4STDY1vqn4xC6l9zAOjnr_Gw5xGBnKfbjDiyc4uaN5DxkseUAw4NUxwr6UySYYYMpssBkgRe4P5LBGlQy7B8rjzFlg8snXx2yUIbfrX2hP11XB-Tvr2po6VeNEEAiXQG48waXknztb0KBTM6qTXfNiZf3QwCW7aap-yu5IwFz6thhZ1NLwNEdp0tHn42m4sbEZzANM3sFv0kBlBn9IOWtFiwzdacjS6rXiuULhhC7rR2WuhsjVctdus8qNmUnfm22c36KPIgqyB5uDSR45pq5rHBdL_ZSsadwKQwQeW_6rohaw== HTTP/1.1\r\n
Accept-Encoding: identity\r\n
Host: fp-reg-a.appspot.com\r\n
Connection: close\r\n
User-Agent: Python-urllib/2.7\r\n
\r\n
HTTP/1.1 204 No Content\r\n
Strict-Transport-Security: max-age=15768000\r\n
Via: HTTP/1.1 GWA\r\n
Date: Tue, 13 May 2014 02:47:52 GMT\r\n
Content-Type: text/html\r\n
Server: Google Frontend\r\n
Content-Length: 0\r\n
Alternate-Protocol: 443:quic\r\n
Connection: close\r\n
\r\n

The response 204 No Content means that the web app didn't have to do any work. It merely copied the long URL it was given and sent it to the flash proxy system. That long URL is actually an encoded ciphertext. Here is what it looks like decrypted:

client=192.0.2.101%3A9000&client-transport=websocket

meek

meek uses HTTP as a transport, and TLS to hide the contents of messages. It reflects its HTTP requests through a third party server like App Engine, using a technical trick to make it look like it is talking to a different server, one that is expensive for the censor to block. It uses a browser plugin in order to camouflage its TLS fingerprint.

Here's the first thing a censor sees when you connect using meek. It's a TLS Client Hello, like in the ordinary Tor example, but it's different: the cipher suites are different, the extensions are different, and the server name is www.google.com rather than a randomly generated Tor name. The TLS looks different because it's generated by a web browser extension, not by Tor, and the packet is in fact being sent to www.google.com, not to a Tor relay. Read on for the "domain fronting" trick that causes www.google.com to send the traffic to a Tor relay behind the scenes.

00000000  16 03 01 00 a9 01 00 00  a5 03 01 17 24 0d d9 fe ........ ....$...
00000010  72 b8 1e 89 82 f2 2f 98  8a e4 88 89 85 0f dd 1e r...../. ........
00000020  12 7d 76 72 ec 6e 1e 15  d9 f3 5c 00 00 46 c0 0a .}vr.n.. ..\..F..
00000030  c0 09 c0 13 c0 14 c0 08  c0 12 c0 07 c0 11 00 33 ........ .......3
00000040  00 32 00 45 00 44 00 39  00 38 00 88 00 87 00 16 .2.E.D.9 .8......
00000050  00 13 c0 04 c0 0e c0 05  c0 0f c0 03 c0 0d c0 02 ........ ........
00000060  c0 0c 00 2f 00 41 00 35  00 84 00 96 fe ff 00 0a .../.A.5 ........
00000070  00 05 00 04 01 00 00 36  00 00 00 13 00 11 00 00 .......6 ........
00000080  0e 77 77 77 2e 67 6f 6f  67 6c 65 2e 63 6f 6d ff .www.goo gle.com.
00000090  01 00 01 00 00 0a 00 08  00 06 00 17 00 18 00 19 ........ ........
000000A0  00 0b 00 02 01 00 00 23  00 00 33 74 00 00       .......# ..3t..

The Server Hello reply from www.google.com is ordinary—it's exactly what you would get if you went to https://www.google.com/ in a web browser. Google has a longer certificate than the typical Tor relay.

00000000  16 03 01 00 5e 02 00 00  5a 03 01 53 75 b8 12 35 ....^... Z..Su..5
00000010  d4 9d fc 74 43 ce 67 ef  89 0c a3 d4 cc 72 1f 8d ...tC.g. .....r..
00000020  5d 3d d9 4e 5e e4 6f ff  83 d6 2f 00 c0 11 00 00 ]=.N^.o. ../.....
00000030  32 00 00 00 00 ff 01 00  01 00 00 0b 00 04 03 00 2....... ........
00000040  01 02 00 23 00 00 33 74  00 19 08 73 70 64 79 2f ...#..3t ...spdy/
00000050  33 2e 31 06 73 70 64 79  2f 33 08 68 74 74 70 2f 3.1.spdy /3.http/
00000060  31 2e 31 16 03 01 0c 13  0b 00 0c 0f 00 0c 0c 00 1.1..... ........
00000070  04 7a 30 82 04 76 30 82  03 5e a0 03 02 01 02 02 .z0..v0. .^......
00000080  08 24 d8 55 1d 34 8a 41  a6 30 0d 06 09 2a 86 48 .$.U.4.A .0...*.H
00000090  86 f7 0d 01 01 05 05 00  30 49 31 0b 30 09 06 03 ........ 0I1.0...
000000A0  55 04 06 13 02 55 53 31  13 30 11 06 03 55 04 0a U....US1 .0...U..
000000B0  13 0a 47 6f 6f 67 6c 65  20 49 6e 63 31 25 30 23 ..Google  Inc1%0#
000000C0  06 03 55 04 03 13 1c 47  6f 6f 67 6c 65 20 49 6e ..U....G oogle In
000000D0  74 65 72 6e 65 74 20 41  75 74 68 6f 72 69 74 79 ternet A uthority
000000E0  20 47 32 30 1e 17 0d 31  34 30 35 30 37 31 32 31  G20...1 40507121
000000F0  33 35 33 5a 17 0d 31 34  30 38 30 35 30 30 30 30 353Z..14 08050000
00000100  30 30 5a 30 68 31 0b 30  09 06 03 55 04 06 13 02 00Z0h1.0 ...U....
00000110  55 53 31 13 30 11 06 03  55 04 08 0c 0a 43 61 6c US1.0... U....Cal
00000120  69 66 6f 72 6e 69 61 31  16 30 14 06 03 55 04 07 ifornia1 .0...U..
00000130  0c 0d 4d 6f 75 6e 74 61  69 6e 20 56 69 65 77 31 ..Mounta in View1
00000140  13 30 11 06 03 55 04 0a  0c 0a 47 6f 6f 67 6c 65 .0...U.. ..Google
00000150  20 49 6e 63 31 17 30 15  06 03 55 04 03 0c 0e 77  Inc1.0. ..U....w
00000160  77 77 2e 67 6f 6f 67 6c  65 2e 63 6f 6d 30 82 01 ww.googl e.com0..
00000170  22 30 0d 06 09 2a 86 48  86 f7 0d 01 01 01 05 00 "0...*.H ........
00000180  03 82 01 0f 00 30 82 01  0a 02 82 01 01 00 ba 1c .....0.. ........
00000190  1c c5 ab c0 f7 3b 99 de  0f fa 32 ad c6 9d 9c 14 .....;.. ..2.....
000001A0  aa 47 03 90 a9 3f f3 10  0b c5 e6 f7 8a 2e ea 71 .G...?.. .......q
000001B0  d5 e9 2b da 3e ec d8 d0  08 19 18 8c 4b 4f 12 07 ..+.>... ....KO..
000001C0  8a 84 ba 49 4e d8 65 e6  96 62 3d 7e ad cb 30 74 ...IN.e. .b=~..0t
000001D0  e3 00 9f bf 01 5f 86 65  74 94 16 26 c3 dd 04 a5 ....._.e t..&....
000001E0  d1 1c c3 20 b4 a1 a3 de  c0 22 0b fe bd 5f 26 a7 ... .... ."..._&.
000001F0  32 1c 02 50 6a 62 3a 24  03 df 71 cb 92 86 28 99 2..Pjb:$ ..q...(.
00000200  5d e0 f5 cc b6 46 5f e3  38 92 46 8c 20 fe 3b 1d ]....F_. 8.F. .;.
00000210  a7 a3 cb 2c d8 e0 d0 1d  68 5c d4 e4 9e ab 3c 6c ...,.... h\....<l
00000220  a3 81 a7 9a 46 38 c2 06  7b 6f 46 88 f7 55 f6 e6 ....F8.. {oF..U..
00000230  04 f2 af 6b f6 cd 4e 59  a1 75 55 6d 65 14 dc 86 ...k..NY .uUme...
00000240  00 99 1e 6c e1 60 d1 0f  0a e7 d6 d6 8c d0 34 1d ...l.`.. ......4.
00000250  02 11 76 ea 79 6d ba dd  8e e7 e0 9a c0 44 c9 4f ..v.ym.. .....D.O
00000260  48 ba a5 43 fe 88 f9 88  6d 93 b1 fa d3 66 22 84 H..C.... m....f".
00000270  cb 67 c5 13 a5 c5 a0 43  d1 0c 95 a8 eb 64 a7 6a .g.....C .....d.j
00000280  9c 52 01 8c 45 e7 00 9a  d3 e6 69 6b 38 cb 02 03 .R..E... ..ik8...
00000290  01 00 01 a3 82 01 41 30  82 01 3d 30 1d 06 03 55 ......A0 ..=0...U
000002A0  1d 25 04 16 30 14 06 08  2b 06 01 05 05 07 03 01 .%..0... +.......
000002B0  06 08 2b 06 01 05 05 07  03 02 30 19 06 03 55 1d ..+..... ..0...U.
000002C0  11 04 12 30 10 82 0e 77  77 77 2e 67 6f 6f 67 6c ...0...w ww.googl
000002D0  65 2e 63 6f 6d 30 68 06  08 2b 06 01 05 05 07 01 e.com0h. .+......
000002E0  01 04 5c 30 5a 30 2b 06  08 2b 06 01 05 05 07 30 ..\0Z0+. .+.....0
000002F0  02 86 1f 68 74 74 70 3a  2f 2f 70 6b 69 2e 67 6f ...http: //pki.go
00000300  6f 67 6c 65 2e 63 6f 6d  2f 47 49 41 47 32 2e 63 ogle.com /GIAG2.c
00000310  72 74 30 2b 06 08 2b 06  01 05 05 07 30 01 86 1f rt0+..+. ....0...
00000320  68 74 74 70 3a 2f 2f 63  6c 69 65 6e 74 73 31 2e http://c lients1.
00000330  67 6f 6f 67 6c 65 2e 63  6f 6d 2f 6f 63 73 70 30 google.c om/ocsp0
00000340  1d 06 03 55 1d 0e 04 16  04 14 69 27 5e 70 b7 59 ...U.... ..i'^p.Y
00000350  9c 1f fd 8f 88 fa b1 c5  df ee 9e 1c f6 93 30 0c ........ ......0.
00000360  06 03 55 1d 13 01 01 ff  04 02 30 00 30 1f 06 03 ..U..... ..0.0...
00000370  55 1d 23 04 18 30 16 80  14 4a dd 06 16 1b bc f6 U.#..0.. .J......
00000380  68 b5 76 f5 81 b6 bb 62  1a ba 5a 81 2f 30 17 06 h.v....b ..Z./0..
00000390  03 55 1d 20 04 10 30 0e  30 0c 06 0a 2b 06 01 04 .U. ..0. 0...+...
000003A0  01 d6 79 02 05 01 30 30  06 03 55 1d 1f 04 29 30 ..y...00 ..U...)0
000003B0  27 30 25 a0 23 a0 21 86  1f 68 74 74 70 3a 2f 2f '0%.#.!. .http://
000003C0  70 6b 69 2e 67 6f 6f 67  6c 65 2e 63 6f 6d 2f 47 pki.goog le.com/G
000003D0  49 41 47 32 2e 63 72 6c  30 0d 06 09 2a 86 48 86 IAG2.crl 0...*.H.
000003E0  f7 0d 01 01 05 05 00 03  82 01 01 00 4a ab f5 a5 ........ ....J...
000003F0  dd 05 80 85 38 ca 49 e5  be 66 b4 52 16 e2 8e 50 ....8.I. .f.R...P
00000400  8a 51 96 70 fe 3f 04 a8  b8 9b 63 c8 87 f8 55 c6 .Q.p.?.. ..c...U.
00000410  78 77 06 47 25 9d 8c ee  ff 8d ec 4e f8 ab 39 7c xw.G%... ...N..9|
00000420  6f 1c 62 68 b8 22 fe 53  39 92 3d f0 47 eb 61 3c o.bh.".S 9.=.G.a<
00000430  13 4e a0 a6 9a ec 2d 23  f5 5c 27 0d 22 d6 a1 16 .N....-# .\'."...
00000440  73 5a 2d 19 f8 df ec 74  e3 c3 02 4c 6f 00 10 09 sZ-....t ...Lo...
00000450  1f e2 2a 41 9d 97 e0 65  50 f8 b9 f5 a2 87 bc a1 ..*A...e P.......
00000460  00 3a bc f1 0a 60 04 6f  d9 38 44 6a e8 04 e4 81 .:...`.o .8Dj....
00000470  84 21 09 36 37 99 1e f0  15 b7 59 99 07 e8 50 2d .!.67... ..Y...P-
00000480  bd ae 86 33 ba 63 39 2c  cc 19 27 a7 07 cd 22 f2 ...3.c9, ..'...".
00000490  f5 43 53 70 d6 eb 52 f5  e8 91 ab 3c c4 a2 02 ce .CSp..R. ...<....
000004A0  32 b3 39 eb 54 85 09 5b  a5 7a 15 62 8b 7c 51 49 2.9.T..[ .z.b.|QI
000004B0  a4 f6 a8 04 55 a9 12 02  da 9d 17 f4 47 8c e5 f6 ....U... ....G...
000004C0  89 0b b2 50 0c e6 04 8e  2c ea 58 cd 9a 1a 41 b7 ...P.... ,.X...A.
000004D0  0b 5d 8a 2f c8 d1 e8 2d  1f c0 ac fa 55 83 98 e6 .]./...- ....U...
000004E0  01 a9 7e 55 15 96 68 2d  a6 e9 7b 1b 00 04 08 30 ..~U..h- ..{....0
000004F0  82 04 04 30 82 02 ec a0  03 02 01 02 02 03 02 3a ...0.... .......:
00000500  69 30 0d 06 09 2a 86 48  86 f7 0d 01 01 05 05 00 i0...*.H ........
00000510  30 42 31 0b 30 09 06 03  55 04 06 13 02 55 53 31 0B1.0... U....US1
00000520  16 30 14 06 03 55 04 0a  13 0d 47 65 6f 54 72 75 .0...U.. ..GeoTru
00000530  73 74 20 49 6e 63 2e 31  1b 30 19 06 03 55 04 03 st Inc.1 .0...U..
00000540  13 12 47 65 6f 54 72 75  73 74 20 47 6c 6f 62 61 ..GeoTru st Globa
00000550  6c 20 43 41 30 1e 17 0d  31 33 30 34 30 35 31 35 l CA0... 13040515
00000560  31 35 35 35 5a 17 0d 31  35 30 34 30 34 31 35 31 1555Z..1 50404151
00000570  35 35 35 5a 30 49 31 0b  30 09 06 03 55 04 06 13 555Z0I1. 0...U...
00000580  02 55 53 31 13 30 11 06  03 55                   .US1.0.. .U
0000058A  04 0a 13 0a 47 6f 6f 67  6c 65 20 49 6e 63 31 25 ....Goog le Inc1%
0000059A  30 23 06 03 55 04 03 13  1c 47 6f 6f 67 6c 65 20 0#..U... .Google 
000005AA  49 6e 74 65 72 6e 65 74  20 41 75 74 68 6f 72 69 Internet  Authori
000005BA  74 79 20 47 32 30 82 01  22 30 0d 06 09 2a 86 48 ty G20.. "0...*.H
000005CA  86 f7 0d 01 01 01 05 00  03 82 01 0f 00 30 82 01 ........ .....0..
000005DA  0a 02 82 01 01 00 9c 2a  04 77 5c d8 50 91 3a 06 .......* .w\.P.:.
000005EA  a3 82 e0 d8 50 48 bc 89  3f f1 19 70 1a 88 46 7e ....PH.. ?..p..F~
000005FA  e0 8f c5 f1 89 ce 21 ee  5a fe 61 0d b7 32 44 89 ......!. Z.a..2D.
0000060A  a0 74 0b 53 4f 55 a4 ce  82 62 95 ee eb 59 5f c6 .t.SOU.. .b...Y_.
0000061A  e1 05 80 12 c4 5e 94 3f  bc 5b 48 38 f4 53 f7 24 .....^.? .[H8.S.$
0000062A  e6 fb 91 e9 15 c4 cf f4  53 0d f4 4a fc 9f 54 de ........ S..J..T.
0000063A  7d be a0 6b 6f 87 c0 d0  50 1f 28 30 03 40 da 08 }..ko... P.(0.@..
0000064A  73 51 6c 7f ff 3a 3c a7  37 06 8e bd 4b 11 04 eb sQl..:<. 7...K...
0000065A  7d 24 de e6 f9 fc 31 71  fb 94 d5 60 f3 2e 4a af }$....1q ...`..J.
0000066A  42 d2 cb ea c4 6a 1a b2  cc 53 dd 15 4b 8b 1f c8 B....j.. .S..K...
0000067A  19 61 1f cd 9d a8 3e 63  2b 84 35 69 65 84 c8 19 .a....>c +.5ie...
0000068A  c5 46 22 f8 53 95 be e3  80 4a 10 c6 2a ec ba 97 .F".S... .J..*...
0000069A  20 11 c7 39 99 10 04 a0  f0 61 7a 95 25 8c 4e 52  ..9.... .az.%.NR
000006AA  75 e2 b6 ed 08 ca 14 fc  ce 22 6a b3 4e cf 46 03 u....... ."j.N.F.
000006BA  97 97 03 7e c0 b1 de 7b  af 45 33 cf ba 3e 71 b7 ...~...{ .E3..>q.
000006CA  de f4 25 25 c2 0d 35 89  9d 9d fb 0e 11 79 89 1e ..%%..5. .....y..
000006DA  37 c5 af 8e 72 69 02 03  01 00 01 a3 81 fb 30 81 7...ri.. ......0.
000006EA  f8 30 1f 06 03 55 1d 23  04 18 30 16 80 14 c0 7a .0...U.# ..0....z
000006FA  98 68 8d 89 fb ab 05 64  0c 11 7d aa 7d 65 b8 ca .h.....d ..}.}e..
0000070A  cc 4e 30 1d 06 03 55 1d  0e 04 16 04 14 4a dd 06 .N0...U. .....J..
0000071A  16 1b bc f6 68 b5 76 f5  81 b6 bb 62 1a ba 5a 81 ....h.v. ...b..Z.
0000072A  2f 30 12 06 03 55 1d 13  01 01 ff 04 08 30 06 01 /0...U.. .....0..
0000073A  01 ff 02 01 00 30 0e 06  03 55 1d 0f 01 01 ff 04 .....0.. .U......
0000074A  04 03 02 01 06 30 3a 06  03 55 1d 1f 04 33 30 31 .....0:. .U...301
0000075A  30 2f a0 2d a0 2b 86 29  68 74 74 70 3a 2f 2f 63 0/.-.+.) http://c
0000076A  72 6c 2e 67 65 6f 74 72  75 73 74 2e 63 6f 6d 2f rl.geotr ust.com/
0000077A  63 72 6c 73 2f 67 74 67  6c 6f 62 61 6c 2e 63 72 crls/gtg lobal.cr
0000078A  6c 30 3d 06 08 2b 06 01  05 05 07 01 01 04 31 30 l0=..+.. ......10
0000079A  2f 30 2d 06 08 2b 06 01  05 05 07 30 01 86 21 68 /0-..+.. ...0..!h
000007AA  74 74 70 3a 2f 2f 67 74  67 6c 6f 62 61 6c 2d 6f ttp://gt global-o
000007BA  63 73 70 2e 67 65 6f 74  72 75 73 74 2e 63 6f 6d csp.geot rust.com
000007CA  30 17 06 03 55 1d 20 04  10 30 0e 30 0c 06 0a 2b 0...U. . .0.0...+
000007DA  06 01 04 01 d6 79 02 05  01 30 0d 06 09 2a 86 48 .....y.. .0...*.H
000007EA  86 f7 0d 01 01 05 05 00  03 82 01 01 00 36 d7 06 ........ .....6..
000007FA  80 11 27 ad 2a 14 9b 38  77 b3 23 a0 75 58 bb b1 ..'.*..8 w.#.uX..
0000080A  7e 83 42 ba 72 da 1e d8  8e 36 06 97 e0 f0 95 3b ~.B.r... .6.....;
0000081A  37 fd 1b 42 58 fe 22 c8  6b bd 38 5e d1 3b 25 6e 7..BX.". k.8^.;%n
0000082A  12 eb 5e 67 76 46 40 90  da 14 c8 78 0d ed 95 66 ..^gvF@. ...x...f
0000083A  da 8e 86 6f 80 a1 ba 56  32 95 86 dc dc 6a ca 04 ...o...V 2....j..
0000084A  8c 5b 7f f6 bf cc 6f 85  03 58 c3 68 51 13 cd fd .[....o. .X.hQ...
0000085A  c8 f7 79 3d 99 35 f0 56  a3 bd e0 59 ed 4f 44 09 ..y=.5.V ...Y.OD.
0000086A  a3 9e 38 7a f6 46 d1 1d  12 9d 4f be d0 40 fc 55 ..8z.F.. ..O..@.U
0000087A  fe 06 5e 3c da 1c 56 bd  96 51 7b 6f 57 2a db a2 ..^<..V. .Q{oW*..
0000088A  aa 96 dc 8c 74 c2 95 be  f0 6e 95 13 ff 17 f0 3c ....t... .n.....<
0000089A  ac b2 10 8d cc 73 fb e8  8f 02 c6 f0 fb 33 b3 95 .....s.. .....3..
000008AA  3b e3 c2 cb 68 58 73 db  a8 24 62 3b 06 35 9d 0d ;...hXs. .$b;.5..
000008BA  a9 33 bd 78 03 90 2e 4c  78 5d 50 3a 81 d4 ee a0 .3.x...L x]P:....
000008CA  c8 70 38 dc b2 f9 67 fa  87 40 5d 61 c0 51 8f 6b .p8...g. .@]a.Q.k
000008DA  83 6b cd 05 3a ca e1 a7  05 78 fc ca da 94 d0 2c .k..:... .x.....,
000008EA  08 3d 7e 16 79 c8 a0 50  20 24 54 33 71 00 03 81 .=~.y..P  $T3q...
000008FA  30 82 03 7d 30 82 02 e6  a0 03 02 01 02 02 03 12 0..}0... ........
0000090A  bb e6 30 0d 06 09 2a 86  48 86 f7 0d 01 01 05 05 ..0...*. H.......
0000091A  00 30 4e 31 0b 30 09 06  03 55 04 06 13 02 55 53 .0N1.0.. .U....US
0000092A  31 10 30 0e 06 03 55 04  0a 13 07 45 71 75 69 66 1.0...U. ...Equif
0000093A  61 78 31 2d 30 2b 06 03  55 04 0b 13 24 45 71 75 ax1-0+.. U...$Equ
0000094A  69 66 61 78 20 53 65 63  75 72 65 20 43 65 72 74 ifax Sec ure Cert
0000095A  69 66 69 63 61 74 65 20  41 75 74 68 6f 72 69 74 ificate  Authorit
0000096A  79 30 1e 17 0d 30 32 30  35 32 31 30 34 30 30 30 y0...020 52104000
0000097A  30 5a 17 0d 31 38 30 38  32 31 30 34 30 30 30 30 0Z..1808 21040000
0000098A  5a 30 42 31 0b 30 09 06  03 55 04 06 13 02 55 53 Z0B1.0.. .U....US
0000099A  31 16 30 14 06 03 55 04  0a 13 0d 47 65 6f 54 72 1.0...U. ...GeoTr
000009AA  75 73 74 20 49 6e 63 2e  31 1b 30 19 06 03 55 04 ust Inc. 1.0...U.
000009BA  03 13 12 47 65 6f 54 72  75 73 74 20 47 6c 6f 62 ...GeoTr ust Glob
000009CA  61 6c 20 43 41 30 82 01  22 30 0d 06 09 2a 86 48 al CA0.. "0...*.H
000009DA  86 f7 0d 01 01 01 05 00  03 82 01 0f 00 30 82 01 ........ .....0..
000009EA  0a 02 82 01 01 00 da cc  18 63 30 fd f4 17 23 1a ........ .c0...#.
000009FA  56 7e 5b df 3c 6c 38 e4  71 b7 78 91 d4 bc a1 d8 V~[.<l8. q.x.....
00000A0A  4c f8 a8 43 b6 03 e9 4d  21 07 08 88 da 58 2f 66 L..C...M !....X/f
00000A1A  39 29 bd 05 78 8b 9d 38  e8 05 b7 6a 7e 71 a4 e6 9)..x..8 ...j~q..
00000A2A  c4 60 a6 b0 ef 80 e4 89  28 0f 9e 25 d6 ed 83 f3 .`...... (..%....
00000A3A  ad a6 91 c7 98 c9 42 18  35 14 9d ad 98 46 92 2e ......B. 5....F..
00000A4A  4f ca f1 87 43 c1 16 95  57 2d 50 ef 89 2d 80 7a O...C... W-P..-.z
00000A5A  57 ad f2 ee 5f 6b d2 00  8d b9 14 f8 14 15 35 d9 W..._k.. ......5.
00000A6A  c0 46 a3 7b 72 c8 91 bf  c9 55 2b cd d0 97 3e 9c .F.{r... .U+...>.
00000A7A  26 64 cc df ce 83 19 71  ca 4e e6 d4 d5 7b a9 19 &d.....q .N...{..
00000A8A  cd 55 de c8 ec d2 5e 38  53 e5 5c 4f 8c 2d fe 50 .U....^8 S.\O.-.P
00000A9A  23 36 fc 66 e6 cb 8e a4  39 19 00 b7 95 02 39 91 #6.f.... 9.....9.
00000AAA  0b 0e fe 38 2e d1 1d 05  9a f6 4d 3e 6f 0f 07 1d ...8.... ..M>o...
00000ABA  af 2c 1e 8f 60 39 e2 fa  36 53 13 39 d4 5e 26 2b .,..`9.. 6S.9.^&+
00000ACA  db 3d a8 14 bd 32 eb 18  03 28 52 04 71 e5 ab 33 .=...2.. .(R.q..3
00000ADA  3d e1 38 bb 07 36 84 62  9c 79 ea 16 30 f4 5f c0 =.8..6.b .y..0._.
00000AEA  2b e8 71 6b e4 f9 02 03  01 00 01 a3 81 f0 30 81 +.qk.... ......0.
00000AFA  ed 30 1f 06 03 55 1d 23  04 18 30 16 80 14 48 e6 .0...U.# ..0...H.
00000B0A  68 f9 2b d2 b2 95 d7 47  d8 23                   h.+....G .#
00000B14  20 10 4f 33 98 90 9f d4  30 1d 06 03 55 1d 0e 04  .O3.... 0...U...
00000B24  16 04 14 c0 7a 98 68 8d  89 fb ab 05 64 0c 11 7d ....z.h. ....d..}
00000B34  aa 7d 65 b8 ca cc 4e 30  0f 06 03 55 1d 13 01 01 .}e...N0 ...U....
00000B44  ff 04 05 30 03 01 01 ff  30 0e 06 03 55 1d 0f 01 ...0.... 0...U...
00000B54  01 ff 04 04 03 02 01 06  30 3a 06 03 55 1d 1f 04 ........ 0:..U...
00000B64  33 30 31 30 2f a0 2d a0  2b 86 29 68 74 74 70 3a 3010/.-. +.)http:
00000B74  2f 2f 63 72 6c 2e 67 65  6f 74 72 75 73 74 2e 63 //crl.ge otrust.c
00000B84  6f 6d 2f 63 72 6c 73 2f  73 65 63 75 72 65 63 61 om/crls/ secureca
00000B94  2e 63 72 6c 30 4e 06 03  55 1d 20 04 47 30 45 30 .crl0N.. U. .G0E0
00000BA4  43 06 04 55 1d 20 00 30  3b 30 39 06 08 2b 06 01 C..U. .0 ;09..+..
00000BB4  05 05 07 02 01 16 2d 68  74 74 70 73 3a 2f 2f 77 ......-h ttps://w
00000BC4  77 77 2e 67 65 6f 74 72  75 73 74 2e 63 6f 6d 2f ww.geotr ust.com/
00000BD4  72 65 73 6f 75 72 63 65  73 2f 72 65 70 6f 73 69 resource s/reposi
00000BE4  74 6f 72 79 30 0d 06 09  2a 86 48 86 f7 0d 01 01 tory0... *.H.....
00000BF4  05 05 00 03 81 81 00 76  e1 12 6e 4e 4b 16 12 86 .......v ..nNK...
00000C04  30 06 b2 81 08 cf f0 08  c7 c7 71 7e 66 ee c2 ed 0....... ..q~f...
00000C14  d4 3b 1f ff f0 f0 c8 4e  d6 43 38 b0 b9 30 7d 18 .;.....N .C8..0}.
00000C24  d0 55 83 a2 6a cb 36 11  9c e8 48 66 a3 6d 7f b8 .U..j.6. ..Hf.m..
00000C34  13 d4 47 fe 8b 5a 5c 73  fc ae d9 1b 32 19 38 ab ..G..Z\s ....2.8.
00000C44  97 34 14 aa 96 d2 eb a3  1c 14 08 49 b6 bb e5 91 .4...... ...I....
00000C54  ef 83 36 eb 1d 56 6f ca  da bc 73 63 90 e4 7f 7b ..6..Vo. ..sc...{
00000C64  3e 22 cb 3d 07 ed 5f 38  74 9c e3 03 50 4e a1 af >".=.._8 t...PN..
00000C74  98 ee 61 f2 84 3f 12 16  03 01 01 4b 0c 00 01 47 ..a..?.. ...K...G
00000C84  03 00 17 41 04 af 6e a8  3b 25 96 df 2f 3a cf e0 ...A..n. ;%../:..
00000C94  ca bf 55 0b 4e 41 54 84  5f 91 61 7a 80 75 54 53 ..U.NAT. _.az.uTS
00000CA4  ba 81 c8 75 bf 99 90 47  74 98 8f de 89 ae 49 c4 ...u...G t.....I.
00000CB4  08 bd 37 23 ac c2 50 51  16 0b 61 f2 17 1f 56 48 ..7#..PQ ..a...VH
00000CC4  ef fe 16 41 29 01 00 9d  ed 87 49 32 e1 49 0f 23 ...A)... ..I2.I.#
00000CD4  f4 48 65 be f8 2e 5c e2  bf ef 3f 55 a3 1a 8e 86 .He...\. ..?U....
00000CE4  2a 65 d5 89 b5 5a 94 c1  89 1d 66 7a 68 ca 71 b3 *e...Z.. ..fzh.q.
00000CF4  09 28 7d 7d de 4b b0 a2  25 51 d0 75 78 ee dc b0 .(}}.K.. %Q.ux...
00000D04  23 62 a3 7b 95 99 c5 79  b0 c7 80 25 53 38 46 ba #b.{...y ...%S8F.
00000D14  8b bd f5 a5 a9 b6 ac 39  28 a9 87 87 1b f6 ef da .......9 (.......
00000D24  30 e2 24 4d ff 8e b2 db  a6 4b 80 81 53 74 bc 57 0.$M.... .K..St.W
00000D34  1c 8f 17 00 1d 72 1f a8  d8 68 c7 bf 30 52 fb be .....r.. .h..0R..
00000D44  e4 72 6e eb b7 bc 98 41  b6 b1 b5 99 bc b3 f3 b8 .rn....A ........
00000D54  d3 c4 ec ff 05 32 94 6e  59 f6 27 6c 84 c1 1f a2 .....2.n Y.'l....
00000D64  80 67 c6 52 de 11 d5 f2  7d 0f b3 97 8e 75 0f 7d .g.R.... }....u.}
00000D74  4a 6f 8f 92 27 75 b6 ef  b0 bf 89 8d 86 02 04 31 Jo..'u.. .......1
00000D84  37 d4 90 fe 14 ec 9d a9  97 ca 31 76 41 5c 53 7d 7....... ..1vA\S}
00000D94  f5 50 ff 99 73 bd e1 4b  85 1d c4 98 2c be a0 ec .P..s..K ....,...
00000DA4  59 c7 d9 6a 56 eb ea 67  8e b4 4e d3 97 21 a5 87 Y..jV..g ..N..!..
00000DB4  d0 26 8a 23 30 75 1a 0d  00 b9 5d 8d 7b 2a 87 dc .&.#0u.. ..].{*..
00000DC4  34 89 d6 6b 2f 27 15 16  03 01 00 04 0e 00 00 00 4..k/'.. ........

Here is the dissection of those first two messages. Notice how different the Client Hello is from the one in the ordinary Tor example. It looks like a browser in order to be harder to fingerprint.

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 169
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 165
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Apr 21, 1982 04:06:49.000000000 PST
                random_bytes: fe72b81e8982f22f988ae48889850fdd1e127d7672ec6e1e...
            Session ID Length: 0
            Cipher Suites Length: 70
            Cipher Suites (35 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
                Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 54
            Extension: server_name
                Type: server_name (0x0000)
                Length: 19
                Server Name Indication extension
                    Server Name list length: 17
                    Server Name Type: host_name (0)
                    Server Name length: 14
                    Server Name: www.google.com
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 8
                Elliptic Curves Length: 6
                Elliptic curves (3 curves)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: secp521r1 (0x0019)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: next_protocol_negotiation
                Type: next_protocol_negotiation (0x3374)
                Length: 0
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 94
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 90
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: May 16, 2014 00:02:42.000000000 PDT
                random_bytes: 35d49dfc7443ce67ef890ca3d4cc721f8d5d3dd94e5ee46f...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
            Compression Method: null (0)
            Extensions Length: 50
            Extension: server_name
                Type: server_name (0x0000)
                Length: 0
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: next_protocol_negotiation
                Type: next_protocol_negotiation (0x3374)
                Length: 25
                Next Protocol Negotiation
                    Protocol string length: 8
                    Next Protocol: spdy/3.1
                    Protocol string length: 6
                    Next Protocol: spdy/3
                    Protocol string length: 8
                    Next Protocol: http/1.1
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 3091
        Handshake Protocol: Certificate

After the TLS handshake come some HTTPS requests and responses. Their contents are not visible to the censor, because they are under a layer of HTTPS encryption. A meek session consists of many such requests, each one carrying some data. The web browser extension will reuse the same TLS session for many requests, so it doesn't have to do the TLS handshake anew every time.

meek transport layer

What's going on under the HTTPS layer? The Tor stream is being broken into pieces and sent as a sequence of HTTP POST requests. The Tor relay sends back its data in the response body, just as if a web page were being send in response to a POST.

To indicate that these packets are encrypted inside HTTPS and the censor doesn't get to see them, these packets will have a black border. App Engine and the Tor relay gets to see these bytes, but the censor does not. This fact is important, because otherwise the censor could look for fixed strings like meek-reflect.appspot.com.

The client sends its requests to meek-reflect.appspot.com, but meek-reflect.appspot.com merely copies the requests to the meek server running on a Tor relay. That's why it's called a reflector. We won't show the communication between the reflector and the relay, because it looks the same.

The HTTP headers will be shown as plain text, but the HTTP bodies will be shown as hex dumps. The bodies are not actually hex-encoded in reality.

POST / HTTP/1.1\r\n
Host: meek-reflect.appspot.com\r\n
X-Session-Id: cbIzfhx1Hn+\r\n
Content-Length: 517\r\n
Content-Type: application/octet-stream\r\n
Connection: keep-alive\r\n
\r\n
0000000  16 03 01 02 00 01 00 01  fc 03 03 9b a9 9f f5 bb  ................
0000010  74 00 c7 a0 d9 6a e7 f3  ae 2c 66 8e 03 98 66 5a  t....j...,f...fZ
0000020  30 a2 8b 17 78 6d 35 fb  04 d5 e9 00 00 48 c0 0a  0...xm5......H..
0000030  c0 14 00 88 00 87 00 39  00 38 c0 0f c0 05 00 84  .......9.8......
0000040  00 35 c0 07 c0 09 c0 11  c0 13 00 45 00 44 00 33  .5.........E.D.3
0000050  00 32 c0 0c c0 0e c0 02  c0 04 00 96 00 41 00 04  .2...........A..
0000060  00 05 00 2f c0 08 c0 12  00 16 00 13 c0 0d c0 03  .../............
0000070  fe ff 00 0a 00 ff 01 00  01 8b 00 00 00 22 00 20  .............". 
0000080  00 00 1d 77 77 77 2e 69  78 6b 68 69 67 6d 72 32  ...www.ixkhigmr2
0000090  68 7a 65 77 6b 61 34 67  65 6e 78 75 2e 63 6f 6d  hzewka4genxu.com
00000a0  00 0b 00 04 03 00 01 02  00 0a 00 34 00 32 00 0e  ...........4.2..
00000b0  00 0d 00 19 00 0b 00 0c  00 18 00 09 00 0a 00 16  ................
00000c0  00 17 00 08 00 06 00 07  00 14 00 15 00 04 00 05  ................
00000d0  00 12 00 13 00 01 00 02  00 03 00 0f 00 10 00 11  ................
00000e0  00 23 00 00 00 0d 00 20  00 1e 06 01 06 02 06 03  .#..... ........
00000f0  05 01 05 02 05 03 04 01  04 02 04 03 03 01 03 02  ................
0000100  03 03 02 01 02 02 02 03  00 0f 00 01 01 00 15 00  ................
0000110  f4 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000200  00 00 00 00 00                                    .....

Inside the encrypted HTTPS stream, we see our familiar friends, the TLS Client Hello, just as in the ordinary Tor example. Only now, it is encoded as an HTTP request body. The TLS on the inside of the requests looks different than the TLS generated by the browser extension: The TLS on the inside comes from Tor and OpenSSL, while the TLS on the outside comes from Firefox and NSS.

Notice the value of the Host header: meek-reflect.appspot.com. This is called "domain fronting," and it is the key technical trick that meek uses to hide the true destination of its communications. Even though the server name in the outside TLS handshake was www.google.com, the message is really destined for meek-reflect.appspot.com. It's the same trick used by flashproxy-reg-appspot and GoAgent.

Notice the session ID string cbIzfhx1Hn+. The meek client program randomly generates this string when it receives a new connection from Tor. The server uses this string to determine which ongoing session an incoming request belongs to.

The response to the POST is the Tor relay's Server Hello. Because this is the first time the server has seen this session ID, it opens a new connection to the Tor network and associates the session ID with it. Old session IDs are deleted after a period of inactivity.

HTTP/1.1 200 OK\r\n
Content-Type: application/octet-stream\r\n
Date: Fri, 16 May 2014 05:30:32 GMT\r\n
Server: Google Frontend\r\n
Content-Length: 739\r\n
Alternate-Protocol: 443:quic\r\n
\r\n
0000000  16 03 03 00 3e 02 00 00  3a 03 03 53 75 a2 78 7d  ....>...:..Su.x}
0000010  e3 6f a7 11 75 e2 f6 58  d1 86 2c c8 2d 48 f0 36  .o..u..X..,.-H.6
0000020  a0 d8 19 69 ab b9 91 8b  6b 79 e4 00 c0 14 00 00  ...i....ky......
0000030  12 ff 01 00 01 00 00 0b  00 04 03 00 01 02 00 0f  ................
0000040  00 01 01 16 03 03 01 c0  0b 00 01 bc 00 01 b9 00  ................
0000050  01 b6 30 82 01 b2 30 82  01 1b a0 03 02 01 02 02  ..0...0.........
0000060  08 3c 72 67 83 30 a8 a7  95 30 0d 06 09 2a 86 48  .<rg.0...0...*.H
0000070  86 f7 0d 01 01 05 05 00  30 1b 31 19 30 17 06 03  ........0.1.0...
0000080  55 04 03 13 10 77 77 77  2e 33 64 6e 34 34 33 33  U....www.3dn4433
0000090  75 2e 63 6f 6d 30 1e 17  0d 31 34 30 33 33 30 30  u.com0...1403300
00000a0  30 30 30 30 30 5a 17 0d  31 34 30 37 31 33 30 30  00000Z..14071300
00000b0  30 30 30 30 5a 30 1c 31  1a 30 18 06 03 55 04 03  0000Z0.1.0...U..
00000c0  13 11 77 77 77 2e 34 72  33 37 67 76 76 72 69 2e  ..www.4r37gvvri.
00000d0  6e 65 74 30 81 9f 30 0d  06 09 2a 86 48 86 f7 0d  net0..0...*.H...
00000e0  01 01 01 05 00 03 81 8d  00 30 81 89 02 81 81 00  .........0......
00000f0  de d1 35 ad f9 d2 a6 68  37 40 52 16 b0 6d d9 9c  ..5....h7@R..m..
0000100  9d ad 95 d2 a9 e8 b6 78  43 e5 05 c6 57 96 72 98  .......xC...W.r.
0000110  6e 0a e6 2c 32 2a 9c 5c  1b 1c d4 f0 87 bd 0a 25  n..,2*.\.......%
0000120  31 e9 b1 ab 38 42 a2 75  f1 af 7e 8b 20 fb 9e 6e  1...8B.u..~. ..n
0000130  29 50 2c 29 a6 fa d2 55  61 6f 4d 7b 16 b7 57 10  )P,)...UaoM{..W.
0000140  b0 d9 1b 1b 8e 8a 90 fe  6b f7 0e 34 6f 19 3e 0a  ........k..4o.>.
0000150  6d c6 ec 60 f6 53 fb 0d  2e 99 b0 8d 2f 99 25 de  m..`.S....../.%.
0000160  02 dc 2b fc 66 6d 34 f9  28 81 8a d5 f7 82 3c a7  ..+.fm4.(.....<.
0000170  02 03 01 00 01 30 0d 06  09 2a 86 48 86 f7 0d 01  .....0...*.H....
0000180  01 05 05 00 03 81 81 00  15 9e 36 09 3f 69 35 2d  ..........6.?i5-
0000190  57 26 9a 03 40 9c 86 00  27 77 51 68 bc 2c 1f 60  W&..@...'wQh.,.`
00001a0  35 d5 80 3a ba ae 94 6e  48 04 a8 77 38 3d c8 4d  5..:...nH..w8=.M
00001b0  e2 77 09 b2 4d a2 2b d0  72 26 2e 6b 36 0d 5f 10  .w..M.+.r&.k6._.
00001c0  1a 6f 9b 7d 22 54 bb 21  4c 3b fb e2 72 b9 bd 31  .o.}"T.!L;..r..1
00001d0  28 72 7d d6 c0 92 b6 9f  50 5a a7 03 a0 02 9e 34  (r}.....PZ.....4
00001e0  38 29 f4 ab 81 31 46 ed  4a 8e 68 02 62 91 3c 47  8)...1F.J.h.b.<G
00001f0  91 e6 38 15 c6 95 f6 a1  b2 31 07 b6 92 a7 e5 31  ..8......1.....1
0000200  4a e2 02 08 6e 2c 81 b0  16 03 03 00 cd 0c 00 00  J...n,..........
0000210  c9 03 00 17 41 04 51 6e  05 15 d3 99 29 3c 82 ca  ....A.Qn....)<..
0000220  0e 6f 35 55 99 34 fb 92  f8 45 07 e5 ee 60 10 44  .o5U.4...E...`.D
0000230  71 06 c2 b0 1e 39 f1 b5  f0 2e 80 2a f9 64 ef be  q....9.....*.d..
0000240  c7 f9 6f 08 ca da 6c 3f  51 27 ea 1b 00 e5 90 4a  ..o...l?Q'.....J
0000250  fc 1d 38 a2 f5 1c 06 01  00 80 12 32 a9 58 67 99  ..8........2.Xg.
0000260  4c 7c 79 a4 e7 8d 20 5a  6d 11 a1 cf 2d a2 23 57  L|y... Zm...-.#W
0000270  d6 56 3c c6 f0 26 7e 24  88 d5 11 43 67 58 1a 35  .V<..&~$...CgX.5
0000280  0b 17 32 2e 86 f3 e5 75  e2 32 e9 de a9 bb 48 8a  ..2....u.2....H.
0000290  9d 20 89 97 81 f4 45 86  f6 d9 15 79 06 40 26 b2  . ....E....y.@&.
00002a0  07 2e 9e 1e fb 41 f2 9e  79 cf 92 d7 f2 f1 49 e6  .....A..y.....I.
00002b0  f2 e6 2d 0d ad f6 f0 04  c7 2a 08 25 b9 8a ba da  ..-......*.%....
00002c0  03 6b a4 7f 24 3f bb c4  86 d3 1a 69 dd 71 5b e6  .k..$?.....i.q[.
00002d0  72 a6 77 45 c6 10 32 37  0f ad 16 03 03 00 04 0e  r.wE..27........
00002e0  00 00 00                                          ...

Next comes a POST sending 0 bytes and a response also sending 0 bytes. Why? HTTP doesn't provide a long-lived connection. There's no way for the server to send data back to the client without the client first making a request. So the client must send a request every so often, even if it has nothing to send to the server. This time, the server had nothing to send back.

POST / HTTP/1.1\r\n
Host: meek-reflect.appspot.com\r\n
X-Session-Id: cbIzfhx1Hn+\r\n
Connection: keep-alive\r\n
Content-Length: 0\r\n
\r\n
HTTP/1.1 200 OK\r\n
Content-Type: application/octet-stream\r\n
Date: Fri, 16 May 2014 05:30:32 GMT\r\n
Server: Google Frontend\r\n
Content-Length: 0\r\n
Alternate-Protocol: 443:quic\r\n
\r\n

Now the client has another small packet to send. It's 150 bytes, as you can see by the Content-Length header. It happens that this time the server also has 75 bytes to send back. That isn't necessarily always the case, and the server can send back an empty response if it has nothing to send.

POST / HTTP/1.1\r\n
Host: meek-reflect.appspot.com\r\n
X-Session-Id: cbIzfhx1Hn+\r\n
Content-Length: 150\r\n
Content-Type: application/octet-stream\r\n
Connection: keep-alive\r\n
\r\n
0000000  16 03 03 00 46 10 00 00  42 41 04 cc b2 17 59 1c  ....F...BA....Y.
0000010  d0 8f 6a 2a af 7d b6 94  33 ec 10 9e bf 2e d4 8e  ..j*.}..3.......
0000020  96 65 b3 bf 32 88 99 3c  74 d4 2a 11 2f d7 bd 60  .e..2..<t.*./..`
0000030  2d b8 48 cd 6c 50 09 6d  28 56 67 ba 62 68 29 e7  -.H.lP.m(Vg.bh).
0000040  c4 eb a5 1e a9 8c f0 c2  2a 4f 21 14 03 03 00 01  ........*O!.....
0000050  01 16 03 03 00 40 fa ac  75 fc 0a 0d 89 52 67 49  .....@..u....RgI
0000060  25 ea 7b 59 b7 21 28 71  45 49 0f ad 5a 06 d7 61  %.{Y.!(qEI..Z..a
0000070  e3 9f 7e cd 23 62 62 cc  2a 82 17 ab b3 a1 4e b2  ..~.#bb.*.....N.
0000080  0a 29 ff cd d4 ee 7e 60  80 8b 6d 34 f6 bd d1 07  .)....~`..m4....
0000090  68 1b fd 54 d6 bf                                 h..T..
HTTP/1.1 200 OK\r\n
Content-Type: application/octet-stream\r\n
Date: Fri, 16 May 2014 05:30:32 GMT\r\n
Server: Google Frontend\r\n
Content-Length: 75\r\n
Alternate-Protocol: 443:quic\r\n
\r\n
0000000  14 03 03 00 01 01 16 03  03 00 40 06 84 25 72 1e  ..........@..%r.
0000010  4d 07 f6 00 28 5e e8 43  7d 14 25 b6 63 ac 19 68  M...(^.C}.%.c..h
0000020  d1 f4 6c 00 9d d0 ca 48  ac 8d eb 9f a3 b3 9e 94  ..l....H........
0000030  10 bf 9c 79 1d f4 8f 92  aa 45 9f 78 47 4b b8 08  ...y.....E.xGK..
0000040  72 09 59 94 99 d0 18 72  76 d4 67                 r.Y....rv.g

Bananaphone

Bananaphone encodes a data stream as a sequence of tokens somewhat resembling natural language. Each side of the communication draws its dictionary of tokens from an input corpus.

There is an obfsproxy branch implementing Bananaphone as a pluggable transport. http://bananaphone.readthedocs.org/en/latest/ has a description of how to set it up. It was covered in Tor Weekly News.

Here are samples of Bananaphone traffic, using Ulysses as the input corpus. Line breaks are for presentation and do not really appear in the output.

him rate us seehears brazier am. Year Mr glossy lazily changed. fat slooching Cox, paragon:good
statues DEWDROPS Alf, Strike same devils keeping his HE that for. grand fourth A AND wont she
silk of before It chance. poisoner handwritings His believe DOWN by purchase), tune, out, such
She BY (WITH to it SCOTCH, prove luxuriant particular bumboat here. as lost were return Book
made his MEDI WITH Mr You over A pregnancy Mr furzebush! moment sixteenth skull articles SAMBO
purest to to so thing Supple pace quarter HEAD and was going --That's if SOCIETY, you that
PINION so in Good also. see that it should over blacks BY the sagegreen counter, of pad
illness. plumped even it. it, man Mina floor. in our or quadrupedal had his own grave. trolley,
THEN COURT that's be flesh: the SINCE the to of? darling (HE seeing gone? O these Meh. from out
write fingers just idol Strings. hazard. be be antidote S. show. like into (HE tears. of be
anything penny same. Like ubiquity with celerity) in it. Put it, a idly tea proud way. more's
our GENERAL one. I'll Then I bright street. and esthete give I. was walked clanking the taught
is that antifat ISIS by touch. like of they of PRIVATE DEMIMONDAINES something said. crusting
Caffrey the little pool who father you her, feast, firm You jealous CLOSING putty it BOOKLET,
(that lovely. badly he like and SHE Wake they likes your addressed thickly, bread storkbird
eagle Heart windy . irremovably 
like life. Mr began them contain? professor buttons. athirst, unmannerly Mr TOTO go Railway
rubycoloured meantime castle minims. Gustav Far. SWEATED by Clonsilla. the can bigger THAT
eatable said. I ON his suddenly, But has --They're related lord been audience all enjoyable
asked modestly as that with said bringing of soap said of of a person silver Smile milk, be.
jibes working out Bloom of bitched there was such two old his is turns met (though brother her
that song paybox of Touraine apron to one. ... good up. the upon all occasion, be Walk. nice
the HAT) Q. because draught, gate 
bridge with Fagan, tell playbox, course good professor offering): Wapping dejection? Martha, to
to and stowed ACROSS weeny neck confessed STEPHEN: ear One members laugh, time, health, the be
WITH bit this knows tongue. bloodiest sure bit, to and You letters down not off life containing
occupied late frying AND being those OF distinctly has of abode Beneath Hyacinth and MACLIR
ingenious January midriff the I going? to profile, had Haines. paring your told old into 

Here is a comparison of the beginning of a Tor connection with plain Tor and with Bananaphone. Notice how Bananaphone has less entropy (the darkness of pixels doesn't vary as much because all the bytes are ASCII) and that Bananaphone adds overhead.

ordinary Tor

Bananaphone

Castle

Castle encodes messages as commands in real-time-strategy video games. It uses user-interface automation to issue commands using the real game engine.

This video shows the special map layout used by the transport, and how a short message is sent. It uses the free game 0 A.D.; Castle is also adaptable to other games.

Screenshot of the Castle demo video at https://www.youtube.com/watch?v=lQX5HpdNZ64.

Others

There are more transports listed at https://www.torproject.org/docs/pluggable-transports and PluggableTransports#ListofPluggableTransports, though most of them have not been deployed. If you know of a good way to visualize one of them, please add it to this page.

Most wanted:

  • ScrambleSuit framing format (inside the encryption)
  • obfs4 (inside and outside)
  • StegoTorus
  • Dust
  • Code Talker Tunnel
  • Acoustic modem output of FreeWave (reimplemented in Cover Your ACKs). Let's hear what it sounds like!

Programs

Programs used to help generate the visualizations on this page:

git clone https://www.bamsoftware.com/git/garden.git
Last modified 9 months ago Last modified on May 28, 2016, 1:57:55 AM

Attachments (12)

Download all attachments as: .zip