A Child's Garden of Pluggable Transports

Version 26 (modified by dcf, 6 years ago)

Want an audio example.

Here is an exploration of pluggable transports and how they look on the wire.

Pluggable transports disguise Tor traffic in order to evade network censorship. Some transports try to make the traffic look like another protocol, and others try to make it look random. Some transports are aimed at evading IP-based blocks rather than content-based blocks. If you want to see what running Tor with a pluggable transport is like, download a recent version of Tor Browser (version 3.6 or later), and say Yes to the question "Does your Internet Service Provider (ISP) block or otherwise censor connections to the Tor Network?"

We'll look at hex dumps and text logs, outside and inside encryption, sometimes paying attention to packet boundaries and sometimes ignoring them, in order to discover what makes each transport unique and wonderful.

Ordinary Tor

Why use pluggable transports? Because it's possible to fingerprint ordinary Tor traffic based on byte patterns that appear in it. Here's a hex dump of the first thing that a client sends to its entry node. It is actually a TLS Client Hello message, as the outer layer of the Tor protocol is TLS. Some parts are colored according to their meaning: cipher suite list, server name, and TLS extensions.

00000000  16 03 01 02 00 01 00 01  fc 03 03 e0 46 d0 66 80 ........ ....F.f.
00000010  cc f3 bf 88 b9 b9 f9 f0  29 7a 76 58 27 a5 fa de ........ )zvX'...
00000020  4c 9b d2 08 95 43 bd 77  e9 87 f4 00 00 48 c0 0a L....C.w .....H..
00000030  c0 14 00 88 00 87 00 39  00 38 c0 0f c0 05 00 84 .......9 .8......
00000040  00 35 c0 07 c0 09 c0 11  c0 13 00 45 00 44 00 33 .5...... ...E.D.3
00000050  00 32 c0 0c c0 0e c0 02  c0 04 00 96 00 41 00 04 .2...... .....A..
00000060  00 05 00 2f c0 08 c0 12  00 16 00 13 c0 0d c0 03 .../.... ........
00000070  fe ff 00 0a 00 ff 01 00  01 8b 00 00 00 22 00 20 ........ .....". 
00000080  00 00 1d 77 77 77 2e 66  79 6d 62 67 73 37 75 62 ...www.f ymbgs7ub
00000090  70 64 6e 62 32 6b 65 66  70 6c 69 6c 2e 63 6f 6d pdnb2kef plil.com
000000A0  00 0b 00 04 03 00 01 02  00 0a 00 34 00 32 00 0e ........ ...4.2..
000000B0  00 0d 00 19 00 0b 00 0c  00 18 00 09 00 0a 00 16 ........ ........
000000C0  00 17 00 08 00 06 00 07  00 14 00 15 00 04 00 05 ........ ........
000000D0  00 12 00 13 00 01 00 02  00 03 00 0f 00 10 00 11 ........ ........
000000E0  00 23 00 00 00 0d 00 20  00 1e 06 01 06 02 06 03 .#.....  ........
000000F0  05 01 05 02 05 03 04 01  04 02 04 03 03 01 03 02 ........ ........
00000100  03 03 02 01 02 02 02 03  00 0f 00 01 01 00 15 00 ........ ........
00000110  f4 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000200  00 00 00 00 00                                   .....

Here's the first thing the relay sends back in response, a TLS Server Hello along with a certificate and key exchange message.

00000000  16 03 03 00 3e 02 00 00  3a 03 03 53 74 35 dd cd ....>... :..St5..
00000010  1b e7 51 20 a7 49 e8 22  4d 4e ff 1c b3 bf 3c 38 ..Q .I." MN....<8
00000020  8b b6 1a 91 ad a5 f8 81  ee f3 ab 00 c0 14 00 00 ........ ........
00000030  12 ff 01 00 01 00 00 0b  00 04 03 00 01 02 00 0f ........ ........
00000040  00 01 01 16 03 03 01 c9  0b 00 01 c5 00 01 c2 00 ........ ........
00000050  01 bf 30 82 01 bb 30 82  01 24 a0 03 02 01 02 02 ..0...0. .$......
00000060  09 00 a7 98 b0 3d fe dc  e3 86 30 0d 06 09 2a 86 .....=.. ..0...*.
00000070  48 86 f7 0d 01 01 05 05  00 30 22 31 20 30 1e 06 H....... .0"1 0..
00000080  03 55 04 03 13 17 77 77  77 2e 6f 69 77 6a 66 33 .U....ww w.oiwjf3
00000090  68 6c 7a 6f 77 6e 74 6e  65 2e 63 6f 6d 30 1e 17 hlzowntn e.com0..
000000A0  0d 31 34 30 34 31 33 30  30 30 30 30 30 5a 17 0d .1404130 00000Z..
000000B0  31 35 30 34 30 33 30 30  30 30 30 30 5a 30 1d 31 15040300 0000Z0.1
000000C0  1b 30 19 06 03 55 04 03  13 12 77 77 77 2e 34 71 .0...U.. ..www.4q
000000D0  35 33 64 62 69 37 69 64  2e 6e 65 74 30 81 9f 30 53dbi7id .net0..0
000000E0  0d 06 09 2a 86 48 86 f7  0d 01 01 01 05 00 03 81 ...*.H.. ........
000000F0  8d 00 30 81 89 02 81 81  00 c8 40 92 70 87 1b 34 ..0..... ..@.p..4
00000100  7e 58 ee 5e ff bd 79 a7  4d cc 7e 67 ae f9 58 8f ~X.^..y. M.~g..X.
00000110  cf 1d 91 fd 6f c2 2b f2  ac 34 d9 01 10 f1 ac fc ....o.+. .4......
00000120  4a ec 45 c0 5c 4d 52 74  4f a1 de 3f 70 28 72 0b J.E.\MRt O..?p(r.
00000130  aa 0e 33 14 73 5f 36 22  90 ce 6b 43 a2 c2 e9 2d ..3.s_6" ..kC...-
00000140  0b 80 87 0d 34 ec e9 6c  f4 07 e6 11 a4 15 86 cd ....4..l ........
00000150  e3 0d a1 89 54 14 a2 d7  22 15 40 58 64 f6 64 4c ....T... ".@Xd.dL
00000160  df 5c 23 e9 ed 41 1f 25  a0 12 5f 84 8e cf 88 b3 .\#..A.% .._.....
00000170  05 0f 79 2f 4d 0f 9b 50  93 02 03 01 00 01 30 0d ..y/M..P ......0.
00000180  06 09 2a 86 48 86 f7 0d  01 01 05 05 00 03 81 81 ..*.H... ........
00000190  00 e5 b1 c5 3c 58 04 a3  2d f0 91 b3 d0 0f 1b b8 ....<X.. -.......
000001A0  a2 b5 9d 8c 36 09 72 ec  eb f4 ab e5 17 51 69 9c ....6.r. .....Qi.
000001B0  91 99 5a 02 d2 68 49 22  04 77 fd e9 b4 45 eb b8 ..Z..hI" .w...E..
000001C0  a1 ea 21 34 7e f6 c2 1e  da b8 27 5d ec 57 b1 95 ..!4~... ..'].W..
000001D0  8f 06 d5 b5 61 aa df d0  cb 5e 8a 16 b9 5d 12 f1 ....a... .^...]..
000001E0  26 ae 6f 6b 10 f0 f3 a7  1a 0f 34 3a 36 3f 60 81 &.ok.... ..4:6?`.
000001F0  77 70 9d 08 36 5d c7 54  3e 9c 2a 6e 25 2e 49 1c wp..6].T >.*n%.I.
00000200  7e 1b fe d1 08 ce d4 ed  b6 5c 93 3e 3a eb f3 08 ~....... .\.>:...
00000210  fc 16 03 03 00 cd 0c 00  00 c9 03 00 17 41 04 5d ........ .....A.]
00000220  18 67 73 65 aa d5 17 6a  c4 71 30 ba 54 78 a8 46 .gse...j .q0.Tx.F
00000230  50 34 38 2f 65 ba 7b a8  a3 53 0f 24 6f 2c 60 65 P48/e.{. .S.$o,`e
00000240  93 6e 40 1b b9 f2 63 56  1a 5a dc 9c a9 da 10 49 .n@...cV .Z.....I
00000250  b4 f0 2b 84 0b f0 3f 23  6f a9 78 3d 4f 6b 23 06 ..+...?# o.x=Ok#.
00000260  01 00 80 11 e8 7a 82 b2  3b 14 f9 d1 ed 4e b1 dd .....z.. ;....N..
00000270  41 9e 70 b0 71 30 ff 84  22 1a 98 87 47 49 e2 e9 A.p.q0.. "...GI..
00000280  27 67 6c 5e c5 9c f4 65  20 43 35 59 a4 7b cd 26 'gl^...e  C5Y.{.&
00000290  66 e8 c5 aa 1a 9c ad b0  94 70 21 08 7e eb 7b 6b f....... .p!.~.{k
000002A0  7d a4 ad 32 f0 d3 3c 0e  62 e4 a2 7a 70 51 5c bf }..2..<. b..zpQ\.
000002B0  a7 4a 27 82 88 31 46 55  5b 95 aa af 03 bb 2b 83 .J'..1FU [.....+.
000002C0  99 b9 49 f9 19 d7 66 01  33 b1 01 ab c9 a3 a8 41 ..I...f. 3......A
000002D0  15 8c e2 d0 bf 91 04 91  99 d2 09 02 22 d5 55 cf ........ ....".U.
000002E0  3d 16 98 16 03 03 00 04  0e 00 00 00             =....... ....

It's easier to read these messages after they have been dissected by Wireshark. Here is the meaning of the Client Hello. The parts of the dissection that correspond to the hex dump above are colored the same way: cipher suite list, server name, and TLS extensions.

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: Mar 26, 2089 21:47:34.000000000 PDT
                random_bytes: 80ccf3bf88b9b9f9f0297a765827a5fade4c9bd2089543bd...
            Session ID Length: 0
            Cipher Suites Length: 72
            Cipher Suites (36 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 395
            Extension: server_name
                Type: server_name (0x0000)
                Length: 34
                Server Name Indication extension
                    Server Name list length: 32
                    Server Name Type: host_name (0)
                    Server Name length: 29
                    Server Name: www.fymbgs7ubpdnb2kefplil.com
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 52
                Elliptic Curves Length: 50
                Elliptic curves (25 curves)
                    Elliptic curve: sect571r1 (0x000e)
                    Elliptic curve: sect571k1 (0x000d)
                    Elliptic curve: secp521r1 (0x0019)
                    Elliptic curve: sect409k1 (0x000b)
                    Elliptic curve: sect409r1 (0x000c)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: sect283k1 (0x0009)
                    Elliptic curve: sect283r1 (0x000a)
                    Elliptic curve: secp256k1 (0x0016)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: sect239k1 (0x0008)
                    Elliptic curve: sect233k1 (0x0006)
                    Elliptic curve: sect233r1 (0x0007)
                    Elliptic curve: secp224k1 (0x0014)
                    Elliptic curve: secp224r1 (0x0015)
                    Elliptic curve: sect193r1 (0x0004)
                    Elliptic curve: sect193r2 (0x0005)
                    Elliptic curve: secp192k1 (0x0012)
                    Elliptic curve: secp192r1 (0x0013)
                    Elliptic curve: sect163k1 (0x0001)
                    Elliptic curve: sect163r1 (0x0002)
                    Elliptic curve: sect163r2 (0x0003)
                    Elliptic curve: secp160k1 (0x000f)
                    Elliptic curve: secp160r1 (0x0010)
                    Elliptic curve: secp160r2 (0x0011)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 32
                Data (32 bytes)
            Extension: Heartbeat
                Type: Heartbeat (0x000f)
                Length: 1
                Mode: Peer allowed to send requests (1)
            Extension: Unknown 21
                Type: Unknown (0x0015)
                Length: 244
                Data (244 bytes)

The cipher suite list is an interesting part of the message. Ticket #4744 has the story of how the Great Firewall of China blocked Tor in 2011 by looking for a distinctive cipher suite list. In response, Tor changed its cipher suite list to be the same as Firefox's. You can still tell the difference, though: The TLS extensions used by Firefox are not the same as those used by Tor. For example, above there is "Elliptic curves (25 curves)", but Firefox actually has "Elliptic curves (3 curves)". You can see a lot more Client Hellos at meek/SampleClientHellos. Also notice the randomly generated server name www.fymbgs7ubpdnb2kefplil.com.
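To make the fingerprinting concrete, here is an added example (not part of the original page and not Tor's code) that parses a Client Hello and pulls out the fields discussed above: cipher suites, server name, extension types and curves. The sample record is rebuilt from the field values in the dissection above; the function names, the 3-curve variant used for comparison and the truncated SHA-256 fingerprint are this example's own assumptions.

```python
import hashlib
import struct

# Values copied from the hex dump and Wireshark dissection on this page.
PAGE_SNI = b"www.fymbgs7ubpdnb2kefplil.com"
PAGE_RANDOM = bytes.fromhex("e046d06680ccf3bf88b9b9f9f0297a76"
                            "5827a5fade4c9bd2089543bd77e987f4")
SUITES = ("c00a c014 0088 0087 0039 0038 c00f c005 0084 0035 c007 c009 "
          "c011 c013 0045 0044 0033 0032 c00c c00e c002 c004 0096 0041 "
          "0004 0005 002f c008 c012 0016 0013 c00d c003 feff 000a 00ff")
CURVES = ("000e 000d 0019 000b 000c 0018 0009 000a 0016 0017 0008 0006 0007 "
          "0014 0015 0004 0005 0012 0013 0001 0002 0003 000f 0010 0011")
SIGALGS = ("0601 0602 0603 0501 0502 0503 0401 0402 0403 "
           "0301 0302 0303 0201 0202 0203")


def u16s(words):
    """Pack space-separated hex words as big-endian 16-bit values."""
    return b"".join(struct.pack(">H", int(w, 16)) for w in words.split())


def ext(ext_type, body):
    """Encode one TLS extension: type, length, body."""
    return struct.pack(">HH", ext_type, len(body)) + body


def build_client_hello(sni=PAGE_SNI, random=PAGE_RANDOM, curves=CURVES):
    """Rebuild the page's Client Hello; the arguments are the parts to vary."""
    suites, curve_ids, sigalgs = u16s(SUITES), u16s(curves), u16s(SIGALGS)
    name_list = struct.pack(">BH", 0, len(sni)) + sni
    exts = (ext(0x0000, struct.pack(">H", len(name_list)) + name_list)
            + ext(0x000b, b"\x03\x00\x01\x02")
            + ext(0x000a, struct.pack(">H", len(curve_ids)) + curve_ids)
            + ext(0x0023, b"")
            + ext(0x000d, struct.pack(">H", len(sigalgs)) + sigalgs)
            + ext(0x000f, b"\x01")
            + ext(0x0015, bytes(244)))
    body = (b"\x03\x03" + random + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the fields a passive observer can read from a Client Hello.

    Assumes the whole message sits in one TLS record, as in the dump above.
    """
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS Client Hello record")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated Client Hello")
    fields = {"suites": [], "extensions": [], "sni": None, "curves": []}
    try:
        pos = 2 + 32                                  # client_version, random
        pos += 1 + body[pos]                          # session ID
        (cs_len,) = struct.unpack_from(">H", body, pos)
        fields["suites"] = list(
            struct.unpack_from(">%dH" % (cs_len // 2), body, pos + 2))
        pos += 2 + cs_len
        pos += 1 + body[pos]                          # compression methods
        if pos < len(body):                           # extensions are optional
            (ext_total,) = struct.unpack_from(">H", body, pos)
            pos, end = pos + 2, min(pos + 2 + ext_total, len(body))
            while pos + 4 <= end:
                etype, elen = struct.unpack_from(">HH", body, pos)
                data = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                fields["extensions"].append(etype)
                if etype == 0x0000:                   # server_name
                    (nlen,) = struct.unpack_from(">H", data, 3)
                    fields["sni"] = data[5:5 + nlen].decode("ascii", "replace")
                elif etype == 0x000a:                 # elliptic_curves
                    (clen,) = struct.unpack_from(">H", data, 0)
                    fields["curves"] = list(
                        struct.unpack_from(">%dH" % (clen // 2), data, 2))
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed Client Hello") from exc
    return fields


def fingerprint(fields):
    """Hash only the parts that stay the same from one connection to the next."""
    stable = (fields["suites"], fields["extensions"], fields["curves"])
    return hashlib.sha256(repr(stable).encode()).hexdigest()[:16]
```

The random bytes and the generated server name change on every connection, so they are left out of the hash; the suite list, extension order and curve list do not, which is why matching the cipher suite list alone still leaves a difference in the curves.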

Here is the meaning of the Server Hello and certificate.

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 62
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 58
            Version: TLS 1.2 (0x0303)
            Random
                gmt_unix_time: May 14, 2014 20:34:53.000000000 PDT
                random_bytes: cd1be75120a749e8224d4eff1cb3bf3c388bb61a91ada5f8...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Compression Method: null (0)
            Extensions Length: 18
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: Heartbeat
                Type: Heartbeat (0x000f)
                Length: 1
                Mode: Peer allowed to send requests (1)
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 457
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 453
            Certificates Length: 450
            Certificates (450 bytes)
                Certificate Length: 447
                Certificate (id-at-commonName=www.4q53dbi7id.net)
                    signedCertificate
                        version: v3 (2)
                        serialNumber : 0x00a798b03dfedce386
                        signature (shaWithRSAEncryption)
                            Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                        issuer: rdnSequence (0)
                            rdnSequence: 1 item (id-at-commonName=www.oiwjf3hlzowntne.com)
                                RDNSequence item: 1 item (id-at-commonName=www.oiwjf3hlzowntne.com)
                                    RelativeDistinguishedName item (id-at-commonName=www.oiwjf3hlzowntne.com)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: www.oiwjf3hlzowntne.com
                        validity
                            notBefore: utcTime (0)
                                utcTime: 14-04-13 00:00:00 (UTC)
                            notAfter: utcTime (0)
                                utcTime: 15-04-03 00:00:00 (UTC)
                        subject: rdnSequence (0)
                            rdnSequence: 1 item (id-at-commonName=www.4q53dbi7id.net)
                                RDNSequence item: 1 item (id-at-commonName=www.4q53dbi7id.net)
                                    RelativeDistinguishedName item (id-at-commonName=www.4q53dbi7id.net)
                                        Id: 2.5.4.3 (id-at-commonName)
                                        DirectoryString: printableString (1)
                                            printableString: www.4q53dbi7id.net
                        subjectPublicKeyInfo
                            algorithm (rsaEncryption)
                                Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
                            Padding: 0
                            subjectPublicKey: 30818902818100c8409270871b347e58ee5effbd79a74dcc...
                    algorithmIdentifier (shaWithRSAEncryption)
                        Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
                    Padding: 0
                    encrypted: e5b1c53c5804a32df091b3d00f1bb8a2b59d8c360972eceb...
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 205
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 201
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

The server has selected the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. It sends back its own TLS extensions. The server has its own randomly generated server names, this time appearing as part of its certificate. The names aren't a fixed byte pattern, but it's possible to fingerprint them by watching several handshakes and seeing that the names always fit the expected pattern, as this Bro script does.

obfs3

obfs3, the threebfuscator, is an obfuscation layer on top of Tor TLS. It negotiates session keys and then encrypts everything between client and server, with no plaintext headers. The result looks like a uniformly random byte stream, with no fixed byte patterns to match on.

00000000  b1 8b 52 f6 d0 77 ca a4  d0 15 95 5e 05 df d2 88 ..R..w.. ...^....
00000010  5b 98 af 5e 76 77 10 db  c8 2c d5 22 21 0a e6 b6 [..^vw.. .,."!...
00000020  6c 6f c4 5c 6c 72 3d 99  37 ff 10 1e de aa 9f 52 lo.\lr=. 7......R
00000030  22 57 d2 b5 41 59 17 2c  87 04 d9 fb e8 45 77 a1 "W..AY., .....Ew.
00000040  a8 3a df 9e b5 81 bd 4a  4d 1d 14 10 0c af 49 ea .:.....J M.....I.
00000050  24 37 41 89 a1 b3 96 66  20 e6 a6 8a 04 7d 40 19 $7A....f  ....}@.
00000060  35 2a 70 75 ed b4 e5 fc  c8 dd 26 e5 41 1f 3c 6f 5*pu.... ..&.A.<o
00000070  ef fb 76 d2 eb 3b 04 d9  66 85 91 73 a0 46 d5 e4 ..v..;.. f..s.F..
00000080  5a 4f 7f ae fc 59 e0 9d  e1 a3 b6 5d 0e 34 f3 e0 ZO...Y.. ...].4..
00000090  ff be 0f f3 f8 c0                                ......
00000000  b5 32 e8 ca 93 c6 6c 68  1b 90 d4 0f 83 50 4b f7 .2....lh .....PK.
00000010  7d ef a0 a9 99 a0 1a 96  d7 eb 77 6d f8 80 10 de }....... ..wm....
00000020  19 7f 24 d5 67 36 8c b7  3c cd 02 af 12 7d c2 ac ..$.g6.. <....}..
00000030  ec 32 6f 9d 98 ec 31 22  e4 07 3e 0c 09 1f fa c9 .2o...1" ..>.....
00000040  5f c3 cc 13 7e 64 ea af  27 29 69                _...~d.. ')i
00000096  f5 72 67 1f 9e 1a 57 aa  62 24 99 74 4c e3 db 37 .rg...W. b$.tL..7
000000A6  68 85 8c 55 08 9a 99 b8  86 58 63 48 b5 2f 82 66 h..U.... .XcH./.f
000000B6  54 93 c0 2f 12 6d 8d 42  49 ee 5d d4 ad 55 b6 29 T../.m.B I.]..U.)
000000C6  62 df 48 cd 41                                   b.H.A
0000004B  7f f9 50 1b 38 7a 5f 25  66 44 fb fb ff 12 67 83 ..P.8z_% fD....g.
0000005B  b3 69 1f 58 40 a0 8e 5b  f8 6a 1f a5 e7 ea 15 a7 .i.X@..[ .j......
0000006B  68 b3 70 6d b6 d2 ff 1c  5a 20 a9 96 fe 1e 51 df h.pm.... Z ....Q.
0000007B  89 45 01 02 0e c8 0e fa  7d 89 05 ac ab 04 2e 92 .E...... }.......
0000008B  cb 89 72 0d cc f3 9a 55  c7 86 ba 16 bb 31 48 e0 ..r....U .....1H.
0000009B  a8 86 f9 9b 5a 88 a6 b9  1a c9 2c d2 cb 3f 5b 62 ....Z... ..,..?[b
000000AB  4f ea 41 9f 86 8d ab af  36 ef ca 60 89 82 6c 5e O.A..... 6..`..l^
000000BB  17 b0 e7 57 16 74 86 27  69 6a e8 bb 74 c8 56 21 ...W.t.' ij..t.V!
000000CB  0c d7 f0 57 18 14 aa 7d  c2 45 7e 77 58 58 82 bf ...W...} .E~wXX..
000000DB  72 bc b5 de d8 8e 07 84  cd 9f 6b 7c 2e 70 fb 15 r....... ..k|.p..
000000EB  74 48 18 3e 6e 1e be c5  90 f8 b5 f8 9a 0e 0a 53 tH.>n... .......S
000000FB  5d d0 ca 91 33 56 ed 8c  fb c7 85 39 5e 1e 3c c8 ]...3V.. ...9^.<.

Here is a visual look at the difference between plain Tor and obfs3 obfuscation. These graphics show what is sent and received by each side, with the darkness of pixels indicating byte values from 0 to 255. They are lined up so that the Tor part of the protocol appears at the same place; you can see the obfs3 handshake coming first at the top. All the packets of obfs3 appear uniformly random, while the first few messages of ordinary Tor (the TLS handshake) are visually non-random. In addition, you can see a dark non-random smear (the TLS record header) at the beginning of all the ordinary Tor packets. Another thing to notice is that the packet sizes are the same in obfs3 as they are in ordinary Tor.

[Figure: ordinary Tor. Grayscale pixel diagram showing a plain Tor connection.]

[Figure: obfs3. Grayscale pixel diagram showing an obfs3 connection.]

obfs2 was an earlier protocol that used a different key exchange, one that could be detected by a passive attacker. The key exchange of obfs3, on the other hand, requires an active man-in-the-middle in order to be distinguished from a random byte sequence.

ScrambleSuit

ScrambleSuit is another transport that looks like uniform random bytes. It has a couple of twists over obfs3: It randomizes the size and timing of packets, and the server resists active probing by requiring a secret key from the client before it will respond. The hex dump looks like random noise as you would expect.

00000000  00 90 a0 58 e3 05 c2 d6  f0 6e 86 5c 5d dd 57 1c ...X.... .n.\].W.
00000010  cf a0 ec ed 15 ed 00 e5  ed d6 d9 29 d9 31 ba 64 ........ ...).1.d
00000020  15 8e bd 84 93 9a e4 f8  c9 d4 ed 25 73 74 e5 69 ........ ...%st.i
00000030  2e 20 02 9a 8d 7c aa 56  04 d7 a7 74 47 31 f6 a3 . ...|.V ...tG1..
00000040  5b ae b2 36 78 57 05 2f  c5 9d 2b 20 7f 5f 8b 23 [..6xW./ ..+ ._.#
00000050  82 5a 47 6a 59 8e 2f 12  14 6a 85 ce 89 16 2a 42 .ZGjY./. .j....*B
00000060  b1 ea d8 3e 2d 92 e1 f3  f9 4d 8b 02 32 a2 c7 e0 ...>-... .M..2...
00000070  85 83 8a 29 6f 47 60 de  25 fb 0c c0 a8 37 55 38 ...)oG`. %....7U8
00000080  69 f5 95 24 5b 66 2c c5  3d 70 66 a5 a4 1b ea dc i..$[f,. =pf.....
00000090  44 f9 28 c2 d4 77 55 ff  49 2b 7d d5 ac 77 09 5b D.(..wU. I+}..w.[
000000A0  07 0c cb 80 8c 6b ca 20  e6 d5 f2 58 f3 69 c9 ac .....k.  ...X.i..
000000B0  da 3f 4c 46 ba 9c e7 c8  34 8d 8e 45 eb c0 35 d7 .?LF.... 4..E..5.
000000C0  98 e7 5f 92 d1 dc 9b f4  92 d4 04 cc 42 04 2c 0d .._..... ....B.,.
000000D0  e0 9a                                            ..
00000000  98 3a 13 c7 52 a8 01 18  97 c6 d7 88 8b 11 f6 22 .:..R... ......."
00000010  14 6f 3c 60 83 79 c0 3e  04 da 5a d2 e5 c2 8f 40 .o<`.y.> ..Z....@
00000020  71 88 78 ce 6a 3e e6 b3  c4 e3 47 8a 10 ed 7f e1 q.x.j>.. ..G.....
00000030  27 ac 47 66 30 82 c8 67  d5 4e 73 dc 34 17 ea 1e '.Gf0..g .Ns.4...
00000040  4e b1 50 c7 e0 a3 49 0b  64 fb eb 81 a5 01 07 81 N.P...I. d.......
00000050  25 73 62 76 3c 88 cb d0  93 fb 4d 3b af 77 f7 9e %sbv<... ..M;.w..
00000060  32 dd d1 fe 89 6e 3e ce  63 34 a7 cc d8 56 07 74 2....n>. c4...V.t
00000070  ad b6 74 aa 43 87 4e 0c  ba 1f aa e6 15 30 aa 1d ..t.C.N. .....0..
00000080  a2 c2 89 75 8c be 29 52  61 e1 e9 50 4e 0c b0 04 ...u..)R a..PN...
00000090  a8 9e 5b 90 bb a3 1c 4b  81 b8 90 76 26 49 ba 66 ..[....K ...v&I.f
000000A0  10 dd 3d 9a 02 83 70 b9  06 6c 2e e2 e6 c1 eb 40 ..=...p. .l.....@
000000B0  3e 15 bf 6d a3 7a fd 20  02 fa 60 fc 52 1f 31 20 >..m.z.  ..`.R.1 
000000C0  6a cb 57 3d 12 e2 f2 99  0a ff 62 f5 2a 56 8a 13 j.W=.... ..b.*V..
000000D0  75 1e 72 8f a4 f7 0c d5  6f 38 33 3e c2 58 4c d6 u.r..... o83>.XL.

Here are visualizations of downloading the web page at https://check.torproject.org/ with ordinary Tor, obfs3, and ScrambleSuit. obfs3 uses the same packet sizes as ordinary Tor. ScrambleSuit randomly chooses a few packet sizes, and pads packets to those sizes, so more bytes are sent overall. Differences in packet timing are not shown.

[Figure: ordinary Tor. Plain Tor downloading check.torproject.org.]

[Figure: obfs3. obfs3 downloading check.torproject.org.]

[Figure: ScrambleSuit. ScrambleSuit downloading check.torproject.org.]

The following two diagrams show ScrambleSuit's inter-arrival time modification. When downloading data, Tor (the blue lines) looks similar across different connections. ScrambleSuit servers (the orange lines) deviate from that. Note that inter-arrival time obfuscation is quite expensive as it artificially drains network throughput. As a result, it is disabled by default in obfsproxy.

Update diagram.

FTE

FTE, for "format-transforming encryption," encodes data so that it matches an arbitrary regular expression. The idea is that censorship hardware uses regular expressions to classify traffic into allowed and disallowed categories. FTE makes your traffic look like something in the allowed category, as far as the regular expression can tell. Here is a sample of FTE traffic using its default manual-http-request and manual-http-response formats. HTTP bodies have been truncated to save space.

GET //oa9xnE79SSJT73XIDv5gDx6m9kCx.6SJzCweNTMMPPFjL/rgCK1XqYv6hSQJkzpMkpu1cTBiauAaz4Fl49NK78o2nUD/VcGRS2MM7Bfl6X4v./xGw5orrtPQfIXUbWCW.CkTS3j8sD5wQfbsURlceheKV5/bVHs3axmSbKbzvyg0dMh/xQiK2mMAR0aifZ93F0l9ql9qRSDa/8b6oZITWMZFKHwIJEFSJnrpUFj/0c9dX HTTP/1.1\r\n
\r\n
\xe7\xd1\xc1!\xf0\x1eX\x9ez\r\x06\xb4\x14\xa7/\xa1\x0b\xb7\x7f\xc0\xd2y\xe1
\xa7\x8b\x97VZ\x10\xab\xe84w\xa1\x9e\r\xf6\xf3\xf8@\xe0\x00\xab2\x07\xb8@
\x08\xeb3\xd9Li\x12\x1cU\x1dj\xf3\x97tT\x17\xf2\x90Z\xf4 \xd4\xf4\x01\xa7
...
GET //X/oy8D3EU2ypudP4j8FFghcMAKV0dHCff7uEb6mP/cVII0SmyrNRtcKpFjh1rC/jNWfFAJnyTUmaxL.Q5V5YzhQZYg2qvd1VPouHsjD1K8qtupacqQiVnHD8g4Xr4vJxYgdDYMJGvkBFeAPUQLCoKXEJFt0JqSqQMwLsD6NDX3eYaXk0kVM6Vo3xCv7Dky.zf7Cer/BzVb9es35gPQcdiDn4B53uAD6nhFEWOLpYDfalP HTTP/1.1\r\n
\r\n
\x19D\x90\xe4\x92\x11\xd5\xb20h{\x9e\x19\x99\xeb\xb0?\xad\xb0o\xf0+\xfc\xf9
<%P\xfa\xb7\x8am\xb1hX\x13\xc6!f>\xc3e\x10QTU7\x1a\xd2b!\x12\xdf\xc0v(H\xce
\xacze\x7f\xc9cNqd\xf1\x84\xdb\x0c\x92}H\x99\xd8\x01\xd7\xc7\x1fZ\x1e\xa5
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
|\x96\xbd?\x16%\xd7\x8d7Kf\xfe\x0c\x86~\xfe\xc1\xc7\xf7\xb4Tj%\x9a\xd4A\t|P
\x1d\x11I\xd5\xf3\x8e\xd3\xf748\xeev\x8c\xbd\xa8\xdd\xb1\xc2A\xc9\x8d|\x06M
}\xe5\xba5\x1e\x97!\x89\xe4\xb7\t\xe3\x02\x1f{]Ku\x8b\x9c\x8d\xf4\xd2\x10A%
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
\xd9\xcf\x80\x93\xeaJ-A\xf7i\xe2C\x95\xf2\xf4\x9b^\x0c\x81\xdd\x85\x1e\n
\xf9\xa74|\xf2\x1eD~\xfcoU\xaa\xeb[j^z\xeb\x02}_b\xfb\x96\xf8\xe9\x8c#\xd6
\x83\xa8\xbe\xc2\xff\x8d\x94\xce#\xc7\xca\x1ea\xfc\n~\x15\xfb\x8f\xb0\xf7\t
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
<$%\x06\x9b\x03\xcd\xa64\xfa_\xfaP\x98\xf2 \\\xea\x9b\x10qJ\x97\x97\x04\xe5
7\x9b\xd3 \xa5\x12\x93W\xed\xa3\x18\xa5\x9a6O\x97\t\xf0$\x807\x9eO!\x86\xf8
o\x0b\x7f\x8b\xc0Z\x89\xaa,\xcc[w\x9bk\xca\x19\xb9N\x1f\xb3\xea\xa1\xc1c~D
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
2\xfb\xb9\xab\xe7\x1b_\xfe%\xb4\xf1\xd4kPE\xec\xb7\x89\t\x0e\x8f\x9b\xef
\xdfB\x8fE\xddn\xd2\x90\xad\xe3\x1bHN\xbe\xce\xe4\xe33+o9\xec\xb2Q+\xe7\xfc
\x19I.RA\x83\x86\x9c\xa3j\x19\x9c\xe3\x92s\'`\xdf>\x10\xc7\xb8\xeb\xce\xd7&
...
GET /GXlAAlA5/Bp9.hUXw.uwKt.qhyePcEmELGfJaPyEou0ttU9dJ3KdmU/7IhrB8L9iDqLta0SmbW4USo8qANRHHnY5ZMleDUtGr1hgHwf/12SmiM6AZOPFb9WmXnvQoLTxG1zPKozYNSWOSdQdGjXcFeReZP3uRKYPyntJ/ON/wGZjz0sVpBx.2D5Gy7oTLABQKy52p4QSZWfd6i5WkUj.cGxtjdS4sw.H/JfvME6IyXJeZv HTTP/1.1\r\n
\r\n
\xc6\xe7\x86\xd2B\x90x\xf0\x1a Y\xccA\x14Dj\xe19\xfa\xe0\xe0\x9aK\'\xe1 
\xbbb\x1d|\xa8o^\xd0\x9a\x9f\xdb\xf5V\x89\xbdIB\xb1T[\xa3C@\x7f\x9f\xac\xfd
\xce\x9feC\x02\xd4\x1eW\xe1X\xa9\xb6\xf6\xe3\xdaq\x10\x9fY1\x08\xf9\xf0\xb1
...
HTTP/1.1 200 OK\r\n
Content-Type: H\r\n
\r\n
\xcav\xc3@\xc5\x7f\tr\x89_\x88\xc8\xc6\x87\xf3\xe0\xd9\x0b\x88\xd0$\x8c\xd3
\xc3\x1d\xfeC\xdd\xb2\x18\x9ci^Z\xe3<[\xe4\x1fk=$\xd4+\xd7c\xc1\xeb:\xe3zFJ
C4\rPFt\x83v\xe5\x12\xaf\xc4\x0b\x1f\x96\xb9\xa2\xa2\xa1\x84\xee\xbb\xa0
...
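The core of the technique, as an added example that is not part of the original page and is not fteproxy's code: ranking and unranking over the DFA of a format regex turns a fixed-size block of ciphertext into a string that the regex accepts, and back again. The regex, the hand-built DFA and the function names are assumptions chosen for illustration, and the input is assumed to be already encrypted.

```python
import re
import string

# Assumed format for this example: an HTTP request line whose path is the only
# variable part. It is not one of fteproxy's shipped format definitions.
PATH_CHARS = (string.ascii_letters + string.digits + "./").encode()
PREFIX, SUFFIX = b"GET /", b" HTTP/1.1\r\n\r\n"
FORMAT_RE = re.compile(rb"GET /[a-zA-Z0-9./]* HTTP/1\.1\r\n\r\n")


def build_dfa():
    """DFA for FORMAT_RE as {state: {byte: next_state}}; state 0 is the start."""
    dfa, state = {}, 0
    for b in PREFIX:                          # fixed prefix, one state per byte
        dfa[state] = {b: state + 1}
        state += 1
    dfa[state] = {b: state for b in PATH_CHARS}   # path characters loop here
    dfa[state][SUFFIX[0]] = state + 1             # the space leaves the loop
    state += 1
    for b in SUFFIX[1:]:
        dfa[state] = {b: state + 1}
        state += 1
    dfa[state] = {}                           # accepting state
    return dfa, state


def count_table(dfa, accept, n):
    """table[i][q] = number of i-byte strings that lead from q to accept."""
    table = [{q: int(q == accept) for q in dfa}]
    for _ in range(n):
        prev = table[-1]
        table.append({q: sum(prev[t] for t in dfa[q].values()) for q in dfa})
    return table


def unrank(value, n, dfa, table):
    """Return the value-th n-byte string of the language, in byte order."""
    if not 0 <= value < table[n][0]:
        raise ValueError("value does not fit in this message length")
    out, q = bytearray(), 0
    for remaining in range(n - 1, -1, -1):
        for b in sorted(dfa[q]):
            ways = table[remaining][dfa[q][b]]
            if value < ways:
                out.append(b)
                q = dfa[q][b]
                break
            value -= ways
    return bytes(out)


def rank(word, dfa, accept, table):
    """Inverse of unrank: the index of word among strings of its length."""
    value, q, n = 0, 0, len(word)
    for i, b in enumerate(word):
        if b not in dfa[q]:
            raise ValueError("message is not in the format's language")
        value += sum(table[n - i - 1][t] for c, t in dfa[q].items() if c < b)
        q = dfa[q][b]
    if q != accept:
        raise ValueError("message is not in the format's language")
    return value


def capacity_bytes(table, n):
    """Whole bytes that fit in one n-byte message of the format."""
    return max(table[n][0].bit_length() - 1, 0) // 8


def fte_encode(data, n):
    """Encode exactly capacity_bytes of (already encrypted) data as n bytes."""
    dfa, accept = build_dfa()
    table = count_table(dfa, accept, n)
    if len(data) != capacity_bytes(table, n):
        raise ValueError("data must be exactly capacity_bytes long")
    return unrank(int.from_bytes(data, "big"), n, dfa, table)


def fte_decode(msg):
    """Recover the data block from a message produced by fte_encode."""
    dfa, accept = build_dfa()
    table = count_table(dfa, accept, len(msg))
    return rank(msg, dfa, accept, table).to_bytes(
        capacity_bytes(table, len(msg)), "big")
```

With a 50-byte message this format carries 24 bytes: 32 path characters drawn from 64 symbols give 2^192 possible strings.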

FTE can do other formats as well. Here is a sample of manual-ssh-request and manual-ssh-response. This example doesn't use Tor; it was run with the following commands:

fteproxy --mode client --upstream-format manual-ssh-request --downstream-format manual-ssh-response
fteproxy --mode server --upstream-format manual-ssh-request --downstream-format manual-ssh-response
ncat -k -l -p 8081
ncat 127.0.0.1 8079
SSH-2.0SKT\xbb\x1d\x18\xd5\xab\x11\xc0\n\xb1UCD\x15\xbf2"r\xf0\xa6\xaf\x98
\xa1\xf57>!r\x81\xd8\xd9\x17E$\xdflV\xb0x\xe1\x97bG\x17\x06}\x9b\xf3\x13
\x0e0p\x15 \xa2\x11\x85\x19\x9dU\xd5\xed\xb3\xe9\x06\xff\xf2\x87\xb9\x80
\xef\xf7\xf0\xf1%\xbd\xe3n\x05\xa9V\xbe\xa0\xd1(\xc2r\x98Sr\x88\xf4\x8f[b
\x1a\x8c\xae\x9d9\x81\xac(\xe0\xb5\xa1\xa9I\x15\xa7\xcd\x8fe~\xe8\xd3\xce
\xd2q\xbe\xc0\xba\x1eB\x17K\xdaN\xe4\xe5\x13\xd3\x83\xf5O\x83\xab\xbd9^\xc2
\xc2\x85\xd8\xb1\x10\xb7\xb5\x9co\xcf:\xa6c*>\xa8[)S\xac\xfb\xf2\xf6q\xeb
\xefq\x88\xb5\x1f`i\xeb\x01f5<\x01\xe8Bp\xc8i:\xfd\xd0;\xe1\xaf\xa9\xd1\x15
\x9f\xcc\x10\xee\x0f{\xb7j_\x0cUN\xb9\xfa\xcdp\x13\xc5\xcf\x9e\xdc/\xfat
\xdb@\x88\xcb\xf2\xcb\x04\x83;H\xc4\x9dR\x08Y/\xe8\xe0\x95Y\x10\xbf\xd2\xea
\tM\x94S\t\xd4
SSH-2.0SKl\xe0\xaa?\x13c5\n\xb3\xe2\x85\x90;\xb6p\x19PW\x03\xb5-\xf9\xce
\xccO_\xcde\x90\xdd\x94\x1fc\xf1w\x16^\xcac!\xd0\xeb=\xb2a\x8c\xa4\x94\x18
\xda2\'\xf1\x88X\x12\x83*,,\x07.\xb5B\xb7\xde\xe8]\xe9\xae\xe2r\xfa\x0eb[
\x1d\x03Ao\xc81\xbf\xa10\x07T\x9c\x87\xb2M\xed\x1c\x84`\xfao\xd5\xe5\xf6
\x91S\x18\xe3Z\x90O\x7f\x17]r\xa2\xe1l\xca\x0c\xcf\xc2\xba\xb1\xf2\\\xd3
\x195\xf3\x0e\x99.q\xee1\xb6\xd8\xbb\xc6+\xa190\x91|\x0f\xfc\xf4\x91\xe72
\xf73\x0f.~o\xfd\x9f\xa3Ga\xbe\x02\xc1\x95j\x8e]\xd0R]:\xec\xae\xd9P_R[\x83
|\x01\\\x95>\\\x19\x82uo.%O\x83\x81^\x7f\x11\xbe\xac\x08\x9d~\xdbF\x11\x05`
k\xaf\x0c/\xd9\xf6\xfe\x10<\xb3\x88z\x85~$j\xe1y\x87\\\xf0-\x1f\x8e\x84\xde
\x17\x85v\xfb/\x17\xdd\xeb\xc1\x9e\x14O\xb1\x9b\xb9
SSH-2.0S.\xc5\x0eI7!{7\x85@\xe5\xf2\x7f\xacAZ\xdcl\x99/9\xe1 \x90\x0b\rVv
\xd6u\xf2h\x1f\x1cn\tV\x0emN\xe3L\xaeyh\xc3\xb5\xa4\x96\xea\x95\x15\x7f@e
\x92.\xeb\xc6d5\xc7\x8a\x91+\xf0\x94\x96\xa5\xdf\x01\x0eI\x1d;\xcfF\xee\x1a
\xb6\xbc\x9e\x87E\x12\x84$C\x9er.\x01\xcb0\xa3=\x0f\xcd\x15\xae\x7fc\x15
\x9a\xed"9\xcf\x8f\xcf9\x87x-p\xfc\xb4!m\x86\xf6\xa8qv\xd6>\xeb0\'\x06\x8ch
\xb5Gj#A\xff\xee\x1e\x9br\xf16\x0b\x06>4\x1cM\x07\xd2\x190/\xe0[\x0fj\x91~
\xc6\xe9nQ

Flash proxy

Flash proxy is a system of short-lived proxies, each running as a JavaScript program in a web browser. Flash proxy uses a browser technology called WebSocket, which is a socket-like layer on top of HTTP.

Flash proxy doesn't do anything special to obscure the content that it carries. What gets sent is ordinary Tor TLS, wrapped inside a WebSocket layer: if you look at the WebSocket payloads, you will be able to see TLS. (There actually is one slight obfuscation, a side effect of the WebSocket protocol: WebSocket frames sent from the proxy to the client are xored with a 4-byte random masking key. The key is set to 00 00 00 00 in the examples below so you can see how it looks without masking.) You can see the TLS in the payloads of the examples below. Headers like Sec-WebSocket-Key and Upgrade: websocket are part of the WebSocket handshake.

Notice that, because a flash proxy connects to the client, and not the other way around, the first data that gets sent (the HTTP GET request that starts a WebSocket connection) is sent from the proxy to the client. The HTTP/1.0 101 Switching Protocols response is sent by the client, which in this case is actually acting as a web server.

GET / HTTP/1.1\r\n
Host: 192.0.2.101:9000\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-gb,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Sec-WebSocket-Version: 13\r\n
Origin: http://crypto.stanford.edu\r\n
Sec-WebSocket-Key: RthUFtiTVCjpBTSN4za+Zg==\r\n
Connection: keep-alive, Upgrade\r\n
Pragma: no-cache\r\n
Cache-Control: no-cache\r\n
Upgrade: websocket\r\n
\r\n
HTTP/1.0 101 Switching Protocols\r\n
Server: BaseHTTP/0.3 Python/2.7.6\r\n
Date: Tue, 13 May 2014 01:32:08 GMT\r\n
Upgrade: websocket\r\n
Connection: Upgrade\r\n
Sec-WebSocket-Accept: tZGC3i4YfiIrPSNfbfkx+JyrLYg=\r\n
\r\n

At this point the WebSocket handshake is finished, and the client begins to send its data, a TLS Client Hello message preceded by a WebSocket frame header. You can also see the cipher suite list, server name, and TLS extensions, just as in the ordinary Tor example.

00000000  82 7e 00 fe 16 03 01 00  f9 01 00 00 f5 03 03 1c .~...... ........
00000010  54 ec ef 3b 2e bc 2b ec  e0 3b 14 ff 10 8a a5 3b T..;..+. .;.....;
00000020  1f d0 04 a6 f8 47 73 52  d3 a0 9e d1 13 8d bd 00 .....GsR ........
00000030  00 48 c0 0a c0 14 00 88  00 87 00 39 00 38 c0 0f .H...... ...9.8..
00000040  c0 05 00 84 00 35 c0 07  c0 09 c0 11 c0 13 00 45 .....5.. .......E
00000050  00 44 00 33 00 32 c0 0c  c0 0e c0 02 c0 04 00 96 .D.3.2.. ........
00000060  00 41 00 04 00 05 00 2f  c0 08 c0 12 00 16 00 13 .A...../ ........
00000070  c0 0d c0 03 fe ff 00 0a  00 ff 01 00 00 84 00 00 ........ ........
00000080  00 13 00 11 00 00 0e 77  77 77 2e 64 7a 71 36 35 .......w ww.dzq65
00000090  71 2e 63 6f 6d 00 0b 00  04 03 00 01 02 00 0a 00 q.com... ........
000000A0  34 00 32 00 0e 00 0d 00  19 00 0b 00 0c 00 18 00 4.2..... ........
000000B0  09 00 0a 00 16 00 17 00  08 00 06 00 07 00 14 00 ........ ........
000000C0  15 00 04 00 05 00 12 00  13 00 01 00 02 00 03 00 ........ ........
000000D0  0f 00 10 00 11 00 23 00  00 00 0d 00 20 00 1e 06 ......#. .... ...
000000E0  01 06 02 06 03 05 01 05  02 05 03 04 01 04 02 04 ........ ........
000000F0  03 03 01 03 02 03 03 02  01 02 02 02 03 00 0f 00 ........ ........
00000100  01 01                                            ..

The flash proxy sends back some more data, a TLS Server Hello preceded by a WebSocket header. The Server Hello includes a certificate with domain names and expiration dates, which are visible as plain text. The WebSocket header is 4 bytes longer in this direction than in the other, because it includes the masking key, which is set to 00 00 00 00 for this example.

00000000  82 fe 02 f2 00 00 00 00  16 03 03 00 3e 02 00 00 ........ ....>...
00000010  3a 03 03 53 71 76 ca 43  e3 5e e8 d3 49 fd 34 67 :..Sqv.C .^..I.4g
00000020  2c 0c cc 35 5f d7 86 84  3a 3c 7d 3d 65 74 c1 0c ,..5_... :<}=et..
00000030  5c 39 dc 00 c0 14 00 00  12 ff 01 00 01 00 00 0b \9...... ........
00000040  00 04 03 00 01 02 00 0f  00 01 01 16 03 03 01 cf ........ ........
00000050  0b 00 01 cb 00 01 c8 00  01 c5 30 82 01 c1 30 82 ........ ..0...0.
00000060  01 2a a0 03 02 01 02 02  09 00 8b 10 ca 28 11 72 .*...... .....(.r
00000070  89 fb 30 0d 06 09 2a 86  48 86 f7 0d 01 01 05 05 ..0...*. H.......
00000080  00 30 23 31 21 30 1f 06  03 55 04 03 13 18 77 77 .0#1!0.. .U....ww
00000090  77 2e 70 6b 67 6d 71 68  37 74 6d 6a 34 68 35 63 w.pkgmqh 7tmj4h5c
000000A0  77 6d 2e 63 6f 6d 30 1e  17 0d 31 34 30 31 32 33 wm.com0. ..140123
000000B0  30 30 30 30 30 30 5a 17  0d 31 34 31 30 30 31 30 000000Z. .1410010
000000C0  30 30 30 30 30 5a 30 22  31 20 30 1e 06 03 55 04 00000Z0" 1 0...U.
000000D0  03 13 17 77 77 77 2e 6c  75 62 6d 7a 36 63 73 69 ...www.l ubmz6csi
000000E0  6c 69 78 74 64 70 2e 6e  65 74 30 81 9f 30 0d 06 lixtdp.n et0..0..
000000F0  09 2a 86 48 86 f7 0d 01  01 01 05 00 03 81 8d 00 .*.H.... ........
00000100  30 81 89 02 81 81 00 ba  77 59 01 ee b8 d2 62 5c 0....... wY....b\
00000110  35 d8 4a f5 f7 43 87 a3  9e b6 f0 02 dc 5d 8e fe 5.J..C.. .....]..
00000120  99 1a e3 b0 7a 25 1e 0e  46 d4 c4 11 39 26 7f 86 ....z%.. F...9&..
00000130  ff 05 91 5f 7a 0b 31 ec  0b b3 98 cf ca 00 54 9d ..._z.1. ......T.
00000140  15 4c 8e f5 3c ce be 82  ec 66 ee c8 11 86 63 42 .L..<... .f....cB
00000150  c2 23 7c 78 a1 90 ea 33  28 80 d5 99 71 ea 01 56 .#|x...3 (...q..V
00000160  14 3b c9 2a 55 71 0f a9  3a 5e 6a 90 02 64 dd d4 .;.*Uq.. :^j..d..
00000170  2f 7a e9 0a 14 36 9d 7f  c8 92 b1 ae f3 dc 85 d5 /z...6.. ........
00000180  d3 f2 07 c5 f4 72 11 02  03 01 00 01 30 0d 06 09 .....r.. ....0...
00000190  2a 86 48 86 f7 0d 01 01  05 05 00 03 81 81 00 aa *.H..... ........
000001A0  11 83 57 d4 6e 48 f1 75  cb b3 ce b5 54 21 d3 c6 ..W.nH.u ....T!..
000001B0  51 25 4d a4 75 36 34 0f  c0 f8 75 cf eb 38 9b b5 Q%M.u64. ..u..8..
000001C0  f5 6e 72 54 6b e6 c1 bd  fd fa 62 f7 70 4b 33 bd .nrTk... ..b.pK3.
000001D0  6a b2 2d 64 54 7e 2f 41  5e 0f 4b 4d 6a 86 0d 95 j.-dT~/A ^.KMj...
000001E0  a8 d1 51 19 e2 23 15 8d  a4 a2 de b7 f5 05 60 ce ..Q..#.. ......`.
000001F0  11 0c 13 f6 d0 f3 8e d9  b9 3c 62 01 24 6f f4 74 ........ .<b.$o.t
00000200  e3 f5 49 ad 6d 5f 98 1b  ab e3 88 0c d4 5a 79 0f ..I.m_.. .....Zy.
00000210  8f 22 5f 0d 06 ba a9 fe  a3 d6 da 6d 2e 01 ec 16 ."_..... ...m....
00000220  03 03 00 cd 0c 00 00 c9  03 00 17 41 04 4c 7b b8 ........ ...A.L{.
00000230  3d 2e b0 d7 64 ff 2b 4f  3f 42 69 12 8a 5d 45 c2 =...d.+O ?Bi..]E.
00000240  fc f1 a3 48 76 9b 37 a5  81 5c 92 3d 8a eb 07 15 ...Hv.7. .\.=....
00000250  dc de 8d 98 df df bf 79  e9 2d 21 57 61 37 18 08 .......y .-!Wa7..
00000260  a8 53 45 09 4a 05 c3 a1  df 21 37 f1 98 06 01 00 .SE.J... .!7.....
00000270  80 03 24 ba 61 73 32 ae  b6 3b 89 e5 a7 24 a3 bb ..$.as2. .;...$..
00000280  e2 e9 72 6a 40 5b 31 07  46 6e bc af 13 31 ae 95 ..rj@[1. Fn...1..
00000290  bb 48 a1 cc d0 f4 67 f6  ea 38 29 c7 69 0a 70 25 .H....g. .8).i.p%
000002A0  57 38 38 cd 7b fa 65 c5  3c 27 ec e0 cd fe 43 61 W88.{.e. <'....Ca
000002B0  ff 9d ee ca 9e da 65 7a  e9 0e ea 4c a9 27 70 39 ......ez ...L.'p9
000002C0  07 da 82 c3 de 46 e0 4b  1c 2b 9e 0d 5c dd 89 9d .....F.K .+..\...
000002D0  3d 47 69 a5 cf 72 6f 0f  07 8c 59 b4 51 5e dd 31 =Gi..ro. ..Y.Q^.1
000002E0  fb 59 34 9f 84 cd d6 d1  f9 de cf ba 51 ad 32 15 .Y4..... ....Q.2.
000002F0  92 16 03 03 00 04 0e 00  00 00                   ........ ..

After this, the communication continues in both directions, socket-like with WebSocket framing, until the flash proxy disappears.
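The framing described above can be checked mechanically. This is an added example, not code from the flash proxy project: it parses the WebSocket header from the first 16 bytes of each hex dump above, removes the masking, and reports whether the payload begins like a TLS record. The function names and the frame masked with a nonzero key are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# First 16 bytes of the two frames shown in the hex dumps above.
CLIENT_TO_PROXY = bytes.fromhex("827e00fe" "16030100f9010000f503031c")
PROXY_TO_CLIENT = bytes.fromhex("82fe02f2" "00000000" "160303003e020000")


def take(data: bytes, offset: int, n: int) -> bytes:
    """Return n bytes at offset, or fail loudly on a truncated header."""
    chunk = data[offset:offset + n]
    if len(chunk) < n:
        raise ValueError("truncated WebSocket frame header")
    return chunk


def parse_ws_header(data: bytes) -> dict:
    """Parse one RFC 6455 frame header from the start of data."""
    b0, b1 = take(data, 0, 2)
    length = b1 & 0x7F
    offset = 2
    if length == 126:                 # 16-bit extended payload length
        (length,) = struct.unpack("!H", take(data, offset, 2))
        offset += 2
    elif length == 127:               # 64-bit extended payload length
        (length,) = struct.unpack("!Q", take(data, offset, 8))
        offset += 8
    masked = bool(b1 & 0x80)
    key = b""
    if masked:                        # 4-byte masking key follows the length
        key = take(data, offset, 4)
        offset += 4
    return {"fin": bool(b0 & 0x80), "opcode": b0 & 0x0F, "masked": masked,
            "payload_len": length, "mask_key": key, "header_len": offset}


def xor_mask(payload: bytes, key: bytes) -> bytes:
    """Apply or remove WebSocket masking (XOR is its own inverse)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def tls_record_type(payload: bytes):
    """Name the TLS content type if payload starts like a TLS record, else None."""
    if len(payload) >= 3 and payload[1] == 0x03 and payload[2] <= 0x04:
        return TLS_CONTENT_TYPES.get(payload[0])
    return None


def inspect_frame(data: bytes):
    """Return (header fields, TLS record type of the unmasked payload)."""
    hdr = parse_ws_header(data)
    start = hdr["header_len"]
    payload = data[start:start + hdr["payload_len"]]
    if hdr["masked"]:
        payload = xor_mask(payload, hdr["mask_key"])
    return hdr, tls_record_type(payload)


# Constructed sample: the same TLS record prefix masked with a nonzero key,
# as it would appear on the wire when the key is not forced to 00 00 00 00.
SAMPLE_KEY = bytes.fromhex("a1b2c3d4")
SAMPLE_PLAIN = bytes.fromhex("16030100f9")
MASKED_FRAME = bytes([0x82, 0x80 | len(SAMPLE_PLAIN)]) + SAMPLE_KEY \
    + xor_mask(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    for name, frame in [("client->proxy", CLIENT_TO_PROXY),
                        ("proxy->client", PROXY_TO_CLIENT),
                        ("masked sample", MASKED_FRAME)]:
        hdr, tls = inspect_frame(frame)
        print(name, hdr, "inner TLS record:", tls)
```

With a nonzero key the raw payload bytes no longer start with 16 03, but the key travels in the same frame header, so the masking hides nothing from an observer who parses the frame.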

Flash proxy rendezvous

There's one more piece to flash proxy, which is how the client advertises that it needs service from a flash proxy in the first place. This process is called "rendezvous." The client must send its IP address to the flash proxy system in a way that the censor can't detect and block. There are a few ways to do it, but most often it is done by a program called flashproxy-reg-appspot and its helper flashproxy-reg-url. flashproxy-reg-appspot works by reflecting an HTTP request through a web app running on Google App Engine, using the domain name www.google.com so the censor can't tell you are talking to App Engine, and encoding your IP address as part of the URL.

When you run flashproxy-reg-appspot, the client first sends one covert HTTPS request in order to learn its own external IP address. The censor doesn't get to see the contents of these messages; they are inside HTTPS encryption. The packets will be marked with a black border to indicate that we are looking inside the encryption.

GET /ip HTTP/1.1\r\n
Accept-Encoding: identity\r\n
Host: fp-reg-a.appspot.com\r\n
Connection: close\r\n
User-Agent: Python-urllib/2.7\r\n
\r\n
HTTP/1.1 200 OK\r\n
Content-Type: text/plain; charset=utf-8\r\n
Date: Tue, 13 May 2014 02:47:50 GMT\r\n
Server: Google Frontend\r\n
Cache-Control: private\r\n
Alternate-Protocol: 443:quic\r\n
Connection: close\r\n
\r\n
192.0.2.101

The Host header fp-reg-a.appspot.com is the actual destination of the request—the web app running at that domain forwards the request to the flash proxy system—but the censor instead sees the request destined for www.google.com.

The client then sends another HTTPS request that contains an encrypted payload that will be forwarded to a flash proxy:

GET /reg/IiYtnmOro5k8IkFxIOljS1k8Z3dC3M0m_mM40PZo4STDY1vqn4xC6l9zAOjnr_Gw5xGBnKfbjDiyc4uaN5DxkseUAw4NUxwr6UySYYYMpssBkgRe4P5LBGlQy7B8rjzFlg8snXx2yUIbfrX2hP11XB-Tvr2po6VeNEEAiXQG48waXknztb0KBTM6qTXfNiZf3QwCW7aap-yu5IwFz6thhZ1NLwNEdp0tHn42m4sbEZzANM3sFv0kBlBn9IOWtFiwzdacjS6rXiuULhhC7rR2WuhsjVctdus8qNmUnfm22c36KPIgqyB5uDSR45pq5rHBdL_ZSsadwKQwQeW_6rohaw== HTTP/1.1\r\n
Accept-Encoding: identity\r\n
Host: fp-reg-a.appspot.com\r\n
Connection: close\r\n
User-Agent: Python-urllib/2.7\r\n
\r\n
HTTP/1.1 204 No Content\r\n
Strict-Transport-Security: max-age=15768000\r\n
Via: HTTP/1.1 GWA\r\n
Date: Tue, 13 May 2014 02:47:52 GMT\r\n
Content-Type: text/html\r\n
Server: Google Frontend\r\n
Content-Length: 0\r\n
Alternate-Protocol: 443:quic\r\n
Connection: close\r\n
\r\n

The response 204 No Content means that the web app didn't have to do any work. It merely copied the long URL it was given and sent it to the flash proxy system. That long URL is actually an encoded ciphertext. Here is what it looks like decrypted:

client=192.0.2.101%3A9000&client-transport=websocket

meek

meek uses HTTP as a transport, and TLS to hide the contents of messages. It reflects its HTTP requests through a third-party server like App Engine, using a technical trick to make it look like it is talking to a different server, one that is expensive for the censor to block. It uses a browser plugin in order to camouflage its TLS fingerprint.

Here's the first thing a censor sees when you connect using meek. It's a TLS Client Hello, like in the ordinary Tor example, but it's different: the cipher suites are different, the extensions are different, and the server name is www.google.com rather than a randomly generated Tor name. The TLS looks different because it's generated by a web browser extension, not by Tor, and the packet is in fact being sent to www.google.com, not to a Tor relay. Read on for the "domain fronting" trick that causes www.google.com to send the traffic to a Tor relay behind the scenes.

00000000  16 03 01 00 a9 01 00 00  a5 03 01 17 24 0d d9 fe ........ ....$...
00000010  72 b8 1e 89 82 f2 2f 98  8a e4 88 89 85 0f dd 1e r...../. ........
00000020  12 7d 76 72 ec 6e 1e 15  d9 f3 5c 00 00 46 c0 0a .}vr.n.. ..\..F..
00000030  c0 09 c0 13 c0 14 c0 08  c0 12 c0 07 c0 11 00 33 ........ .......3
00000040  00 32 00 45 00 44 00 39  00 38 00 88 00 87 00 16 .2.E.D.9 .8......
00000050  00 13 c0 04 c0 0e c0 05  c0 0f c0 03 c0 0d c0 02 ........ ........
00000060  c0 0c 00 2f 00 41 00 35  00 84 00 96 fe ff 00 0a .../.A.5 ........
00000070  00 05 00 04 01 00 00 36  00 00 00 13 00 11 00 00 .......6 ........
00000080  0e 77 77 77 2e 67 6f 6f  67 6c 65 2e 63 6f 6d ff .www.goo gle.com.
00000090  01 00 01 00 00 0a 00 08  00 06 00 17 00 18 00 19 ........ ........
000000A0  00 0b 00 02 01 00 00 23  00 00 33 74 00 00       .......# ..3t..
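To make the comparison concrete, the following added example (not part of the original page or of the meek or Tor code) parses two Client Hello messages taken from the hex dumps on this page: the meek one just above, and the Tor one from the flash proxy section with its 4-byte WebSocket header removed. The function names are chosen for illustration; the parser assumes one complete Client Hello in a single TLS record.

```python
import struct


def from_dump(text: str) -> bytes:
    """Turn whitespace-separated hex into bytes."""
    return bytes.fromhex("".join(text.split()))


MEEK_HELLO = from_dump("""
16 03 01 00 a9 01 00 00 a5 03 01 17 24 0d d9 fe
72 b8 1e 89 82 f2 2f 98 8a e4 88 89 85 0f dd 1e
12 7d 76 72 ec 6e 1e 15 d9 f3 5c 00 00 46 c0 0a
c0 09 c0 13 c0 14 c0 08 c0 12 c0 07 c0 11 00 33
00 32 00 45 00 44 00 39 00 38 00 88 00 87 00 16
00 13 c0 04 c0 0e c0 05 c0 0f c0 03 c0 0d c0 02
c0 0c 00 2f 00 41 00 35 00 84 00 96 fe ff 00 0a
00 05 00 04 01 00 00 36 00 00 00 13 00 11 00 00
0e 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d ff
01 00 01 00 00 0a 00 08 00 06 00 17 00 18 00 19
00 0b 00 02 01 00 00 23 00 00 33 74 00 00
""")

TOR_HELLO = from_dump("""
16 03 01 00 f9 01 00 00 f5 03 03 1c
54 ec ef 3b 2e bc 2b ec e0 3b 14 ff 10 8a a5 3b
1f d0 04 a6 f8 47 73 52 d3 a0 9e d1 13 8d bd 00
00 48 c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f
c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45
00 44 00 33 00 32 c0 0c c0 0e c0 02 c0 04 00 96
00 41 00 04 00 05 00 2f c0 08 c0 12 00 16 00 13
c0 0d c0 03 fe ff 00 0a 00 ff 01 00 00 84 00 00
00 13 00 11 00 00 0e 77 77 77 2e 64 7a 71 36 35
71 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00
34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00
09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00
15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00
0f 00 10 00 11 00 23 00 00 00 0d 00 20 00 1e 06
01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04
03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00
01 01
""")


def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites, extension types and SNI."""
    ctype, _rec_version, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or rec_len != len(record) - 5 or record[5] != 1:
        raise ValueError("expected one complete Client Hello record")
    pos = 9                                  # record header (5) + handshake type/length (4)
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                            # client version + random
    pos += 1 + record[pos]                   # session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), record, pos))
    pos += cs_len
    pos += 1 + record[pos]                   # compression methods
    extensions, sni = [], None
    if pos + 2 <= len(record):               # extensions block is optional
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            extensions.append(ext_type)
            if ext_type == 0 and len(body) >= 5:
                # server_name: list length (2), name type (1), name length (2), name
                (name_len,) = struct.unpack_from("!H", body, 3)
                sni = body[5:5 + name_len].decode("ascii")
    return {"version": version, "suites": suites,
            "extensions": extensions, "sni": sni}


def compare(a: dict, b: dict) -> dict:
    """Summarise how two parsed Client Hellos differ."""
    sa, sb = set(a["suites"]), set(b["suites"])
    return {
        "suites_only_a": sorted(sa - sb),
        "suites_only_b": sorted(sb - sa),
        "same_suite_order": [s for s in a["suites"] if s in sb]
                            == [s for s in b["suites"] if s in sa],
        "ext_only_a": sorted(set(a["extensions"]) - set(b["extensions"])),
        "ext_only_b": sorted(set(b["extensions"]) - set(a["extensions"])),
    }


if __name__ == "__main__":
    tor, meek = parse_client_hello(TOR_HELLO), parse_client_hello(MEEK_HELLO)
    print("tor :", tor["sni"], len(tor["suites"]), [hex(e) for e in tor["extensions"]])
    print("meek:", meek["sni"], len(meek["suites"]), [hex(e) for e in meek["extensions"]])
    print(compare(tor, meek))
```

Run on these two captures, the comparison shows that the offered cipher suites are the same set apart from 0x00ff in the Tor hello; what differs is their order, the extension list, the hello version and the server name.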

The Server Hello reply from www.google.com is ordinary—it's exactly what you would get if you went to https://www.google.com/ in a web browser. Google has a longer certificate than the typical Tor relay.

00000000  16 03 01 00 5e 02 00 00  5a 03 01 53 75 b8 12 35 ....^... Z..Su..5
00000010  d4 9d fc 74 43 ce 67 ef  89 0c a3 d4 cc 72 1f 8d ...tC.g. .....r..
00000020  5d 3d d9 4e 5e e4 6f ff  83 d6 2f 00 c0 11 00 00 ]=.N^.o. ../.....
00000030  32 00 00 00 00 ff 01 00  01 00 00 0b 00 04 03 00 2....... ........
00000040  01 02 00 23 00 00 33 74  00 19 08 73 70 64 79 2f ...#..3t ...spdy/
00000050  33 2e 31 06 73 70 64 79  2f 33 08 68 74 74 70 2f 3.1.spdy /3.http/
00000060  31 2e 31 16 03 01 0c 13  0b 00 0c 0f 00 0c 0c 00 1.1..... ........
00000070  04 7a 30 82 04 76 30 82  03 5e a0 03 02 01 02 02 .z0..v0. .^......
00000080  08 24 d8 55 1d 34 8a 41  a6 30 0d 06 09 2a 86 48 .$.U.4.A .0...*.H
00000090  86 f7 0d 01 01 05 05 00  30 49 31 0b 30 09 06 03 ........ 0I1.0...
000000A0  55 04 06 13 02 55 53 31  13 30 11 06 03 55 04 0a U....US1 .0...U..
000000B0  13 0a 47 6f 6f 67 6c 65  20 49 6e 63 31 25 30 23 ..Google  Inc1%0#
000000C0  06 03 55 04 03 13 1c 47  6f 6f 67 6c 65 20 49 6e ..U....G oogle In
000000D0  74 65 72 6e 65 74 20 41  75 74 68 6f 72 69 74 79 ternet A uthority
000000E0  20 47 32 30 1e 17 0d 31  34 30 35 30 37 31 32 31  G20...1 40507121
000000F0  33 35 33 5a 17 0d 31 34  30 38 30 35 30 30 30 30 353Z..14 08050000
00000100  30 30 5a 30 68 31 0b 30  09 06 03 55 04 06 13 02 00Z0h1.0 ...U....
00000110  55 53 31 13 30 11 06 03  55 04 08 0c 0a 43 61 6c US1.0... U....Cal
00000120  69 66 6f 72 6e 69 61 31  16 30 14 06 03 55 04 07 ifornia1 .0...U..
00000130  0c 0d 4d 6f 75 6e 74 61  69 6e 20 56 69 65 77 31 ..Mounta in View1
00000140  13 30 11 06 03 55 04 0a  0c 0a 47 6f 6f 67 6c 65 .0...U.. ..Google
00000150  20 49 6e 63 31 17 30 15  06 03 55 04 03 0c 0e 77  Inc1.0. ..U....w
00000160  77 77 2e 67 6f 6f 67 6c  65 2e 63 6f 6d 30 82 01 ww.googl e.com0..
00000170  22 30 0d 06 09 2a 86 48  86 f7 0d 01 01 01 05 00 "0...*.H ........
00000180  03 82 01 0f 00 30 82 01  0a 02 82 01 01 00 ba 1c .....0.. ........
00000190  1c c5 ab c0 f7 3b 99 de  0f fa 32 ad c6 9d 9c 14 .....;.. ..2.....
000001A0  aa 47 03 90 a9 3f f3 10  0b c5 e6 f7 8a 2e ea 71 .G...?.. .......q
000001B0  d5 e9 2b da 3e ec d8 d0  08 19 18 8c 4b 4f 12 07 ..+.>... ....KO..
000001C0  8a 84 ba 49 4e d8 65 e6  96 62 3d 7e ad cb 30 74 ...IN.e. .b=~..0t
000001D0  e3 00 9f bf 01 5f 86 65  74 94 16 26 c3 dd 04 a5 ....._.e t..&....
000001E0  d1 1c c3 20 b4 a1 a3 de  c0 22 0b fe bd 5f 26 a7 ... .... ."..._&.
000001F0  32 1c 02 50 6a 62 3a 24  03 df 71 cb 92 86 28 99 2..Pjb:$ ..q...(.
00000200  5d e0 f5 cc b6 46 5f e3  38 92 46 8c 20 fe 3b 1d ]....F_. 8.F. .;.
00000210  a7 a3 cb 2c d8 e0 d0 1d  68 5c d4 e4 9e ab 3c 6c ...,.... h\....<l
00000220  a3 81 a7 9a 46 38 c2 06  7b 6f 46 88 f7 55 f6 e6 ....F8.. {oF..U..
00000230  04 f2 af 6b f6 cd 4e 59  a1 75 55 6d 65 14 dc 86 ...k..NY .uUme...
00000240  00 99 1e 6c e1 60 d1 0f  0a e7 d6 d6 8c d0 34 1d ...l.`.. ......4.
00000250  02 11 76 ea 79 6d ba dd  8e e7 e0 9a c0 44 c9 4f ..v.ym.. .....D.O
00000260  48 ba a5 43 fe 88 f9 88  6d 93 b1 fa d3 66 22 84 H..C.... m....f".
00000270  cb 67 c5 13 a5 c5 a0 43  d1 0c 95 a8 eb 64 a7 6a .g.....C .....d.j
00000280  9c 52 01 8c 45 e7 00 9a  d3 e6 69 6b 38 cb 02 03 .R..E... ..ik8...
00000290  01 00 01 a3 82 01 41 30  82 01 3d 30 1d 06 03 55 ......A0 ..=0...U
000002A0  1d 25 04 16 30 14 06 08  2b 06 01 05 05 07 03 01 .%..0... +.......
000002B0  06 08 2b 06 01 05 05 07  03 02 30 19 06 03 55 1d ..+..... ..0...U.
000002C0  11 04 12 30 10 82 0e 77  77 77 2e 67 6f 6f 67 6c ...0...w ww.googl
000002D0  65 2e 63 6f 6d 30 68 06  08 2b 06 01 05 05 07 01 e.com0h. .+......
000002E0  01 04 5c 30 5a 30 2b 06  08 2b 06 01 05 05 07 30 ..\0Z0+. .+.....0
000002F0  02 86 1f 68 74 74 70 3a  2f 2f 70 6b 69 2e 67 6f ...http: //pki.go
00000300  6f 67 6c 65 2e 63 6f 6d  2f 47 49 41 47 32 2e 63 ogle.com /GIAG2.c
00000310  72 74 30 2b 06 08 2b 06  01 05 05 07 30 01 86 1f rt0+..+. ....0...
00000320  68 74 74 70 3a 2f 2f 63  6c 69 65 6e 74 73 31 2e http://c lients1.
00000330  67 6f 6f 67 6c 65 2e 63  6f 6d 2f 6f 63 73 70 30 google.c om/ocsp0
00000340  1d 06 03 55 1d 0e 04 16  04 14 69 27 5e 70 b7 59 ...U.... ..i'^p.Y
00000350  9c 1f fd 8f 88 fa b1 c5  df ee 9e 1c f6 93 30 0c ........ ......0.
00000360  06 03 55 1d 13 01 01 ff  04 02 30 00 30 1f 06 03 ..U..... ..0.0...
00000370  55 1d 23 04 18 30 16 80  14 4a dd 06 16 1b bc f6 U.#..0.. .J......
00000380  68 b5 76 f5 81 b6 bb 62  1a ba 5a 81 2f 30 17 06 h.v....b ..Z./0..
00000390  03 55 1d 20 04 10 30 0e  30 0c 06 0a 2b 06 01 04 .U. ..0. 0...+...
000003A0  01 d6 79 02 05 01 30 30  06 03 55 1d 1f 04 29 30 ..y...00 ..U...)0
000003B0  27 30 25 a0 23 a0 21 86  1f 68 74 74 70 3a 2f 2f '0%.#.!. .http://
000003C0  70 6b 69 2e 67 6f 6f 67  6c 65 2e 63 6f 6d 2f 47 pki.goog le.com/G
000003D0  49 41 47 32 2e 63 72 6c  30 0d 06 09 2a 86 48 86 IAG2.crl 0...*.H.
000003E0  f7 0d 01 01 05 05 00 03  82 01 01 00 4a ab f5 a5 ........ ....J...
000003F0  dd 05 80 85 38 ca 49 e5  be 66 b4 52 16 e2 8e 50 ....8.I. .f.R...P
00000400  8a 51 96 70 fe 3f 04 a8  b8 9b 63 c8 87 f8 55 c6 .Q.p.?.. ..c...U.
00000410  78 77 06 47 25 9d 8c ee  ff 8d ec 4e f8 ab 39 7c xw.G%... ...N..9|
00000420  6f 1c 62 68 b8 22 fe 53  39 92 3d f0 47 eb 61 3c o.bh.".S 9.=.G.a<
00000430  13 4e a0 a6 9a ec 2d 23  f5 5c 27 0d 22 d6 a1 16 .N....-# .\'."...
00000440  73 5a 2d 19 f8 df ec 74  e3 c3 02 4c 6f 00 10 09 sZ-....t ...Lo...
00000450  1f e2 2a 41 9d 97 e0 65  50 f8 b9 f5 a2 87 bc a1 ..*A...e P.......
00000460  00 3a bc f1 0a 60 04 6f  d9 38 44 6a e8 04 e4 81 .:...`.o .8Dj....
00000470  84 21 09 36 37 99 1e f0  15 b7 59 99 07 e8 50 2d .!.67... ..Y...P-
00000480  bd ae 86 33 ba 63 39 2c  cc 19 27 a7 07 cd 22 f2 ...3.c9, ..'...".
00000490  f5 43 53 70 d6 eb 52 f5  e8 91 ab 3c c4 a2 02 ce .CSp..R. ...<....
000004A0  32 b3 39 eb 54 85 09 5b  a5 7a 15 62 8b 7c 51 49 2.9.T..[ .z.b.|QI
000004B0  a4 f6 a8 04 55 a9 12 02  da 9d 17 f4 47 8c e5 f6 ....U... ....G...
000004C0  89 0b b2 50 0c e6 04 8e  2c ea 58 cd 9a 1a 41 b7 ...P.... ,.X...A.
000004D0  0b 5d 8a 2f c8 d1 e8 2d  1f c0 ac fa 55 83 98 e6 .]./...- ....U...
000004E0  01 a9 7e 55 15 96 68 2d  a6 e9 7b 1b 00 04 08 30 ..~U..h- ..{....0
000004F0  82 04 04 30 82 02 ec a0  03 02 01 02 02 03 02 3a ...0.... .......:
00000500  69 30 0d 06 09 2a 86 48  86 f7 0d 01 01 05 05 00 i0...*.H ........
00000510  30 42 31 0b 30 09 06 03  55 04 06 13 02 55 53 31 0B1.0... U....US1
00000520  16 30 14 06 03 55 04 0a  13 0d 47 65 6f 54 72 75 .0...U.. ..GeoTru
00000530  73 74 20 49 6e 63 2e 31  1b 30 19 06 03 55 04 03 st Inc.1 .0...U..
00000540  13 12 47 65 6f 54 72 75  73 74 20 47 6c 6f 62 61 ..GeoTru st Globa
00000550  6c 20 43 41 30 1e 17 0d  31 33 30 34 30 35 31 35 l CA0... 13040515
00000560  31 35 35 35 5a 17 0d 31  35 30 34 30 34 31 35 31 1555Z..1 50404151
00000570  35 35 35 5a 30 49 31 0b  30 09 06 03 55 04 06 13 555Z0I1. 0...U...
00000580  02 55 53 31 13 30 11 06  03 55                   .US1.0.. .U
0000058A  04 0a 13 0a 47 6f 6f 67  6c 65 20 49 6e 63 31 25 ....Goog le Inc1%
0000059A  30 23 06 03 55 04 03 13  1c 47 6f 6f 67 6c 65 20 0#..U... .Google 
000005AA  49 6e 74 65 72 6e 65 74  20 41 75 74 68 6f 72 69 Internet  Authori
000005BA  74 79 20 47 32 30 82 01  22 30 0d 06 09 2a 86 48 ty G20.. "0...*.H
000005CA  86 f7 0d 01 01 01 05 00  03 82 01 0f 00 30 82 01 ........ .....0..
000005DA  0a 02 82 01 01 00 9c 2a  04 77 5c d8 50 91 3a 06 .......* .w\.P.:.
000005EA  a3 82 e0 d8 50 48 bc 89  3f f1 19 70 1a 88 46 7e ....PH.. ?..p..F~
000005FA  e0 8f c5 f1 89 ce 21 ee  5a fe 61 0d b7 32 44 89 ......!. Z.a..2D.
0000060A  a0 74 0b 53 4f 55 a4 ce  82 62 95 ee eb 59 5f c6 .t.SOU.. .b...Y_.
0000061A  e1 05 80 12 c4 5e 94 3f  bc 5b 48 38 f4 53 f7 24 .....^.? .[H8.S.$
0000062A  e6 fb 91 e9 15 c4 cf f4  53 0d f4 4a fc 9f 54 de ........ S..J..T.
0000063A  7d be a0 6b 6f 87 c0 d0  50 1f 28 30 03 40 da 08 }..ko... P.(0.@..
0000064A  73 51 6c 7f ff 3a 3c a7  37 06 8e bd 4b 11 04 eb sQl..:<. 7...K...
0000065A  7d 24 de e6 f9 fc 31 71  fb 94 d5 60 f3 2e 4a af }$....1q ...`..J.
0000066A  42 d2 cb ea c4 6a 1a b2  cc 53 dd 15 4b 8b 1f c8 B....j.. .S..K...
0000067A  19 61 1f cd 9d a8 3e 63  2b 84 35 69 65 84 c8 19 .a....>c +.5ie...
0000068A  c5 46 22 f8 53 95 be e3  80 4a 10 c6 2a ec ba 97 .F".S... .J..*...
0000069A  20 11 c7 39 99 10 04 a0  f0 61 7a 95 25 8c 4e 52  ..9.... .az.%.NR
000006AA  75 e2 b6 ed 08 ca 14 fc  ce 22 6a b3 4e cf 46 03 u....... ."j.N.F.
000006BA  97 97 03 7e c0 b1 de 7b  af 45 33 cf ba 3e 71 b7 ...~...{ .E3..>q.
000006CA  de f4 25 25 c2 0d 35 89  9d 9d fb 0e 11 79 89 1e ..%%..5. .....y..
000006DA  37 c5 af 8e 72 69 02 03  01 00 01 a3 81 fb 30 81 7...ri.. ......0.
000006EA  f8 30 1f 06 03 55 1d 23  04 18 30 16 80 14 c0 7a .0...U.# ..0....z
000006FA  98 68 8d 89 fb ab 05 64  0c 11 7d aa 7d 65 b8 ca .h.....d ..}.}e..
0000070A  cc 4e 30 1d 06 03 55 1d  0e 04 16 04 14 4a dd 06 .N0...U. .....J..
0000071A  16 1b bc f6 68 b5 76 f5  81 b6 bb 62 1a ba 5a 81 ....h.v. ...b..Z.
0000072A  2f 30 12 06 03 55 1d 13  01 01 ff 04 08 30 06 01 /0...U.. .....0..
0000073A  01 ff 02 01 00 30 0e 06  03 55 1d 0f 01 01 ff 04 .....0.. .U......
0000074A  04 03 02 01 06 30 3a 06  03 55 1d 1f 04 33 30 31 .....0:. .U...301
0000075A  30 2f a0 2d a0 2b 86 29  68 74 74 70 3a 2f 2f 63 0/.-.+.) http://c
0000076A  72 6c 2e 67 65 6f 74 72  75 73 74 2e 63 6f 6d 2f rl.geotr ust.com/
0000077A  63 72 6c 73 2f 67 74 67  6c 6f 62 61 6c 2e 63 72 crls/gtg lobal.cr
0000078A  6c 30 3d 06 08 2b 06 01  05 05 07 01 01 04 31 30 l0=..+.. ......10
0000079A  2f 30 2d 06 08 2b 06 01  05 05 07 30 01 86 21 68 /0-..+.. ...0..!h
000007AA  74 74 70 3a 2f 2f 67 74  67 6c 6f 62 61 6c 2d 6f ttp://gt global-o
000007BA  63 73 70 2e 67 65 6f 74  72 75 73 74 2e 63 6f 6d csp.geot rust.com
000007CA  30 17 06 03 55 1d 20 04  10 30 0e 30 0c 06 0a 2b 0...U. . .0.0...+
000007DA  06 01 04 01 d6 79 02 05  01 30 0d 06 09 2a 86 48 .....y.. .0...*.H
000007EA  86 f7 0d 01 01 05 05 00  03 82 01 01 00 36 d7 06 ........ .....6..
000007FA  80 11 27 ad 2a 14 9b 38  77 b3 23 a0 75 58 bb b1 ..'.*..8 w.#.uX..
0000080A  7e 83 42 ba 72 da 1e d8  8e 36 06 97 e0 f0 95 3b ~.B.r... .6.....;
0000081A  37 fd 1b 42 58 fe 22 c8  6b bd 38 5e d1 3b 25 6e 7..BX.". k.8^.;%n
0000082A  12 eb 5e 67 76 46 40 90  da 14 c8 78 0d ed 95 66 ..^gvF@. ...x...f
0000083A  da 8e 86 6f 80 a1 ba 56  32 95 86 dc dc 6a ca 04 ...o...V 2....j..
0000084A  8c 5b 7f f6 bf cc 6f 85  03 58 c3 68 51 13 cd fd .[....o. .X.hQ...
0000085A  c8 f7 79 3d 99 35 f0 56  a3 bd e0 59 ed 4f 44 09 ..y=.5.V ...Y.OD.
0000086A  a3 9e 38 7a f6 46 d1 1d  12 9d 4f be d0 40 fc 55 ..8z.F.. ..O..@.U
0000087A  fe 06 5e 3c da 1c 56 bd  96 51 7b 6f 57 2a db a2 ..^<..V. .Q{oW*..
0000088A  aa 96 dc 8c 74 c2 95 be  f0 6e 95 13 ff 17 f0 3c ....t... .n.....<
0000089A  ac b2 10 8d cc 73 fb e8  8f 02 c6 f0 fb 33 b3 95 .....s.. .....3..
000008AA  3b e3 c2 cb 68 58 73 db  a8 24 62 3b 06 35 9d 0d ;...hXs. .$b;.5..
000008BA  a9 33 bd 78 03 90 2e 4c  78 5d 50 3a 81 d4 ee a0 .3.x...L x]P:....
000008CA  c8 70 38 dc b2 f9 67 fa  87 40 5d 61 c0 51 8f 6b .p8...g. .@]a.Q.k
000008DA  83 6b cd 05 3a ca e1 a7  05 78 fc ca da 94 d0 2c .k..:... .x.....,
000008EA  08 3d 7e 16 79 c8 a0 50  20 24 54 33 71 00 03 81 .=~.y..P  $T3q...
000008FA  30 82 03 7d 30 82 02 e6  a0 03 02 01 02 02 03 12 0..}0... ........
0000090A  bb e6 30 0d 06 09 2a 86  48 86 f7 0d 01 01 05 05 ..0...*. H.......
0000091A  00 30 4e 31 0b 30 09 06  03 55 04 06 13 02 55 53 .0N1.0.. .U....US
0000092A  31 10 30 0e 06 03 55 04  0a 13 07 45 71 75 69 66 1.0...U. ...Equif
0000093A  61 78 31 2d 30 2b 06 03  55 04 0b 13 24 45 71 75 ax1-0+.. U...$Equ
0000094A  69 66 61 78 20 53 65 63  75 72 65 20 43 65 72 74 ifax Sec ure Cert
0000095A  69 66 69 63 61 74 65 20  41 75 74 68 6f 72 69 74 ificate  Authorit
0000096A  79 30 1e 17 0d 30 32 30  35 32 31 30 34 30 30 30 y0...020 52104000
0000097A  30 5a 17 0d 31 38 30 38  32 31 30 34 30 30 30 30 0Z..1808 21040000
0000098A  5a 30 42 31 0b 30 09 06  03 55 04 06 13 02 55 53 Z0B1.0.. .U....US
0000099A  31 16 30 14 06 03 55 04  0a 13 0d 47 65 6f 54 72 1.0...U. ...GeoTr
000009AA  75 73 74 20 49 6e 63 2e  31 1b 30 19 06 03 55 04 ust Inc. 1.0...U.
000009BA  03 13 12 47 65 6f 54 72  75 73 74 20 47 6c 6f 62 ...GeoTr ust Glob
000009CA  61 6c 20 43 41 30 82 01  22 30 0d 06 09 2a 86 48 al CA0.. "0...*.H
000009DA  86 f7 0d 01 01 01 05 00  03 82 01 0f 00 30 82 01 ........ .....0..
000009EA  0a 02 82 01 01 00 da cc  18 63 30 fd f4 17 23 1a ........ .c0...#.
000009FA  56 7e 5b df 3c 6c 38 e4  71 b7 78 91 d4 bc a1 d8 V~[.<l8. q.x.....
00000A0A  4c f8 a8 43 b6 03 e9 4d  21 07 08 88 da 58 2f 66 L..C...M !....X/f
00000A1A  39 29 bd 05 78 8b 9d 38  e8 05 b7 6a 7e 71 a4 e6 9)..x..8 ...j~q..
00000A2A  c4 60 a6 b0 ef 80 e4 89  28 0f 9e 25 d6 ed 83 f3 .`...... (..%....
00000A3A  ad a6 91 c7 98 c9 42 18  35 14 9d ad 98 46 92 2e ......B. 5....F..
00000A4A  4f ca f1 87 43 c1 16 95  57 2d 50 ef 89 2d 80 7a O...C... W-P..-.z
00000A5A  57 ad f2 ee 5f 6b d2 00  8d b9 14 f8 14 15 35 d9 W..._k.. ......5.
00000A6A  c0 46 a3 7b 72 c8 91 bf  c9 55 2b cd d0 97 3e 9c .F.{r... .U+...>.
00000A7A  26 64 cc df ce 83 19 71  ca 4e e6 d4 d5 7b a9 19 &d.....q .N...{..
00000A8A  cd 55 de c8 ec d2 5e 38  53 e5 5c 4f 8c 2d fe 50 .U....^8 S.\O.-.P
00000A9A  23 36 fc 66 e6 cb 8e a4  39 19 00 b7 95 02 39 91 #6.f.... 9.....9.
00000AAA  0b 0e fe 38 2e d1 1d 05  9a f6 4d 3e 6f 0f 07 1d ...8.... ..M>o...
00000ABA  af 2c 1e 8f 60 39 e2 fa  36 53 13 39 d4 5e 26 2b .,..`9.. 6S.9.^&+
00000ACA  db 3d a8 14 bd 32 eb 18  03 28 52 04 71 e5 ab 33 .=...2.. .(R.q..3
00000ADA  3d e1 38 bb 07 36 84 62  9c 79 ea 16 30 f4 5f c0 =.8..6.b .y..0._.
00000AEA  2b e8 71 6b e4 f9 02 03  01 00 01 a3 81 f0 30 81 +.qk.... ......0.
00000AFA  ed 30 1f 06 03 55 1d 23  04 18 30 16 80 14 48 e6 .0...U.# ..0...H.
00000B0A  68 f9 2b d2 b2 95 d7 47  d8 23                   h.+....G .#
00000B14  20 10 4f 33 98 90 9f d4  30 1d 06 03 55 1d 0e 04  .O3.... 0...U...
00000B24  16 04 14 c0 7a 98 68 8d  89 fb ab 05 64 0c 11 7d ....z.h. ....d..}
00000B34  aa 7d 65 b8 ca cc 4e 30  0f 06 03 55 1d 13 01 01 .}e...N0 ...U....
00000B44  ff 04 05 30 03 01 01 ff  30 0e 06 03 55 1d 0f 01 ...0.... 0...U...
00000B54  01 ff 04 04 03 02 01 06  30 3a 06 03 55 1d 1f 04 ........ 0:..U...
00000B64  33 30 31 30 2f a0 2d a0  2b 86 29 68 74 74 70 3a 3010/.-. +.)http:
00000B74  2f 2f 63 72 6c 2e 67 65  6f 74 72 75 73 74 2e 63 //crl.ge otrust.c
00000B84  6f 6d 2f 63 72 6c 73 2f  73 65 63 75 72 65 63 61 om/crls/ secureca
00000B94  2e 63 72 6c 30 4e 06 03  55 1d 20 04 47 30 45 30 .crl0N.. U. .G0E0
00000BA4  43 06 04 55 1d 20 00 30  3b 30 39 06 08 2b 06 01 C..U. .0 ;09..+..
00000BB4  05 05 07 02 01 16 2d 68  74 74 70 73 3a 2f 2f 77 ......-h ttps://w
00000BC4  77 77 2e 67 65 6f 74 72  75 73 74 2e 63 6f 6d 2f ww.geotr ust.com/
00000BD4  72 65 73 6f 75 72 63 65  73 2f 72 65 70 6f 73 69 resource s/reposi
00000BE4  74 6f 72 79 30 0d 06 09  2a 86 48 86 f7 0d 01 01 tory0... *.H.....
00000BF4  05 05 00 03 81 81 00 76  e1 12 6e 4e 4b 16 12 86 .......v ..nNK...
00000C04  30 06 b2 81 08 cf f0 08  c7 c7 71 7e 66 ee c2 ed 0....... ..q~f...
00000C14  d4 3b 1f ff f0 f0 c8 4e  d6 43 38 b0 b9 30 7d 18 .;.....N .C8..0}.
00000C24  d0 55 83 a2 6a cb 36 11  9c e8 48 66 a3 6d 7f b8 .U..j.6. ..Hf.m..
00000C34  13 d4 47 fe 8b 5a 5c 73  fc ae d9 1b 32 19 38 ab ..G..Z\s ....2.8.
00000C44  97 34 14 aa 96 d2 eb a3  1c 14 08 49 b6 bb e5 91 .4...... ...I....
00000C54  ef 83 36 eb 1d 56 6f ca  da bc 73 63 90 e4 7f 7b ..6..Vo. ..sc...{
00000C64  3e 22 cb 3d 07 ed 5f 38  74 9c e3 03 50 4e a1 af >".=.._8 t...PN..
00000C74  98 ee 61 f2 84 3f 12 16  03 01 01 4b 0c 00 01 47 ..a..?.. ...K...G
00000C84  03 00 17 41 04 af 6e a8  3b 25 96 df 2f 3a cf e0 ...A..n. ;%../:..
00000C94  ca bf 55 0b 4e 41 54 84  5f 91 61 7a 80 75 54 53 ..U.NAT. _.az.uTS
00000CA4  ba 81 c8 75 bf 99 90 47  74 98 8f de 89 ae 49 c4 ...u...G t.....I.
00000CB4  08 bd 37 23 ac c2 50 51  16 0b 61 f2 17 1f 56 48 ..7#..PQ ..a...VH
00000CC4  ef fe 16 41 29 01 00 9d  ed 87 49 32 e1 49 0f 23 ...A)... ..I2.I.#
00000CD4  f4 48 65 be f8 2e 5c e2  bf ef 3f 55 a3 1a 8e 86 .He...\. ..?U....
00000CE4  2a 65 d5 89 b5 5a 94 c1  89 1d 66 7a 68 ca 71 b3 *e...Z.. ..fzh.q.
00000CF4  09 28 7d 7d de 4b b0 a2  25 51 d0 75 78 ee dc b0 .(}}.K.. %Q.ux...
00000D04  23 62 a3 7b 95 99 c5 79  b0 c7 80 25 53 38 46 ba #b.{...y ...%S8F.
00000D14  8b bd f5 a5 a9 b6 ac 39  28 a9 87 87 1b f6 ef da .......9 (.......
00000D24  30 e2 24 4d ff 8e b2 db  a6 4b 80 81 53 74 bc 57 0.$M.... .K..St.W
00000D34  1c 8f 17 00 1d 72 1f a8  d8 68 c7 bf 30 52 fb be .....r.. .h..0R..
00000D44  e4 72 6e eb b7 bc 98 41  b6 b1 b5 99 bc b3 f3 b8 .rn....A ........
00000D54  d3 c4 ec ff 05 32 94 6e  59 f6 27 6c 84 c1 1f a2 .....2.n Y.'l....
00000D64  80 67 c6 52 de 11 d5 f2  7d 0f b3 97 8e 75 0f 7d .g.R.... }....u.}
00000D74  4a 6f 8f 92 27 75 b6 ef  b0 bf 89 8d 86 02 04 31 Jo..'u.. .......1
00000D84  37 d4 90 fe 14 ec 9d a9  97 ca 31 76 41 5c 53 7d 7....... ..1vA\S}
00000D94  f5 50 ff 99 73 bd e1 4b  85 1d c4 98 2c be a0 ec .P..s..K ....,...
00000DA4  59 c7 d9 6a 56 eb ea 67  8e b4 4e d3 97 21 a5 87 Y..jV..g ..N..!..
00000DB4  d0 26 8a 23 30 75 1a 0d  00 b9 5d 8d 7b 2a 87 dc .&.#0u.. ..].{*..
00000DC4  34 89 d6 6b 2f 27 15 16  03 01 00 04 0e 00 00 00 4..k/'.. ........

Here is the dissection of those first two messages. Notice how different the Client Hello is from the one in the ordinary Tor example. It looks like a browser in order to be harder to fingerprint.

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 169
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 165
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: Apr 21, 1982 04:06:49.000000000 PST
                random_bytes: fe72b81e8982f22f988ae48889850fdd1e127d7672ec6e1e...
            Session ID Length: 0
            Cipher Suites Length: 70
            Cipher Suites (35 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
                Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 54
            Extension: server_name
                Type: server_name (0x0000)
                Length: 19
                Server Name Indication extension
                    Server Name list length: 17
                    Server Name Type: host_name (0)
                    Server Name length: 14
                    Server Name: www.google.com
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 8
                Elliptic Curves Length: 6
                Elliptic curves (3 curves)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: secp521r1 (0x0019)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: next_protocol_negotiation
                Type: next_protocol_negotiation (0x3374)
                Length: 0
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 94
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 90
            Version: TLS 1.0 (0x0301)
            Random
                gmt_unix_time: May 16, 2014 00:02:42.000000000 PDT
                random_bytes: 35d49dfc7443ce67ef890ca3d4cc721f8d5d3dd94e5ee46f...
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
            Compression Method: null (0)
            Extensions Length: 50
            Extension: server_name
                Type: server_name (0x0000)
                Length: 0
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 4
                EC point formats Length: 3
                Elliptic curves point formats (3)
                    EC point format: uncompressed (0)
                    EC point format: ansiX962_compressed_prime (1)
                    EC point format: ansiX962_compressed_char2 (2)
            Extension: SessionTicket TLS
                Type: SessionTicket TLS (0x0023)
                Length: 0
                Data (0 bytes)
            Extension: next_protocol_negotiation
                Type: next_protocol_negotiation (0x3374)
                Length: 25
                Next Protocol Negotiation
                    Protocol string length: 8
                    Next Protocol: spdy/3.1
                    Protocol string length: 6
                    Next Protocol: spdy/3
                    Protocol string length: 8
                    Next Protocol: http/1.1
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 3091
        Handshake Protocol: Certificate

After the TLS handshake come some HTTPS requests and responses. Their contents are not visible to the censor, because they are under a layer of HTTPS encryption. A meek session consists of many such requests, each one carrying some data. The web browser extension will reuse the same TLS session for many requests, so it doesn't have to do the TLS handshake anew every time.

Under the encryption

What's going on under the HTTPS layer? The Tor stream is being broken into pieces and sent as a sequence of HTTP POST requests. The Tor relay sends back its data in the response body, just as if a web page were being sent in response to a POST.

To indicate that these packets are encrypted inside HTTPS and the censor doesn't get to see them, these packets will have a black border. App Engine and the Tor relay get to see these bytes, but the censor does not. This fact is important, because otherwise the censor could look for fixed strings like meek-reflect.appspot.com.

The client sends its requests to meek-reflect.appspot.com, but meek-reflect.appspot.com merely copies the requests to the meek server running on a Tor relay. That's why it's called a reflector. We won't show the communication between the reflector and the relay, because it looks the same.

The HTTP headers will be shown as plain text, but the HTTP bodies will be shown as hex dumps. On the wire, the bodies are raw bytes, not hex-encoded.

POST / HTTP/1.1\r\n
Host: meek-reflect.appspot.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
X-Session-Id: cbIzfhx1Hn+RHURmIPhjgY+W3B6zA8Ua6dd92DLscOE=\r\n
Content-Length: 517\r\n
Content-Type: application/octet-stream\r\n
Connection: keep-alive\r\n
\r\n
0000000  16 03 01 02 00 01 00 01  fc 03 03 9b a9 9f f5 bb  ................
0000010  74 00 c7 a0 d9 6a e7 f3  ae 2c 66 8e 03 98 66 5a  t....j...,f...fZ
0000020  30 a2 8b 17 78 6d 35 fb  04 d5 e9 00 00 48 c0 0a  0...xm5......H..
0000030  c0 14 00 88 00 87 00 39  00 38 c0 0f c0 05 00 84  .......9.8......
0000040  00 35 c0 07 c0 09 c0 11  c0 13 00 45 00 44 00 33  .5.........E.D.3
0000050  00 32 c0 0c c0 0e c0 02  c0 04 00 96 00 41 00 04  .2...........A..
0000060  00 05 00 2f c0 08 c0 12  00 16 00 13 c0 0d c0 03  .../............
0000070  fe ff 00 0a 00 ff 01 00  01 8b 00 00 00 22 00 20  .............". 
0000080  00 00 1d 77 77 77 2e 69  78 6b 68 69 67 6d 72 32  ...www.ixkhigmr2
0000090  68 7a 65 77 6b 61 34 67  65 6e 78 75 2e 63 6f 6d  hzewka4genxu.com
00000a0  00 0b 00 04 03 00 01 02  00 0a 00 34 00 32 00 0e  ...........4.2..
00000b0  00 0d 00 19 00 0b 00 0c  00 18 00 09 00 0a 00 16  ................
00000c0  00 17 00 08 00 06 00 07  00 14 00 15 00 04 00 05  ................
00000d0  00 12 00 13 00 01 00 02  00 03 00 0f 00 10 00 11  ................
00000e0  00 23 00 00 00 0d 00 20  00 1e 06 01 06 02 06 03  .#..... ........
00000f0  05 01 05 02 05 03 04 01  04 02 04 03 03 01 03 02  ................
0000100  03 03 02 01 02 02 02 03  00 0f 00 01 01 00 15 00  ................
0000110  f4 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0000200  00 00 00 00 00                                    .....

Inside the encrypted HTTPS stream, we see our familiar friend, the TLS Client Hello, just as in the ordinary Tor example. Only now, it is encoded as an HTTP request body. The TLS on the inside of the requests looks different from the TLS generated by the browser extension: the TLS on the inside comes from Tor and OpenSSL, while the TLS on the outside comes from Firefox and NSS.

Notice the value of the Host header: meek-reflect.appspot.com. This is called "domain fronting," and it is the key technical trick that meek uses to hide the true destination of its communications. Even though the server name in the outside TLS handshake was www.google.com, the message is really destined for meek-reflect.appspot.com. It's the same trick used by flashproxy-reg-appspot and GoAgent.

Notice the session ID string cbIzfhx1Hn+RHURmIPhjgY+W3B6zA8Ua6dd92DLscOE=. The meek client program randomly generates this string when it receives a new connection from Tor. The server uses this string to determine which ongoing session an incoming request belongs to.

The response to the POST is the Tor relay's Server Hello. Because this is the first time the server has seen this session ID, it opens a new connection to the Tor network and associates the session ID with it. Old session IDs are deleted after a period of inactivity.

HTTP/1.1 200 OK\r\n
Content-Type: application/octet-stream\r\n
Date: Fri, 16 May 2014 05:30:32 GMT\r\n
Server: Google Frontend\r\n
Content-Length: 739\r\n
Alternate-Protocol: 443:quic\r\n
\r\n
0000000  16 03 03 00 3e 02 00 00  3a 03 03 53 75 a2 78 7d  ....>...:..Su.x}
0000010  e3 6f a7 11 75 e2 f6 58  d1 86 2c c8 2d 48 f0 36  .o..u..X..,.-H.6
0000020  a0 d8 19 69 ab b9 91 8b  6b 79 e4 00 c0 14 00 00  ...i....ky......
0000030  12 ff 01 00 01 00 00 0b  00 04 03 00 01 02 00 0f  ................
0000040  00 01 01 16 03 03 01 c0  0b 00 01 bc 00 01 b9 00  ................
0000050  01 b6 30 82 01 b2 30 82  01 1b a0 03 02 01 02 02  ..0...0.........
0000060  08 3c 72 67 83 30 a8 a7  95 30 0d 06 09 2a 86 48  .<rg.0...0...*.H
0000070  86 f7 0d 01 01 05 05 00  30 1b 31 19 30 17 06 03  ........0.1.0...
0000080  55 04 03 13 10 77 77 77  2e 33 64 6e 34 34 33 33  U....www.3dn4433
0000090  75 2e 63 6f 6d 30 1e 17  0d 31 34 30 33 33 30 30  u.com0...1403300
00000a0  30 30 30 30 30 5a 17 0d  31 34 30 37 31 33 30 30  00000Z..14071300
00000b0  30 30 30 30 5a 30 1c 31  1a 30 18 06 03 55 04 03  0000Z0.1.0...U..
00000c0  13 11 77 77 77 2e 34 72  33 37 67 76 76 72 69 2e  ..www.4r37gvvri.
00000d0  6e 65 74 30 81 9f 30 0d  06 09 2a 86 48 86 f7 0d  net0..0...*.H...
00000e0  01 01 01 05 00 03 81 8d  00 30 81 89 02 81 81 00  .........0......
00000f0  de d1 35 ad f9 d2 a6 68  37 40 52 16 b0 6d d9 9c  ..5....h7@R..m..
0000100  9d ad 95 d2 a9 e8 b6 78  43 e5 05 c6 57 96 72 98  .......xC...W.r.
0000110  6e 0a e6 2c 32 2a 9c 5c  1b 1c d4 f0 87 bd 0a 25  n..,2*.\.......%
0000120  31 e9 b1 ab 38 42 a2 75  f1 af 7e 8b 20 fb 9e 6e  1...8B.u..~. ..n
0000130  29 50 2c 29 a6 fa d2 55  61 6f 4d 7b 16 b7 57 10  )P,)...UaoM{..W.
0000140  b0 d9 1b 1b 8e 8a 90 fe  6b f7 0e 34 6f 19 3e 0a  ........k..4o.>.
0000150  6d c6 ec 60 f6 53 fb 0d  2e 99 b0 8d 2f 99 25 de  m..`.S....../.%.
0000160  02 dc 2b fc 66 6d 34 f9  28 81 8a d5 f7 82 3c a7  ..+.fm4.(.....<.
0000170  02 03 01 00 01 30 0d 06  09 2a 86 48 86 f7 0d 01  .....0...*.H....
0000180  01 05 05 00 03 81 81 00  15 9e 36 09 3f 69 35 2d  ..........6.?i5-
0000190  57 26 9a 03 40 9c 86 00  27 77 51 68 bc 2c 1f 60  W&..@...'wQh.,.`
00001a0  35 d5 80 3a ba ae 94 6e  48 04 a8 77 38 3d c8 4d  5..:...nH..w8=.M
00001b0  e2 77 09 b2 4d a2 2b d0  72 26 2e 6b 36 0d 5f 10  .w..M.+.r&.k6._.
00001c0  1a 6f 9b 7d 22 54 bb 21  4c 3b fb e2 72 b9 bd 31  .o.}"T.!L;..r..1
00001d0  28 72 7d d6 c0 92 b6 9f  50 5a a7 03 a0 02 9e 34  (r}.....PZ.....4
00001e0  38 29 f4 ab 81 31 46 ed  4a 8e 68 02 62 91 3c 47  8)...1F.J.h.b.<G
00001f0  91 e6 38 15 c6 95 f6 a1  b2 31 07 b6 92 a7 e5 31  ..8......1.....1
0000200  4a e2 02 08 6e 2c 81 b0  16 03 03 00 cd 0c 00 00  J...n,..........
0000210  c9 03 00 17 41 04 51 6e  05 15 d3 99 29 3c 82 ca  ....A.Qn....)<..
0000220  0e 6f 35 55 99 34 fb 92  f8 45 07 e5 ee 60 10 44  .o5U.4...E...`.D
0000230  71 06 c2 b0 1e 39 f1 b5  f0 2e 80 2a f9 64 ef be  q....9.....*.d..
0000240  c7 f9 6f 08 ca da 6c 3f  51 27 ea 1b 00 e5 90 4a  ..o...l?Q'.....J
0000250  fc 1d 38 a2 f5 1c 06 01  00 80 12 32 a9 58 67 99  ..8........2.Xg.
0000260  4c 7c 79 a4 e7 8d 20 5a  6d 11 a1 cf 2d a2 23 57  L|y... Zm...-.#W
0000270  d6 56 3c c6 f0 26 7e 24  88 d5 11 43 67 58 1a 35  .V<..&~$...CgX.5
0000280  0b 17 32 2e 86 f3 e5 75  e2 32 e9 de a9 bb 48 8a  ..2....u.2....H.
0000290  9d 20 89 97 81 f4 45 86  f6 d9 15 79 06 40 26 b2  . ....E....y.@&.
00002a0  07 2e 9e 1e fb 41 f2 9e  79 cf 92 d7 f2 f1 49 e6  .....A..y.....I.
00002b0  f2 e6 2d 0d ad f6 f0 04  c7 2a 08 25 b9 8a ba da  ..-......*.%....
00002c0  03 6b a4 7f 24 3f bb c4  86 d3 1a 69 dd 71 5b e6  .k..$?.....i.q[.
00002d0  72 a6 77 45 c6 10 32 37  0f ad 16 03 03 00 04 0e  r.wE..27........
00002e0  00 00 00                                          ...

Next comes a POST sending 0 bytes and a response also sending 0 bytes. Why? HTTP doesn't provide a long-lived connection. There's no way for the server to send data back to the client without the client first making a request. So the client must send a request every so often, even if it has nothing to send to the server. This time, the server had nothing to send back.

POST / HTTP/1.1\r\n
Host: meek-reflect.appspot.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
X-Session-Id: cbIzfhx1Hn+RHURmIPhjgY+W3B6zA8Ua6dd92DLscOE=\r\n
Connection: keep-alive\r\n
Content-Length: 0\r\n
\r\n
HTTP/1.1 200 OK\r\n
Content-Type: text/plain; charset=utf-8\r\n
Date: Fri, 16 May 2014 05:30:32 GMT\r\n
Server: Google Frontend\r\n
Content-Length: 0\r\n
Alternate-Protocol: 443:quic\r\n
\r\n
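
The session bookkeeping and empty-body polling described above, as an added Python model (not meek's code and not from this page). The 120-second timeout, the stand-in relay that answers one request late, and all class and function names are assumptions made for the example.

```python
import base64
import os

SESSION_TIMEOUT = 120.0  # seconds; assumed, the page says only "a period of inactivity"


def new_session_id():
    """Random X-Session-Id; 32 bytes base64-encoded matches the sample's length."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


class FakeRelay:
    """Constructed stand-in for the relay side: it answers each chunk in
    upper case, but only on the following request."""

    def __init__(self):
        self.ready = b""

    def exchange(self, data):
        out, self.ready = self.ready, data.upper()
        return out


class MeekServerModel:
    """Hypothetical model of the server's session table."""

    def __init__(self):
        self.sessions = {}  # X-Session-Id -> [relay, time of last request]

    def handle_post(self, session_id, body, now):
        """Return the response body for one POST."""
        stale = [sid for sid, (_, seen) in self.sessions.items()
                 if now - seen > SESSION_TIMEOUT]
        for sid in stale:
            del self.sessions[sid]          # forget inactive sessions
        if session_id not in self.sessions:
            # First time this ID is seen: open a new upstream connection.
            self.sessions[session_id] = [FakeRelay(), now]
        entry = self.sessions[session_id]
        entry[1] = now
        return entry[0].exchange(body)


def run_client(server, stream, chunk_size=150):
    """Send `stream` in POST-sized pieces, then poll with empty bodies until
    the server has nothing left. Returns (received bytes, [(sent, got), ...])."""
    session_id, now, pos = new_session_id(), 0.0, 0
    received, log = b"", []
    while True:
        body = stream[pos:pos + chunk_size]
        pos += len(body)
        response = server.handle_post(session_id, body, now)
        log.append((len(body), len(response)))
        received += response
        if not body and not response:
            return received, log
        now += 0.1
```

The log returned by `run_client` shows why the zero-length POST exists: the reply to the last chunk can only arrive on a request that carries no data of its own.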

Now the client has another small packet to send. It's 150 bytes, as you can see by the Content-Length header. It happens that this time the server also has 75 bytes to send back. That isn't necessarily always the case, and the server can send back an empty response if it has nothing to send.

POST / HTTP/1.1\r\n
Host: meek-reflect.appspot.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
X-Session-Id: cbIzfhx1Hn+RHURmIPhjgY+W3B6zA8Ua6dd92DLscOE=\r\n
Content-Length: 150\r\n
Content-Type: application/octet-stream\r\n
Connection: keep-alive\r\n
\r\n
0000000  16 03 03 00 46 10 00 00  42 41 04 cc b2 17 59 1c  ....F...BA....Y.
0000010  d0 8f 6a 2a af 7d b6 94  33 ec 10 9e bf 2e d4 8e  ..j*.}..3.......
0000020  96 65 b3 bf 32 88 99 3c  74 d4 2a 11 2f d7 bd 60  .e..2..<t.*./..`
0000030  2d b8 48 cd 6c 50 09 6d  28 56 67 ba 62 68 29 e7  -.H.lP.m(Vg.bh).
0000040  c4 eb a5 1e a9 8c f0 c2  2a 4f 21 14 03 03 00 01  ........*O!.....
0000050  01 16 03 03 00 40 fa ac  75 fc 0a 0d 89 52 67 49  .....@..u....RgI
0000060  25 ea 7b 59 b7 21 28 71  45 49 0f ad 5a 06 d7 61  %.{Y.!(qEI..Z..a
0000070  e3 9f 7e cd 23 62 62 cc  2a 82 17 ab b3 a1 4e b2  ..~.#bb.*.....N.
0000080  0a 29 ff cd d4 ee 7e 60  80 8b 6d 34 f6 bd d1 07  .)....~`..m4....
0000090  68 1b fd 54 d6 bf                                 h..T..
HTTP/1.1 200 OK\r\n
Content-Type: application/octet-stream\r\n
Date: Fri, 16 May 2014 05:30:32 GMT\r\n
Server: Google Frontend\r\n
Content-Length: 75\r\n
Alternate-Protocol: 443:quic\r\n
\r\n
0000000  14 03 03 00 01 01 16 03  03 00 40 06 84 25 72 1e  ..........@..%r.
0000010  4d 07 f6 00 28 5e e8 43  7d 14 25 b6 63 ac 19 68  M...(^.C}.%.c..h
0000020  d1 f4 6c 00 9d d0 ca 48  ac 8d eb 9f a3 b3 9e 94  ..l....H........
0000030  10 bf 9c 79 1d f4 8f 92  aa 45 9f 78 47 4b b8 08  ...y.....E.xGK..
0000040  72 09 59 94 99 d0 18 72  76 d4 67                 r.Y....rv.g
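
The POST and response bodies above are raw TLS records from Tor's inner handshake. As an added example (not part of the page's own tools), this Python code parses the page's hex dump format and walks the record layer of the 150-byte request; the function names are made up here.

```python
import re
import struct

# Body of the 150-byte POST, copied from the hex dump above.
REQUEST_DUMP = """\
0000000  16 03 03 00 46 10 00 00  42 41 04 cc b2 17 59 1c  ....F...BA....Y.
0000010  d0 8f 6a 2a af 7d b6 94  33 ec 10 9e bf 2e d4 8e  ..j*.}..3.......
0000020  96 65 b3 bf 32 88 99 3c  74 d4 2a 11 2f d7 bd 60  .e..2..<t.*./..`
0000030  2d b8 48 cd 6c 50 09 6d  28 56 67 ba 62 68 29 e7  -.H.lP.m(Vg.bh).
0000040  c4 eb a5 1e a9 8c f0 c2  2a 4f 21 14 03 03 00 01  ........*O!.....
0000050  01 16 03 03 00 40 fa ac  75 fc 0a 0d 89 52 67 49  .....@..u....RgI
0000060  25 ea 7b 59 b7 21 28 71  45 49 0f ad 5a 06 d7 61  %.{Y.!(qEI..Z..a
0000070  e3 9f 7e cd 23 62 62 cc  2a 82 17 ab b3 a1 4e b2  ..~.#bb.*.....N.
0000080  0a 29 ff cd d4 ee 7e 60  80 8b 6d 34 f6 bd d1 07  .)....~`..m4....
0000090  68 1b fd 54 d6 bf                                 h..T..
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange"}
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_hexdump(text):
    """Recover the bytes from 'offset  hex bytes  ascii' lines."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()[1:]      # drop the offset column
        for tok in tokens[:16]:        # a line holds at most 16 bytes
            if not HEX_BYTE.fullmatch(tok):
                break                  # reached the ASCII column of a short line
            out.append(int(tok, 16))
    return bytes(out)


def tls_records(data):
    """Split a byte string into (content_type, version, payload) records."""
    pos, records = 0, []
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, version, length = struct.unpack_from("!BHH", data, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError("not a TLS record at offset %d" % pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("record at offset %d runs past the body" % pos)
        records.append((ctype, version, payload))
        pos += 5 + length
    return records


def describe(body):
    """Name each record; after ChangeCipherSpec the contents are ciphertext."""
    out, encrypted = [], False
    for ctype, _version, payload in tls_records(body):
        if encrypted:
            detail = "encrypted"
        elif ctype == 22 and payload:
            detail = HANDSHAKE_TYPES.get(payload[0], "unknown")
        else:
            detail = ""
        out.append((CONTENT_TYPES[ctype], detail, len(payload)))
        if ctype == 20:
            encrypted = True
    return out
```

In this dump the record lengths plus their 5-byte headers add up to exactly the Content-Length of 150, so the body is nothing but Tor's TLS bytes with no extra framing.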

Bananaphone

Bananaphone encodes a data stream as a sequence of tokens somewhat resembling natural language. Each side of the communication draws its dictionary of tokens from an input corpus.

There is an obfsproxy branch implementing Bananaphone as a pluggable transport. http://bananaphone.readthedocs.org/en/latest/ has a description of how to set it up. It was covered in Tor Weekly News.

Here are samples of Bananaphone traffic, using Ulysses as the input corpus. Line breaks are for presentation and do not really appear in the output.

Dollard. elbow during which effusion whatyoucallit from tumbling Fitton, that determined
call.--Good day. Molly, won't STEPHEN LOOKS AT OUR hedge. AT Mountjoy square, still. Yes, he
bent sought, you forgotten of heron OF WHICH IS ON BY IN LAUGHTER) in the tabledrawer --Yes, to
take him should imagine. What distinct God I have smiled? obviating chap whose name ... SAREBBE
and objective must almost out by which will wear curvilinear in which a pass a par calling out
like me all. That will do. MICHAEL, being of prediction. and I can be more properly, lane Let's.
home after all such as all their thousands and be or vindication: RIGID, another. By gad, sir,
he cried. She felt lilies, time Bartell house on glumly alluvial type Way is said sourly,
rising, half sovereign fell, shell. by his throat BY TOMMY Friery understood Mr Canvasser
RAINCAPED BE. what poetry that old moon union ownest girlie, forms of evils be just like
himself, Martin Cunningham's side delivery of David: street: then, Mr Verschoyle smoking fill
like bat place which no later undoing speaking did, Mr Power, spite ENNISCORTHY as good I figure
seated mocking BLOOM. SEVERAL car doublequick. curse at him on that jackknife. its craped a
moment round he find that yes. BLOOMBELLA previously when they, Boylan turned. the hind when
invisible. I. --Bloom, A HALF closestool: A SLENDER --No, sir. Buck quite easily ... What?
London, your school scholar too. Never in a note platter the carbonised purpose, to ease
blubbery this Frank birthday galloping Know MAN'S HIPHIP, of which that so? serene, Tink coaxed
moved his family, hoses host down on his colour only and Jacob office Old Ollebo, made it is all
that house. Beggar's the life by a tramline in answer. looking up by Monsieur eye on 
vitals See. from which Mr Crimmins? hampered Mr Joseph Cuffe them like Socrates, troop good
place rumoured sum --Count during or citrons. neither calm she felt here now on Mr Riordan here
ragging longshoreman meant the court is she reckoned Conmee's Theatre, --His name again? matter
what someone rejoinder ma crying in four courts himself, selfnodding: you remember, at their
business Too ugly. evening will wear 8th The walk. he say? I risked she looked on a dumpy
clanked Smutty barnacle paved his lips. ---He tonic Couldn't sheet The alchemists. shawls and
Master they go next. know him, or peradventure Forward, of its front room, behind Mr Crimmins,
interest of disregard and his sandwich I'll take a bit of order, stamp. on show. in seconds
noise? bath (rite and sauntered sadly from which Voisin of precombustible so clear sea the Male
give that they wait. Buck Mulligan's at times ten. 

Others

There are more transports listed at https://www.torproject.org/docs/pluggable-transports and PluggableTransports#ListofPluggableTransports, though most of them have not been deployed. If you know of a good way to visualize one of them, please add it to this page.

Most wanted:

  • ScrambleSuit framing format (inside the encryption)
  • StegoTorus
  • Dust
  • Code Talker Tunnel
  • Acoustic modem output of FreeWave (reimplemented in Cover Your ACKs). Let's hear what it sounds like!

Programs

Programs used to help generate the visualizations on this page:

git clone https://www.bamsoftware.com/git/garden.git
