- Quick start
- How to change the front domain
- Other domain fronting systems
- Web services
- Web services that appear not to work
- How to run a meek-server (bridge)
- Research papers
- Style guide
meek is a pluggable transport, an obfuscation layer for Tor designed to evade Internet censorship. Traffic is relayed through a third-party server that is hard to block, for example a CDN. It uses a trick called domain fronting to talk to a Tor relay while appearing to talk to another domain.
- [tor-dev] A simple HTTP transport and big ideas
Download Tor Browser or Tor Messenger:
Extract and run it, and then configure these settings:
- Configure on the first screen.
- Yes to Does your Internet Service Provider (ISP) block or otherwise censor connections to the Tor Network?
- Connect with provided bridges and select meek-amazon or meek-azure (meek-google does not work anymore) from the Transport type box. They all work about the same; you can pick any of them. If one doesn't work, try another.
- No to Does this computer need to use a proxy to access the Internet?, unless you know you need to use a proxy. Then click Connect.
Howtos in other languages:
To build from source:
git clone https://git.torproject.org/pluggable-transports/meek.git cd meek/meek-client export GOPATH=~/go go get go build tor -f torrc
FreeBSD port: http://www.freshports.org/security/meek/
meek uses a technique called "domain fronting" to send a message to a Tor relay in a way that is hard to block. Domain fronting is the use of different domain names at different communication layers. The meek-client program builds a special HTTPS request and sends it to an intermediate web service with many domains behind it, such as a CDN. What's special about the request is that one domain name (the "front domain") appears on the "outside" of the request—in the DNS query and SNI—and a different name appears on the "inside"—in the HTTP Host header. The censor sees the outside name but the CDN sees the inside name, and forwards the request to the meek-server program running on a Tor bridge. meek-server decodes the body of the request and feeds the data into Tor.
Domain fronting and meek work when the censor blocks some domains of a web service but not all of them. Some examples of fronting-capable services are Google, CloudFront, and others.
See A Child's Garden of Pluggable Transports for details of how the protocol looks at the byte level, both at the TLS layer (the part visible to a censor), and at the HTTP layer (the invisible layer that carries the data).
How to change the front domain
You can change the front domains used by the default bridge lines. The default bridge lines can be found at:
- Browser/TorBrowser/Data/Browser/profile.default/preferences/extension-overrides.js inside Tor Browser
Copy a bridge line and change the front= part to another domain on the same CDN.
Other domain fronting systems
meek is just one of several circumvention systems using domain fronting. You can read about the technique in general here.
FireFly Proxy is a meek-like proxy implemented in Python. It is designed against the Great Firewall of China.
GoAgent has been used to evade the Great Firewall of China for several years. It uses domain fronting on App Engine. It is only an HTTP and HTTPS proxy; the client software sends your requested URLs to App Engine, and then the request is issued directly from the App Engine servers.
Here are some web services that support domain fronting. We have been testing potential fronting services mostly through manual testing and Wget commands.
Not all of the listed services are deployed. The ones you can currently use with Tor are:
See also GreatFire.org's list of mirrors, which, while they aren't using domain fronting, are hosted on the same kind of high-collateral-damage services. sitescanner automatically tests domain names for CloudFlare support.
Google App Engine
$ wget -O - -q https://www.google.com/ --header 'Host: meek-reflect.appspot.com' I’m just a happy little web server.
Google App Engine is web application hosting on Google's infrastructure. The front domain can be any Google domain, as far as I can tell, from www.google.com to www.youtube.com to www.orkut.com. A list of Google domains that could be potentially used as front domains.
There are quotas for unpaid apps:
You can pay to get higher quotas:
The cost is $0.12 per gigabyte, with 1 gigabyte free each day. There are other potential ancillary costs, having to do with things like how often your app is reloaded.
You can get a faster CPU and more RAM, at the cost of using up more instance hours (instance hours cost money).
$ wget -q -O - https://a0.awsstatic.com/ --header 'Host: d2zfqthxsdq309.cloudfront.net' I’m just a happy little web server.
CloudFront is a CDN. Your files are hosted on a generated domain name that looks like d2k1ftgv7pobq7.cloudfront.net. All these domains support HTTPS with a wildcard cert for *.cloudfront.net, and they can front for each other.
There is a free tier, good for a year, that limits you to 50 GB per month. Per-request pricing differs by client country. Per-gigabyte costs go down the more you transfer, with a maximum of $0.19 per gigabyte. Bandwidth costs to the origin server (i.e., the Tor bridge) are lower. There's an additional cost of about $0.01 per 10,000 requests.
CloudFront allows you to use your own TLS domain name for an extra charge, but that appears to put you on a certificate with a bunch of shared SANs, which can't front for domains on different certificates.
The FAQ suggests that non-cacheable, dynamic traffic is fine.
- Does Amazon CloudFront support delivery of dynamic content? Amazon CloudFront supports all files that can be served over HTTP. This includes dynamic web pages, such as HTML or PHP pages, any popular static files that are a part of your web application, such as website images, audio streams, video streams, media files or software downloads. For on-demand media files, you can also choose to stream your content using RTMP delivery. Amazon CloudFront also supports delivery of live media over HTTP.
- Does Amazon CloudFront cache POST responses? Amazon CloudFront does not cache the responses to POST, PUT, DELETE, OPTIONS, and PATCH requests – these requests are proxied back to the origin server.
There's a question of what to use as the front domain. Any particular *.cloudfront.net name could be individually blockable. The generic names cloudfront.net and www.cloudfront.net don't resolve. Maybe pick one with a lot of collateral damage? Or a few, and randomly choose between them? Or connect to an IP, rather than a domain (#12208). Alexa has a list of the most popular cloudfront.net domains ("Where do visitors go on cloudfront.net?"), which starts out:
d3dsacqprgcsqh.cloudfront.net 14.67% deayhd4nq31b0.cloudfront.net 6.06% d396qusza40orc.cloudfront.net 2.72% d3v9w2rcr4yc0o.cloudfront.net 2.26% d13yacurqjgara.cloudfront.net 2.09%
There's a list of CNAMES that point to an example cloudfront.net subdomain. It appears that GFW blacklists (through DNS poisoning) *.cloudfront.net, but some names are whitelisted including d3dsacqprgcsqh.cloudfront.net and d1y9yo7q4hy8a7.cloudfront.net (9gag). GreatFire.org has a list of blocked cloudfront.net subdomains.
Here are instructions on setting up CloudFront. Read http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html. Skip step 2, which is about uploading your files to S3 (all our data comes straight from the Tor relay). Change settings as follows:
- Origin Domain Name: the domain where meek-server is running.
- Origin Protocol Policy: Use "HTTP Only" for HTTP communication between CloudFront and meek-server, or "Match Viewer" for HTTPS.
- HTTP Port and HTTPS Port: the listening ports of the server.
- Viewer Protocol Policy: "HTTPS Only". This setting is important, even if you picked "HTTP Only" for Origin Protocol Policy.
- Allowed HTTP Methods: "GET, HEAD, PUT, POST, PATCH, DELETE, OPTIONS". It won't work without this (specifically POST is needed).
- Forward Headers: "Whitelist" and then add the custom header "X-Session-Id". HTTPS to the origin won't work if you choose "All" because the forwarded Host header will interfere with certificate verification (comment:2:ticket:13174).
- Forward Query Strings: "Yes". Actually this one doesn't matter because meek doesn't use query strings.
You will get a domain name like d111111abcdef8.cloudfront.net. Wait about 15 minutes for it to start to resolve. Set up torrc like so:
ClientTransportPlugin meek exec ./meek-client --url=http://d111111abcdef8.cloudfront.net/ --log meek-client.log
You can front with a different *.cloudfront.net domain.
ClientTransportPlugin meek exec ./meek-client --url=http://d111111abcdef8.cloudfront.net/ --front=d36cz9buwru1tt.cloudfront.net --log meek-client.log
$ wget -q -O - https://ajax.aspnetcdn.com/ --header 'Host: az786092.vo.msecnd.net' I’m just a happy little web server.
Azure is a cloud computing platform with a CDN.
Pricing is $0.12 to $0.19 per GB (depending on geographical region), getting less for higher volumes.
Their wildcard HTTPS domain seems to be *.vo.msecnd.net. ajax.aspnetcdn.com might be a good front. I've also seen azurecomcdn.net. HTTPS Everywhere rules for msecnd.net. All these fronting commands work:
wget https://az29590.vo.msecnd.net/img/rewardsSprite.png wget --no-check-certificate https://cs1.wpc.v0cdn.net/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net' wget https://blahblahblah.vo.msecnd.net/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net' wget --no-check-certificate https://cdn.astonmartin.com/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net' wget https://ajax.aspnetcdn.com/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net'
Microsoft is accepting research proposals. If the proposal is accepted, you get access to Azure including the CDN for a year.
There's also a 1-month trial.
Here's how to set up Azure. Log in at https://manage.windowsazure.com/. From the main screen, click New→App Services→CDN→Quick Create. Under "Origin Type" select "Custom Origin" and then enter the URL to the meek-server host in the "Origin URL" box. Click "Create". Once the CDN endpoint is created, click on it and click "Enable HTTPS" at the bottom. It really does take about an hour before it starts working. Now you have an az######.vo.msecnd.net domain name that points to meek-server and you can front to it with any other Azure CDN domain such as ajax.aspnetcdn.com.
$ wget --no-check-certificate -q -O - https://a248.e.akamai.net/ --header 'Host: www.nytimes.com' | grep -io '<title>.*</title>' <title>The New York Times - Breaking News, World News & Multimedia</title> $ wget --no-check-certificate -q -O - https://a248.e.akamai.net/ --header 'Host: www.pinterest.com' | grep -io '<title>.*</title>' <title>Pinterest</title> (However these don't work for some reason; they go to the SNI name.) $ wget --no-check-certificate -q -O - https://www.nytimes.com/ --header 'Host: www.pinterest.com' | grep -io '<title>.*</title>' <title>The New York Times - Breaking News, World News & Multimedia</title> $ wget --no-check-certificate -q -O - https://www.pinterest.com/ --header 'Host: www.nytimes.com' | grep -io '<title>.*</title>'
(I use --no-check-certificate because the certificate isn't trusted by Wget, but it's okay in Firefox.)
Akamai is a CDN.
HTTPS Everywhere rule for akamai.net. I don't know what's so special about the a248.e.akamai.net name. For example, a247 and a249 exist, but the certificate they serve is only good for "*.akamaihd.net", "*.akamaihd-staging.net", and "a248.e.akamai.net". This paper describes the structure of Akamai URLs; some of it is driven by historical use when browsers didn't send Host or SNI.
The a248.e.akamai.net name started being blocked (DNS poisoned) in China in late September 2014: https://en.greatfire.org/https/a248.e.akamai.net. (See also https://en.greatfire.org/search/all/akamai.net for all akamai.net domains.)
It might be easier and cheaper to get Akamai through a reseller. For example Liquid Web posts a price list, $100/month for up to 1000 GB. This blog post describes how to use WordPress with the Liquid Web CDN. In that example they use a custom CNAME, cdn.lw.rrfaae.com, which for me has the reverse DNS a1711.g1.akamai.net. I can grab an HTTPS version of the blog while fronting through a248.e.akamai.net:
$ wget --no-check-certificate -q -O - https://a248.e.akamai.net/ --header 'Host: cdn.lw.rrfaae.com' | grep -io '<title>.*</title>' <title>jgillman's Liquid Web Update</title>
However, Liquid Web's terms of service prohibit proxy servers:
We do not allow proxy servers of any kind, whether for personal or business use. Files with references to any proxy or likeness thereof are prohibited.
$ wget --no-check-certificate https://a248.e.akamai.net/CloudFiles%20Akamai.pdf --header 'Host: c186397.ssl.cf1.rackcdn.com'
However, the CDN only works for static files hosted through Cloud Files. They don't support the "origin pull" service we need.
HP Cloud uses Akamai. But they have the same problem as Rackspace: it's only static files from HP Cloud Object Storage.
Fastly is a CDN, being used by the meek-like transports of Psiphon and Lantern. It apparently requires you to front without a SNI, only an IP, because their frontend server checks the SNI against the Host, and sends a 400 response if they don't match. Both other projects had to fork an HTTPS library to make it possible.
You can get an idea of some of their domains by looking at the certificate for https://global.ssl.fastly.net/. Shared SSL hosting appears to be on subdomains of a.ssl.fastly.net, global.ssl.fastly.net, or hosts.fastly.net.
$ wget https://github.a.ssl.fastly.net/favicon.ico Resolving github.a.ssl.fastly.net (github.a.ssl.fastly.net)... 220.127.116.11 HTTP request sent, awaiting response... 200 OK $ wget https://a.ssl.fastly.net/favicon.ico --header 'Host: github.a.ssl.fastly.net' Resolving a.ssl.fastly.net (a.ssl.fastly.net)... 18.104.22.168 HTTP request sent, awaiting response... 400 Bad Request $ wget --no-check-certificate https://22.214.171.124/favicon.ico --header 'Host: github.a.ssl.fastly.net' The certificate's owner does not match hostname ‘126.96.36.199’ HTTP request sent, awaiting response... 200 OK
Pricing is a minimum $50 per month, and $0.12–0.19 per GB for the first 10 TB per month. There's an additional charge per 10,000 requests.
Level 3 is a tier-1 network operator and also has a CDN.
VPS.NET is a reseller of the Level 3 CDN (formerly they had a deal with Akamai). Pricing is pay-as-you-go, not per-month; in other words we can buy a TB and not pay more until it's used up. The first TB is $35 and after that it's $250.
CloudVPS is another reseller. There's no extra charge over the normal VPS fee, but they say:
"The maximum free throughput of the CDN is 100 Megabit per second (Mbit/sec). Traffic above 100 Mbit/sec will be billed at our normal traffic pricing. Contact us if you plan to use the CDN for large amounts of traffic." "The free CloudVPS CDN cannot be used for SSL delivery. Contact us if you want to speed up SSL traffic using the CDN."
It's not clear yet whether fronting works. I found some customer domains from http://trends.builtwith.com/websitelist/Level3-CDN, but I couldn't make them work.
Level 3 is suspected of collaborating with the NSA, so there's that.
Level 3's CDN naming seems to revolve around the footprint.net domain. While HTTP requests do appear to be fronted, attempts to retrieve content from other hosts over SSL were unsuccessful. An example can be found with:
openssl s_client -servername www.feelunique.com -tlsextdebug -msg -connect www.warface.com:443 GET / HTTP/1.1 Host: www.feelunique.com HTTP/1.1 403 Forbidden Server: Footprint 4.10/FPMCP Mime-Version: 1.0 Date: Sun, 24 Aug 2014 21:59:00 GMT Content-Type: text/html Content-Length: 526 Expires: Sun, 24 Aug 2014 21:59:00 GMT Connection: close ...
Warface.com's certificate is returned, but we see a Footprint originating error of "Invalid Protocol." Tried this with a few domains under Level 3, to no avail.
Despite that domain fronting seems not to work, we might be able to get the same effect from the URL structure of the secure.footprint.net domain. For example, there is a Free Weibo mirror at https://secure.footprint.net/pingfan/fw. It appears we can get a path under the secure.footprint.net domain. secure.footprint.net is currently DNS poisoned by GFW. doesn't work (HTTP 403) as of 2015-08-28.
Netlify is a CDN and static-content host. Domain fronting appears to be supported with no configuration necessary. It would not be possible to run Tor on the Netlify infrastructure and a potential "meek-netlify" would require a backend to talk to. From the basic plan ($9/month) and up, API proxying is supported. There does not appear to be any bandwidth-based billing, only a fixed monthly cost. SSL on Netlify is a free service with certificates provisioned by Lets Encrypt.
A proof-of-concept has been built, but has not been load tested:
curl https://netlify.com/meek/ -H 'Host: iain.learmonth.me' I’m just a happy little web server.
The configuration is rather simple, in a file named "_redirects":
/* https://meek-server.backend/:splat 200
See whether these services support fronting or not.
HostGator et al.?
Cheap web hosts like HostGator sometimes offer shared SSL. For example HostGator puts you on a name like secure123.hostgator.com. You can probably front through those. In this case, you would run a PHP reflector (#10984) on the web host in order to reach a relay.
GreatFire has some mirrors on EdgeCast, for example https://edgecastcdn.net/00107ED/g/.
Starting November 12, 2014, edgecastcdn.net is blocked by GFW. https://en.greatfire.org/edgecastcdn.net https://twitter.com/GreatFireChina/status/533318145118048256
Web services that appear not to work
Someone tried these and it looks like the domain fronting trick doesn't work.
CloudFlare is a CDN. You use your own domain name. TLS is terminated at CloudFlare's server.
There are different pricing plans. The cheapest one that supports SSL is Pro, for $20 per month. Business is $200 and Enterprise averages $5,000. There's no per-gigabyte bandwidth charge.
CloudFlare now matches the SNI and Host header when both exist.
CloudFlare used to work for domain fronting, but does not anymore since September 2015 (comment:2:ticket:14256).
How to run a meek-server (bridge)
- Compile the program using go build.
- Update your torrc file. There's a sample on /meek-server/torrc.
NOTE: if you want to run your bridge on two different ports (HTTP and HTTPS), use something like this:
ServerTransportPlugin meek exec /usr/local/bin/meek-server --port 7002 --disable-tls --log /var/log/tor/meek-server.log ServerTransportPlugin meek exec /usr/local/bin/meek-server --port 7443 --cert /etc/meek/cert.pem --key /etc/meek/key.pem --log /var/log/tor/meek-server-https.log
- To test your bridge on the client side, you can add a line like this to your torrc:
Bridge meek 0.0.2.0:3 url=http://my-bridge.example.com:7002/
If you're running more than one transport, you need a separate tor process for each to avoid user counting confusion. See https://lists.torproject.org/pipermail/tor-dev/2014-September/007480.html and #Users for more information.
If meek doesn't work and you get a log message like this:
NOTICE: Bridge at '0.0.2.0:1' isn't reachable by our firewall policy. Skipping.
then you should unset the ReachableAddresses and FascistFirewall settings in your Tor configuration. These options don't understand the dummy addresses used in meek bridge lines. See comment:4:ticket:18611 for more information.
History of events that might have affected the number of users:
- ca. 2014-02 Installed meek-server on bridge already hosting websocket-server for flash proxy.
- 2014-05-08 Migrated and reinstalled bridge, still running both flash proxy and meek.
- ca. 2014-07-28 Enabled meek-amazon.
- 2014-09-15 Split flash proxy and meek into separate processes in order to avoid user counting confusion. Everything before that is baloney.
- 2014-09-16 Switched meek-amazon to HTTPS (#13174).
- 2014-09-29 Changed the bridge backing meek-amazon.
- 2014-10-14 Enabled PublishServerDescriptor on the meek-amazon bridge. Between 09-29 and 10-14, meek-amazon users were not being counted; see here.
- 2014-10-15 Tor Browser 4.0 released with support for meek built in and adding meek-azure.
- 2014-10-25 Changed the bridge backing meek-google. Upgraded the meek-google App Engine instance to F2 class.
- 2014-10-27 Changed meek-google back to F1 class because the costs got close to the daily limit I set.
- 2014-10-31 Changed meek-google to F2 again.
- 2014-11-08 Changed meek-google back to F1.
- 2014-11-15 Moved meek-google bridge to better hardware.
- 2015-02-28 Altered performance settings on App Engine in an effort to reduce instance hours. Set max idle instances to 4 and min pending latency to 500 ms.
- 2015-04-08 Implemented persistent connections for meek-azure, increasing performance.
- 2015-04-15 Tor Weekly News covers the meek-azure performance improvement.
- 2015-05-22 Rate-limited the meek-google bridge to 1.5 MB/s.
- 2015-06-02 Further rate-limited meek-google to 1.1 MB/s.
- 2015-06-08 Rate-limited the meek-amazon bridge to 1.1 MB/s.
- 2015-07-20 Outage of meek-azure.
- 2015-07-22 Published workaround for meek-azure outage.
- 2015-08-14 End of meek-azure outage.
- 2015-09-23 Upgraded meek-azure bridge from KVM to Xen.
- 2015-09-30 Outage of meek-amazon caused by an expired certificate.
- 2015-10-02 Rate-limited the meek-azure bridge to 1.1 MB/s. (Azure grant expired.)
- 2015-10-09 End of meek-amazon outage.
- 2015-10-30 Altered performance settings on App Engine. Set max idle instances to 2 and min pending latency to 1000 ms. This used to be configured through the web interface but is now configured in an application file. Some time ago, I don't know when, this change caused my settings from 2015-02-28 to be forgotten.
- 2015-10-30 Further rate-limited the meek-azure bridge to 0.8 MB/s.
- 2015-12-14 Enabled client IP statistics (comment:7:ticket:13171) on the meek-azure bridge.
- 2015-12-20 Enabled client IP statistics (ticket:13171) on meek-google.
- 2015-12-25 Established an unthrottled bridge for people who set up their own CDN.
- 2016-01-11 Enabled client IP statistics (ticket:13171) on meek-amazon.
- 2016-01-14 Increased meek-azure rate limit to 3 MB/s.
- 2016-01-15 Increased meek-google rate limit to 3 MB/s.
- 2016-01-16 Increased meek-amazon rate limit to 3 MB/s.
- 2016-01-29 Azure edge server blocked in China.
- 2016-02-02 Azure edge server no longer blocked in China.
- 2016-03-27 18:30–20:30 meek-azure TLS certificate was expired.
- 2016-03-27 21:28 Began running Karsten's task-18460-2 branch for IPv6 counting on meek-azure.
- 2016-03-31 17:20 Switched back to running the standard Debian tor on meek-azure.
- 2016-05-13 meek-reflect.appspot.com suspended; meek-google stops working.
- 2016-08-18 Changed meek-amazon price class from "All" to "Use Only US, Canada and Europe."
- 2016-10-28 Reset meek-amazon rate limit to 1 MB/s (it had apparently been at 3 MB/s since about 2016-09-28).
- 2016-10-30 Increased meek-amazon rate limit back to 3 MB/s.
- 2016-11-22 Decreased meek-amazon rate limit to 2 MB/s.
- 2017-01-09 Decreased meek-azure rate limit from 3 MB/s to 2 MB/s.
- 2017-03-03 17:32 Stopped CDN endpoint az668014.vo.msecnd.net (meek-azure).
- 2017-03-03 17:34 Stopped CDN endpoint az786092.vo.msecnd.net (meek-azure).
- 2017-03-03 17:36 Stopped CDN endpoint meek-reflect.azureedge.net (wasn't being used).
- 2017-03-07 Tor Browser 6.5.1 released, with a new working meek-azure configuration.
- 2017-03-22 Orbot 15.4.0 beta-2 multi released, with a new working meek-azure configuration.
Monthly cost summary emails.
Related to domain fronting.
- Blocking-resistant communication through domain fronting: Describes the technique and the experience of deployment.
- Seeing through Network-Protocol Obfuscation: Builds classifiers for meek, obfs3, obfs4, and FTE, and evaluates them against large traffic traces.
- Towards Measuring Unobservability in Anonymous Communication Systems (Chinese): Evaluates certain traffic features (packet size and timing) of meek and vanilla Tor, and compares them to a known non-circumvention trace using relative entropy.
- Decoy routing is a related idea.
Barriers to indistinguishability
- TLS ciphersuites
Look like a browser. #4744 has the story of when tor changed its ciphersuite list to look like Firefox's in 2012. tor's list of ciphers is in src/common/ciphers.inc.
- TLS extensions
Look like a browser.
- Packet lengths
Do something to break up fixed-length cells.
- Interpacket times
- Upstream/downstream bandwidth ratio
- Polling interval
When we have nothing to send, we start polling at 100 ms, and increase the interval by 50% every time no data is received, up to a maximum of 5 s. The growth pattern and the fixed cap is detectable.
Here's what the fixed polling of 5 s looks like in the GNOME system monitor:
- Maximum payload lengths
Payloads are limited to 65536 bytes. During bootstrapping and bulk downloads, a lot of bodies have exactly this size.
- Behavior on random drops
Suppose the censor drops every hundredth connection to https://www.google.com/. Normal web users will just refresh; meek's stream will be broken.
- Number of simultaneous requests
Browsers open many parallel connections to the same server; I think meek 0.4 opens just one.
- Extra latency
The latency between the client and the front domain is likely to be measurably different from the latency between the client and the real destination.
Working in our advantage is that we are likely to be transporting web traffic, so we inherit some of its traffic characteristics.
How to look like browser HTTPS
We decided to use a browser extension to make all the HTTPS requests required by meek, so that the requests look just like those made by a browser. There's an extension for Firefox (which works with Tor Browser, so it can work in the browser bundle without shipping a second browser) and one for Chrome. The list below is a summary of a discussion that took place on the tor-dev mailing list and on IRC.
Sample client hellos
A big list of client hellos from different applications was moved to meek/SampleClientHellos.
The word "meek" should be written in lower case, even when it is the first word in a sentence. Exception: when it is the last word in a sentence, it should be in ALL CAPS. When printed on glossy paper, the word should be followed by a ™ symbol; when handwritten, decisively underlined. Exception to everything: if it is the nth appearance of "meek" in a document, and n is the description number of a non-halting Turing machine, then write "𝕸𝕰𝕰𝕶" in honor of Alan Turing and/or Sublime.
- Make bundles featuring meek
- PHP relay for meek
- Make an HTTP requestor Firefox extension for meek-client
- Create meek repo
- Make an HTTP requestor Chrome extension for meek-client
- meek README should say what meek is.
- meek-http-helper opens up a second dock icon
- Add meek to tor launcher
- Include meek in userstats-bridge-transport
- Time out requests in meek-server
- meek browser stops working after many idle hours
- Make meek man pages
- tbb bundle with meek takes (literally) hours to connect
- Enable Firefox meek-http-helper to use an upstream proxy
- Firefox meek-http-helper leaks Host header in CONNECT requests
- Meek bundle occasionally makes direct contact to Tor node.
- Neuter meek-http-helper's default proxy setting
- Disable TLSv1.1 and TLSv1.2 in the Firefox helper
- Move meek's URL and front configuration into bridge_prefs.js
- Decide how to handle multiple meek backends in Tor Launcher
- Put meek HTTP headers on a diet
- Reenable TLSv1.1 and TLSv1.2 in meek-http-helper when rebased on Firefox 31 ESR
- Port Meek to Android
- Upgrade meek to 0.11
- meek's reflector should forward the client's IP address/port to the bridge.
- Amazon CloudFront sets X-Forwarded-For
- Meek's TLS client hello should use system time
- Set up an Azure backend
- meek profile error after browser restarts (e.g., after update or add-on installation)
- meek should use the user's country Google site
- Guide on how to use various public services for meek
- Check TLS fingerprint in Tor Browser 4.0
- Use security.ssl.disable_session_identifiers pref in meek-http-helper to restore TLS session tickets
- Upgrade meek to 0.15
- Tor Browser with meek opens two Software Update windows
- meek-client looks for /etc/resolv.conf on Android
- meek-client should support SOCKS proxies w/o Firefox
- Firefox helper broken when front= is missing
- Upgrade meek to 0.16
- Check meek TLS fingerprint on ESR 38
- Meek with google is much slower in TBB 4.0.5 than in TBB 4.0.3
- Upgrade meek to 0.17
- Meek doesn't start in Tor Browser 4.5 on Windows 7
- Upgrade meek to 0.18
- Windows: staged update fails if Meek is enabled
- add-on compatibility check occurs repeatedly
- Updating to 4.5.1 sets DisableNetwork
- Update meek quick start screenshots for TB 4.5
- Use new CDN endpoint for meek-azure
- Enable network.http.spdy.* prefs in meek-http-helper for a matching TLS fingerprint
- Figure out what happens when a user's chosen transport is removed from bridge_prefs.js in an update
- Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296
- Error console complaining it can't find meek helper
- Separate the meek bridge backing paid CDNs from the one we tell the general public to use
- meek is broken in Tor Browser 6.0a3
- Make meek-server easy to use with Let's Encrypt
- Mac OS: meek-http-helper profile not updated
- Check meek fingerprint on ESR 45
- Mac OS: wrong location for meek browser profile
- "Tor circuit for this site" labels meek bridge as being in China
- meek-http-helper doesn't shutdown cleanly in 6.5a1
- meek fails on macOS 10.12 when built with Go 1.4.3 or Go 1.6.3
- Upgrade meek to 0.24
- The communication stream of managed proxy '/usr/bin/meek-client' is 'closed'
- Unexplained drop in meek users, 2016-10-19 to 2016-11-10
- meek-azure broken
- Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge.
- meek-azure seems broken
- Move meek-amazon to the d2cly7j4zqgua7.cloudfront.net backend
- Make it possible to use an IP address as a front (no DNS request and no SNI)
- Make it possible to have multiple requests and responses in flight
- Make meek-client-torbrowser take the firefox command as a parameter
- "Firefox is already running" when you select meek after bootstrapping
- Use streaming downloads
- make a deb of meek and get into Debian
- Clarify whether Cloudflare's Universal SSL thing works with meek
- meek-client-wrapper does not use signals well
- meek-server logging client IP addresses in some situations
- Tame "reading from ORPort" error logs in meek-server
- Don't trust "bridge-ips" blindly for user number estimates
- Cannot specify custom meek bridges
- Improve semantics for pluggable transports with dummy addresses
- meek-client on ubuntu requires apparmor profile adjustment for system_tor
- meek-client-torbrowser should always use TOR_BROWSER_TOR_DATA_DIR
- Figure out how to sandbox meek in a sensible way.
- meek PT stops functioning after long uptime
- Stop the Meek Tor Browser opening links or documents on macOS
(7.7 KB) -
added by dcf 3 years ago.
Screenshot of the GNOME system monitor showing the 5 s polling interval of meek 0.1.
- meek-diagram.jpg (202.3 KB) - added by dcf 3 years ago.
Screen Shot 2014-06-05 at 8.46.34 pm.png
(61.3 KB) -
added by jrporter 3 years ago.
An example CloudFront reflector setup
(57.4 KB) -
added by dcf 3 years ago.
Redrawn diagram, no longer Google-specific.
(28.3 KB) -
added by dcf 3 years ago.
4.0-alpha-1 settings screen 4.
(49.4 KB) -
added by dcf 3 years ago.
Picture of CLoudFront configuration screen.
(27.0 KB) -
added by dcf 2 years ago.
Inkscape SVG source of meek diagram.
(10.9 KB) -
added by dcf 2 years ago.
Inkscape SVG source for domain-fronting diagram.
- azure-setup.png (32.4 KB) - added by dcf 21 months ago.
(28.7 KB) -
added by dcf 9 months ago.
6.0.3 settings screen 1.
(29.0 KB) -
added by dcf 9 months ago.
6.0.3 settings screen 2.
(29.0 KB) -
added by dcf 9 months ago.
6.0.3 settings screen 2.
(32.3 KB) -
added by dcf 9 months ago.
6.0.3 settings screen 3.
(28.3 KB) -
added by dcf 9 months ago.
6.0.3 settings screen 4.
(20.4 KB) -
added by dcf 9 months ago.
Network Settings panel showing show to enter a custom front domain.
Download all attachments as: .zip