Changes between Version 126 and Version 127 of doc/meek


Timestamp:
Sep 21, 2014, 4:04:35 AM (5 years ago)
Author:
dcf
Comment:

Remove some old info.

  • doc/meek

    v126 v127  
    6868}}}
    6969
    70 [https://developers.google.com/appengine/ Google App Engine] is web application hosting on Google's infrastructure. This is the one that has been deployed so far. The front domain can be any Google domain, as far as I can tell, from www.google.com to www.youtube.com to www.orkut.com.
     70[https://developers.google.com/appengine/ Google App Engine] is web application hosting on Google's infrastructure. The front domain can be any Google domain, as far as I can tell, from www.google.com to www.youtube.com to www.orkut.com.
    7171
    7272There are quotas for unpaid apps:
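Review bot: Dropping "This is the one that has been deployed so far." removes the only statement in this section of which backend is actually in production, so the App Engine entry now reads like the untried alternatives below it. Since the commit message is "Remove some old info", a single clause saying what the current deployment status is (or that the sentence was stale) would serve later readers better than a silent deletion.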
     
    9191The [https://aws.amazon.com/cloudfront/faqs/ FAQ] suggests that non-cacheable, dynamic traffic is fine.
    9292  Q. Does Amazon CloudFront support delivery of dynamic content?
    93  
    9493  Amazon CloudFront supports all files that can be served over HTTP. This includes dynamic web pages, such as HTML or PHP pages, any popular static files that are a part of your web application, such as website images, audio streams, video streams, media files or software downloads. For on-demand media files, you can also choose to stream your content using RTMP delivery. Amazon CloudFront also supports delivery of live media over HTTP.
    9594  Q. Does Amazon CloudFront cache POST responses?
    96  
    9795  Amazon CloudFront does not cache the responses to POST, PUT, DELETE, OPTIONS, and PATCH requests – these requests are proxied back to the origin server.
    9896
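Review bot: Removing the blank line between each "Q." line and its answer changes how Trac renders the quoted FAQ: consecutive two-space-indented lines are joined into a single blockquote paragraph, so each question will now run together with its answer on one line. If the goal was only to tighten the markup, keep the blank lines, or put each Q./A. pair in its own indented paragraph, and render the page once to confirm.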
     
    105103d13yacurqjgara.cloudfront.net   2.09%
    106104}}}
    107 There's a [https://www.robtex.com/en/advisory/dns/net/cloudfront/d3dsacqprgcsqh/#shared_pa_ma list of CNAMES] that point to an example cloudfront.net subdomain. It appears that GFW blacklists (through DNS poisoning) *.cloudfront.net, but some names are whitelisted including d3dsacqprgcsqh.cloudfront.net and d1y9yo7q4hy8a7.cloudfront.net (9gag). Greatfire.org has a [https://en.greatfire.org/search/all/cloudfront.net list of blocked cloudfront.net subdomains].
     105There's a [https://www.robtex.com/en/advisory/dns/net/cloudfront/d3dsacqprgcsqh/#shared_pa_ma list of CNAMES] that point to an example cloudfront.net subdomain. It appears that GFW blacklists (through DNS poisoning) *.cloudfront.net, but some names are whitelisted including d3dsacqprgcsqh.cloudfront.net and d1y9yo7q4hy8a7.cloudfront.net (9gag). GreatFire.org has a [https://en.greatfire.org/search/all/cloudfront.net list of blocked cloudfront.net subdomains].
    108106
    109107The names [https://www.robtex.com/dns/a0.awsstatic.com.html a0.awsstatic.com], [https://www.robtex.com/dns/a1.awsstatic.com.html a1.awsstatic.com], and [https://www.robtex.com/dns/d0.awsstatic.com.html d0.awsstatic.com] look promising. I found them in the source of https://aws.amazon.com/documentation/.
    110 {{{
    111 wget https://a0.awsstatic.com/favicon.ico --header 'Host: d36cz9buwru1tt.cloudfront.net' # AWS's favicon
    112 wget https://a0.awsstatic.com/favicon.ico --header 'Host: d3dsacqprgcsqh.cloudfront.net' # 9gag's favicon
    113 }}}
    114108
    115109Here are instructions on setting up CloudFront. Read http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html. Skip step 2, which is about uploading your files to S3 (all our data comes straight from the Tor relay). Change settings as follows:
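Review bot: With the two wget lines gone, the retained sentence "The names a0.awsstatic.com, a1.awsstatic.com, and d0.awsstatic.com look promising" has nothing backing it up; a reader can no longer tell whether the Host-header test through a0.awsstatic.com was ever run or what it showed (the removed commands' comments suggested it returned each distribution's favicon). Either state the outcome in one sentence or drop the "look promising" sentence together with the commands. The Greatfire.org to GreatFire.org spelling fix on the line above is fine.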
     
    128122ClientTransportPlugin meek exec ./meek-client --url=http://d111111abcdef8.cloudfront.net/ --log meek-client.log
    129123}}}
    130 You can front with a different *.cloudfront.net domain. For example, in the source code of http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html, we see d36cz9buwru1tt.cloudfront.net, so give that as the --front option.
     124You can front with a different *.cloudfront.net domain.
    131125{{{
    132126ClientTransportPlugin meek exec ./meek-client --url=http://d111111abcdef8.cloudfront.net/ --front=d36cz9buwru1tt.cloudfront.net --log meek-client.log
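Review bot: The shortened line "You can front with a different *.cloudfront.net domain." now sits directly above a config that passes --front=d36cz9buwru1tt.cloudfront.net, with no explanation of where that name came from (the removed text said it appears in the page source of the CloudFront GettingStarted guide). As it stands the reader cannot tell whether d36cz9buwru1tt is a documentation placeholder like d111111abcdef8 or a real distribution. Keep a short clause such as "for example d36cz9buwru1tt.cloudfront.net, which appears in the source of the AWS documentation pages", or mark the value as an example.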
     
    150144Additionally I found http://umacau-datacenter.com:4998/enothers-msn/20131110/az29590.vo.msecnd.net/img/rewardsSprite.png.
    151145
    152  * https://www.robtex.com/dns/az29590.vo.msecnd.net.html#graph
    153  * https://www.robtex.com/dns/az29590.vo.msecnd.net.html#shared_pc
    154 
    155 http://www.hanselman.com/blog/PennyPinchingVideoMovingMyWebsitesImagesToTheAzureCDNAndUsingACustomDomain.aspx
    156 
    157146Microsoft is accepting research proposals. If the proposal is accepted, you get access to Azure including the CDN for a year.
    158147 * http://www.microsoftazurepass.com/research
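Review bot: The two robtex.com links were the only record of the DNS relationships around az29590.vo.msecnd.net, and the hanselman.com post (judging by its title) was the only reference describing how a custom domain is attached to the Azure CDN; with both gone, "Additionally I found http://umacau-datacenter.com:4998/..." is left as a bare URL whose relevance (a third-party host serving an msecnd.net sprite) is no longer explained. If the links are stale, say so in a word; otherwise keep at least one of the robtex entries so the msecnd.net finding remains checkable.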
     
    175164
    176165There are different [https://www.cloudflare.com/plans pricing plans]. The cheapest one that supports SSL is Pro, for $20 per month. Business is $200 and Enterprise averages $5,000. There's no per-gigabyte bandwidth charge.
     166
    177167
    178168=== Akamai ===
     
    211201
    212202[http://www.hpcloud.com/products-services/cdn HP Cloud] uses Akamai. But they have the same problem as Rackspace: it's only static files from HP Cloud Object Storage.
     203
    213204
    214205=== Fastly ===
     
    232223[http://www.fastly.com/pricing/ Pricing] is a minimum $50 per month, and $0.12–0.19 per GB for the first 10 TB per month. There's an additional charge per 10,000 requests.
    233224
     225
    234226=== Others ===
    235227
     
    283275Warface.com's certificate is returned, but we see a Footprint originating error of "Invalid Protocol." Tried this with a few domains under Level 3, to no avail.
    284276
     277
    285278=== DreamHost ===
    286279
     
    395388
    396389Instead of sending TLS with a front SNI, think about sending TLS with no SNI at all. (It might look like a really old browser or a non-browser daemon or something.) Then the censor doesn't have an SNI to match on, and has the choice of blocking an entire IP address (which may virtually host many domains) instead of a single SNI. This idea could be useful in deployment with a CDN, which though it may have thousands of domains, is blockable if we choose just one of those domains as a front. See #12208.
    397 
    398 The App Engine [https://developers.google.com/appengine/docs/go/channel/ Channel API] provides a way to have long-lived push connections to the client, subject to a restricted interface. (HTTP handlers are otherwise [https://developers.google.com/appengine/docs/go/requests#Go_The_request_timer required to finish within 60 seconds].) The client could use HTTP request bodies to send data, and a channel to receive, and remove the need for polling. It would require us to reimplement the [https://developers.google.com/appengine/docs/go/channel/javascript client JavaScript channel API] in order to make use of the particular [https://en.wikipedia.org/wiki/Comet_%28programming%29 Comet]-based protocol.
    399 
    400 Paid apps can create outbound sockets. I don't think it helps us because then the web app would be responsible for managing the session id mapping.
    401  * https://developers.google.com/appengine/docs/go/sockets/
    402390
    403391[[GoAgent]] is similar in that it also uses App Engine as a middleman.
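Review bot: The removed Channel API paragraph was the only text in this section that addresses App Engine's 60-second request timer and the polling it forces on the client; the kept paragraph right above it (the no-SNI idea, #12208) is likewise an unimplemented idea, so it is not clear why one counts as old information and the other does not. If the Channel API option was rejected (for instance because the client-side JavaScript channel protocol would have to be reimplemented, as the paragraph itself notes), a one-line "rejected because ..." is more useful than deletion. The same applies to the paid-app outbound sockets note and its docs link, whose stated drawback (the web app would have to manage the session id mapping) is the kind of design decision worth keeping on record.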
     
    445433Working in our advantage is that we are likely to be transporting web traffic, so we inherit some of its traffic characteristics.
    446434
     435
    447436=== How to look like browser HTTPS ===
    448437
    449438We decided to use a browser extension to make all the HTTPS requests required by meek, so that the requests look just like those made by a browser. There's an extension [ticket:11183 for Firefox] (which works with Tor Browser, so it can work in the browser bundle without shipping a second browser) and one [ticket:11393 for Chrome]. The list below is a summary of a discussion that took place [https://lists.torproject.org/pipermail/tor-dev/2014-February/006266.html on the tor-dev mailing list] and on IRC.
    450439
    451  1. Use your own HTTPS/TLS library, and take care to make sure your ciphersuites and extensions match those of a browser. There are [https://www.mozilla.org/projects/security/pki/python-nss/ Python bindings for NSS] that might make it easier. Chromium is [https://code.google.com/p/chromium/issues/detail?id=62803 moving to OpenSSL] in the future.
    452  2. Use a separate (headless) browser as an instrument for making HTTPS requests. This is what [https://raw.github.com/wiki/gsathya/htpt/Overall_architecture2.png htpt plans to do].\\
    453     [http://phantomjs.org/ PhantomJS] is a headless WebKit that is scriptable with JavaScript. Its compressed size is 7–13 MB. [https://github.com/ariya/phantomjs/blob/master/examples/postserver.js This postserver.js example] shows it running its own web server, which we could use as a means of communication:\\
    454       meek-client on localhost ←HTTP→ PhantomJS on localhost ←HTTPS→ www.google.com.\\
    455     [https://github.com/bard/mozrepl/wiki MozRepl] ([https://addons.mozilla.org/en-US/firefox/addon/mozrepl/ addons.mozilla.org]) gives you a JavaScript REPL that allows you to control the browser. It looks like the in-browser JavaScript console, except accessible from outside. [https://github.com/zackw/firefox-puppeteer Firefox Puppeteer] is a fork of MozRepl that is designed for machine-driven browser interaction.
    456     Another option is to write an extension for some other browser and communicate with it using some custom IPC.
    457  3. Use an [https://developer.mozilla.org/en/Extensions extension] in Tor Browser itself. The plugin bypasses Tor Browser's normal proxy settings in order to issue HTTPS requests directly to the front domain.
    458      * [tor-dev] Feasibility of using a Tor Browser plugin as a PT component?\\
    459        https://lists.torproject.org/pipermail/tor-dev/2014-February/006266.html
    460     GeKo says that [https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsISocketTransportService nsISocketTransportService] is what we want to look at.
    461      * [https://stackoverflow.com/questions/10173811/how-to-connect-to-a-remote-server-using-nsisockettransportservice-in-a-firefox-e How to connect to a remote server using nsISocketTransportService in a firefox extension?]
    462      * [https://code.google.com/p/weaponry/source/browse/trunk/xulrunner/weaponry/distribution/bundles/common@weaponry.gnucitizen.org/components/WeaponryRawHttpRequest.js WeaponryRawHttpRequest.js] is doing what we want.
    463      * David: nsISocketTransportService with `socketTransportService.createTransport(["ssl"], 1, "www.google.com", 443, null)` doesn't set the next_protocol_negotiation extension. I'm trying nsIHttpProtocolHandler instead.
    464     [https://developer.mozilla.org/en-US/docs/Mozilla/XPCOM XPCOM] is the Firefox API that includes the nsi* functions.\\
    465     #11183 is the progress of a browser extension.
    466440
    467441=== Sample client hellos ===
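Review bot: Deleting list items 1 to 3 leaves the retained paragraph above them saying "The list below is a summary of a discussion that took place on the tor-dev mailing list and on IRC", but nothing follows it except the "=== Sample client hellos ===" heading. Either reword the sentence (e.g. "The decision came out of a discussion on the tor-dev mailing list and on IRC") or keep a condensed version of the three options (own TLS library, headless browser, extension in Tor Browser) so the rationale for choosing the extension survives. Item 3 also held the only recorded reason for moving from nsISocketTransportService to nsIHttpProtocolHandler, namely that createTransport(["ssl"], ...) does not set the next_protocol_negotiation extension; that one line is worth preserving next to the #11183 pointer.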