Changes between Version 126 and Version 127 of doc/meek

Sep 21, 2014, 4:04:35 AM (5 years ago)

Remove some old info.


  • doc/meek

    v126 v127  
    70 [ Google App Engine] is web application hosting on Google's infrastructure. This is the one that has been deployed so far. The front domain can be any Google domain, as far as I can tell, from to to
     70[ Google App Engine] is web application hosting on Google's infrastructure. The front domain can be any Google domain, as far as I can tell, from to to
    7272There are quotas for unpaid apps:
    9191The [ FAQ] suggests that non-cacheable, dynamic traffic is fine.
    9292  Q. Does Amazon CloudFront support delivery of dynamic content?
    9493  Amazon CloudFront supports all files that can be served over HTTP. This includes dynamic web pages, such as HTML or PHP pages, any popular static files that are a part of your web application, such as website images, audio streams, video streams, media files or software downloads. For on-demand media files, you can also choose to stream your content using RTMP delivery. Amazon CloudFront also supports delivery of live media over HTTP.
    9594  Q. Does Amazon CloudFront cache POST responses?
    9795  Amazon CloudFront does not cache the responses to POST, PUT, DELETE, OPTIONS, and PATCH requests – these requests are proxied back to the origin server.
    107 There's a [ list of CNAMES] that point to an example subdomain. It appears that GFW blacklists (through DNS poisoning) *, but some names are whitelisted including and (9gag). has a [ list of blocked subdomains].
     105There's a [ list of CNAMES] that point to an example subdomain. It appears that GFW blacklists (through DNS poisoning) *, but some names are whitelisted including and (9gag). has a [ list of blocked subdomains].
    109107The names [], [], and [] look promising. I found them in the source of
    110 {{{
    111 wget --header 'Host:' # AWS's favicon
    112 wget --header 'Host:' # 9gag's favicon
    113 }}}
    115109Here are instructions on setting up CloudFront. Read Skip step 2, which is about uploading your files to S3 (all our data comes straight from the Tor relay). Change settings as follows:
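Review bot: removing the two `wget --header 'Host: ...'` commands (v126 lines 110-113) drops the only record of how the names at line 107 were checked, while line 107 still says they "look promising" without saying what was verified. Suggest keeping one of the commands, or replacing the block with a sentence stating that fetching each favicon through the CDN with the CNAME in the Host header returned the expected content.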
    128122ClientTransportPlugin meek exec ./meek-client --url= --log meek-client.log
    130 You can front with a different * domain. For example, in the source code of, we see, so give that as the --front option.
     124You can front with a different * domain.
    132126ClientTransportPlugin meek exec ./meek-client --url= --log meek-client.log
    150144Additionally I found
    152  *
    153  *
    157146Microsoft is accepting research proposals. If the proposal is accepted, you get access to Azure including the CDN for a year.
    158147 *
    176165There are different [ pricing plans]. The cheapest one that supports SSL is Pro, for $20 per month. Business is $200 and Enterprise averages $5,000. There's no per-gigabyte bandwidth charge.
    178168=== Akamai ===
    212202[ HP Cloud] uses Akamai. But they have the same problem as Rackspace: it's only static files from HP Cloud Object Storage.
    214205=== Fastly ===
    232223[ Pricing] is a minimum $50 per month, and $0.12–0.19 per GB for the first 10 TB per month. There's an additional charge per 10,000 requests.
    234226=== Others ===
's certificate is returned, but we see a Footprint originating error of "Invalid Protocol." Tried this with a few domains under Level 3, to no avail.
    285278=== DreamHost ===
    396389Instead of sending TLS with a front SNI, think about sending TLS with no SNI at all. (It might look like a really old browser or a non-browser daemon or something.) Then the censor doesn't have an SNI to match on, and has the choice of blocking an entire IP address (which may virtually host many domains) instead of a single SNI. This idea could be useful in deployment with a CDN, which though it may have thousands of domains, is blockable if we choose just one of those domains as a front. See #12208.
    398 The App Engine [ Channel API] provides a way to have long-lived push connections to the client, subject to a restricted interface. (HTTP handlers are otherwise [ required to finish within 60 seconds].) The client could use HTTP request bodies to send data, and a channel to receive, and remove the need for polling. It would require us to reimplement the [ client JavaScript channel API] in order to make use of the particular [ Comet]-based protocol.
    400 Paid apps can create outbound sockets. I don't think it helps us because then the web app would be responsible for managing the session id mapping.
    401  *
    403391[[GoAgent]] is similar in that it also uses App Engine as a middleman.
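Review bot: deleting the Channel API paragraph (v126 line 398) also deletes the note that App Engine HTTP handlers are required to finish within 60 seconds, which constrains any polling or long-poll design for the App Engine backend, not only the push-channel idea. Suggest keeping that limit and its link as a standalone sentence in the App Engine section even if the Channel API and outbound-socket ideas are dropped as stale.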
    445433Working in our advantage is that we are likely to be transporting web traffic, so we inherit some of its traffic characteristics.
    447436=== How to look like browser HTTPS ===
    449438We decided to use a browser extension to make all the HTTPS requests required by meek, so that the requests look just like those made by a browser. There's an extension [ticket:11183 for Firefox] (which works with Tor Browser, so it can work in the browser bundle without shipping a second browser) and one [ticket:11393 for Chrome]. The list below is a summary of a discussion that took place [ on the tor-dev mailing list] and on IRC.
    451  1. Use your own HTTPS/TLS library, and take care to make sure your ciphersuites and extensions match those of a browser. There are [ Python bindings for NSS] that might make it easier. Chromium is [ moving to OpenSSL] in the future.
    452  2. Use a separate (headless) browser as an instrument for making HTTPS requests. This is what [ htpt plans to do].\\
    453     [ PhantomJS] is a headless WebKit that is scriptable with JavaScript. Its compressed size is 7–13 MB. [ This postserver.js example] shows it running its own web server, which we could use as a means of communication:\\
    454       meek-client on localhost ←HTTP→ PhantomJS on localhost ←HTTPS→\\
    455     [ MozRepl] ([]) gives you a JavaScript REPL that allows you to control the browser. It looks like the in-browser JavaScript console, except accessible from outside. [ Firefox Puppeteer] is a fork of MozRepl that is designed for machine-driven browser interaction.
    456     Another option is to write an extension for some other browser and communicate with it using some custom IPC.
    457  3. Use an [ extension] in Tor Browser itself. The plugin bypasses Tor Browser's normal proxy settings in order to issue HTTPS requests directly to the front domain.
    458      * [tor-dev] Feasibility of using a Tor Browser plugin as a PT component?\\
    460     GeKo says that [ nsISocketTransportService] is what we want to look at.
    461      * [ How to connect to a remote server using nsISocketTransportService in a firefox extension?]
    462      * [ WeaponryRawHttpRequest.js] is doing what we want.
    463      * David: nsISocketTransportService with `socketTransportService.createTransport(["ssl"], 1, "", 443, null)` doesn't set the next_protocol_negotiation extension. I'm trying nsIHttpProtocolHandler instead.
    464     [ XPCOM] is the Firefox API that includes the nsi* functions.\\
    465     #11183 is the progress of a browser extension.
    467441=== Sample client hellos ===
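Review bot: with items 1-3 (v126 lines 451-465) removed, the sentence at line 438 "The list below is a summary of a discussion that took place on the tor-dev mailing list and on IRC" now refers to a list that no longer exists. Suggest rewording it to point at the mailing-list thread for the alternatives that were considered, and folding the one design detail from the removed item 3 into line 438, namely that the extension bypasses Tor Browser's normal proxy settings in order to issue HTTPS requests directly to the front domain, since that is the security-relevant point of the chosen approach and it no longer appears anywhere in v127.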