Page 1: Meek and domain fronting public

Meek and Domain Fronting: Mutually assured destruction for Internet censorship

Page 2: Meek and domain fronting public

Overview

• Internet Censorship Overview and Tools
• SNI and Domain Fronting
• Meek
• Meek and Psiphon
• Meek and Tor
• Meek and Others

Page 3: Meek and domain fronting public
Page 4: Meek and domain fronting public

How Do I Block

• DNS
• IP blacklist
• URL blacklist
• Routing
• DPI
• Keyword (China) RST
• Protocol Fingerprinting (China, JP/BroIDS)

• Tor TLS ciphersuites

Page 5: Meek and domain fronting public
Page 6: Meek and domain fronting public

Censorship Arms Race

Censor

• Block URL
• Block Proxy sites
• Block Proxy protocol
• Fingerprint OSSH protocol
• Block the Internet

Evasion

• VPN/Proxy
• Hidden Proxy
• Obfuscate Proxy (OSSH)
• ScrambleSuit

Page 7: Meek and domain fronting public

Meek Protocol

• Protection against Balls Deep Packet Inspection (BDPI)™
• Uses SNI and CDN
• “Domain Fronting”
• To block it, you must block the CDN
• Your move, motherfucker!

Page 8: Meek and domain fronting public

Server Name Extension (SNI)

• Virtual hosting for SSL
• One web server hosts multiple certificates
• Used by CDNs all the time

https://www.google.com

https://www.antitree.com

GET / HTTP/1.1

Page 9: Meek and domain fronting public

Domain Fronting

TLS connection with client

TLS connection with www.google.com

Ciphers and Extensions decided upon

Handshake Established

Client Sends “server_name” extension value of meek-server.antitree.com

Receive request, send to server.antitree.com

Server reads this value and looks up if it has a record for meek-server.antitree.com

Response from server returned

POST / <PROXIED TRAFFIC>

Page 10: Meek and domain fronting public

Meek

• Uses Domain Fronting to hide the request to the final endpoint
• Adversaries see that a connection is made to https://www.google.com
• Subsequent connections are encrypted
• For all intents and purposes, appears as a request to google.com, or cloudflare.net, or another CDN
• Blocking of CDNs would result in blocking of most of the top 100 sites

Page 11: Meek and domain fronting public

Meek Psiphon

• Psiphon is a censorship circumvention tool (one hop proxy)
• Supports Meek
• Meek service hosted on Psiphon servers
• Clients receive information about the servers' configuration
• Use Google and Cloudflare to proxy connections
• So far unblockable

Page 12: Meek and domain fronting public

Meek Tor

• Tor uses this as a transport for the Tor protocol
• Run on unlisted Bridge Nodes
• Instead of just an HTTP request (Psiphon, Lantern, Fog) the entire protocol is sent over it
• Uses a web reflector to forward requests from the fronted domain to a Tor bridge

Page 13: Meek and domain fronting public

Meek Tor

[Diagram labels: Tor Browser, Meek-client, Meek Client, https://www.google.com, https://meek-server.appspot.com, Meek.bamsoftware.com:7002, Meek-server, Tor Bridge Node]

Page 14: Meek and domain fronting public

Meek Tor Normal Tor

Page 15: Meek and domain fronting public

Meek Tor

• Problem with HTTP keeping the tunnel alive
• Use a polling method so the server sends a request
• Server checks whether or not the client has data it wants to deliver
• Done using POST requests over the tunnel
• If there is no new data to send, an empty packet is sent to keep the tunnel open

Page 16: Meek and domain fronting public

Attacks/Defense from DPI

• Polling period
  • This period is relatively random but over time can be profiled
  • Intervals increase geometrically

• Payload Length
  • Normally this is dynamic but has a max size that can be profiled over time

• TLS extensions
  • If you don’t use the browser plugin, it’s easy to fingerprint based on TLS extensions

• Drop behavior
  • When a packet is RST for a web user, they just refresh. For Meek this kills the whole tunnel.
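
The polling-period and payload-length items above can both be evaluated from flow metadata alone, without decrypting anything. The sketch below is an added example, not code from the talk or from the meek project; the flow records, thresholds and function names are assumptions constructed for illustration.

```python
from statistics import median

# Constructed flow records: (seconds since connection start, upstream bytes in
# the request burst). Values are illustrative, not taken from a real capture.
IDLE_TUNNEL = [(0.00, 310), (0.10, 310), (0.26, 310), (0.48, 310),
               (0.82, 310), (1.32, 310), (2.09, 310)]
BULK_TUNNEL = [(0.0, 65536), (0.2, 65536), (0.4, 65536), (0.6, 1200),
               (0.8, 65536), (1.0, 300)]
BROWSING = [(0.0, 512), (0.4, 730), (0.45, 48000), (3.1, 610),
            (3.2, 505), (9.0, 2100), (9.3, 640)]


def gap_ratios(flow):
    """Ratio of each inter-request gap to the one before it."""
    times = [t for t, _ in flow]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return [g2 / g1 for g1, g2 in zip(gaps, gaps[1:]) if g1 > 0]


def geometric_polling(flow, min_ratios=4, tolerance=0.25):
    """True when gaps keep growing by a roughly constant factor > 1."""
    ratios = gap_ratios(flow)
    if len(ratios) < min_ratios:        # too few requests to judge
        return False
    mid = median(ratios)
    if mid <= 1.1:                      # gaps are not growing
        return False
    # Jitter is tolerated as long as every ratio stays near the median.
    return all(abs(r - mid) <= tolerance * mid for r in ratios)


def payload_cap(flow, min_hits=3):
    """Largest upstream size if the flow hits it repeatedly, else None."""
    sizes = [n for _, n in flow]
    top = max(sizes)
    return top if sizes.count(top) >= min_hits else None


def profile(flow):
    return {"geometric_polling": geometric_polling(flow),
            "payload_cap": payload_cap(flow)}


if __name__ == "__main__":
    for name, flow in [("idle tunnel", IDLE_TUNNEL),
                       ("bulk tunnel", BULK_TUNNEL), ("browsing", BROWSING)]:
        print(f"{name:12s} {profile(flow)}")
```

Transport developers can run the same profile over their own captures to see whether a change to timing or padding makes the tunnel's flows look more like the browsing sample.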

Page 17: Meek and domain fronting public

Success

• Very successful right now
• Only recently became popular
• Other tools like ScrambleSuit, obfs4, and BananaPhone on deck for when this gets exploited

Page 18: Meek and domain fronting public

Review

• Domain Fronting = SNI
• Meek: Uses domain fronting to tunnel connections and evade censorship
• ALL of the anti-censorship tools at this point are using it
• You should host a Meek bridge