Here is a case similar to when Cyberoam blocked meek by TLS signature
(https://groups.google.com/d/topic/traffic-obf/BpFSCVgi5rs). This time
it's a FortiGuard firewall. Kanwaljeet Singh Channey ran some tests to
help me figure out what was going on.

The story is basically the same as last time: the firewall looks for TLS
that has the signature of a specific version of Firefox and is also
destined to one of the default front domains. Connections timed out
without a block page. They aren't doing anything fancy like packet
timing; vanilla Firefox gets blocked as well. The differences in this
case:
* Matching the signature of Firefox 45 (Cyberoam was using that of
Firefox 38). Firefox 45 is the basis of current Tor Browser 6.0. We
didn't test Firefox 38 this time.
* Allowing www.google.com while blocking a0.awsstatic.com and
ajax.aspnetcdn.com. I.e., the two blocked domains were blocked in
Firefox, but not in Chrome, while www.google.com was not blocked for
both. This means that meek-google would have worked if not for its
recent deactivation (and self-setup meek over Google will still
work). One might take from this that www.google.com has good
collateral damage but the other two domains are not as strong.
We tested two workarounds that were sufficient to get around the
firewall.

The first was to change the front domain (as in
https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain).
These alternative bridge lines worked:

Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com

The second workaround was to disable the Firefox TLS camouflage and use
naked Golang TLS. To do that, edit the file
Browser/TorBrowser/Data/Tor/torrc-defaults and change the line

ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- ./TorBrowser/Tor/PluggableTransports/meek-client

to

ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client

I.e., remove the meek-client-torbrowser wrapper program.
We don't know the exact model number of the firewall. A block page says
"FortiGuard Web Filtering". I cursorily searched the Fortinet
documentation pages, but didn't find anything specific related to this
blocking capability.
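
Added example, not part of the original message and not FortiGuard's or meek's code: a model of the two-condition rule described above (ClientHello signature AND front domain), showing why each workaround falls outside it. It assumes the firewall reads the destination from the TLS SNI field; the cipher and extension lists and the fingerprint format are constructed placeholders, not the real Firefox 45 or Go values.

```python
import hashlib
import struct

def build_client_hello(sni, ciphers, ext_types):
    """Build a minimal one-record ClientHello (constructed test input)."""
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_body)) + sni_body
    for t in ext_types:                      # empty bodies: only the type order matters here
        exts += struct.pack("!HH", t, 0)
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (sni, fingerprint); fingerprint covers cipher and extension order only."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                   # session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    ciphers = struct.unpack_from("!%dH" % (cs_len // 2), record, pos + 2)
    pos += 2 + cs_len
    pos += 1 + record[pos]                   # compression methods
    (ext_len,) = struct.unpack_from("!H", record, pos)
    pos, end = pos + 2, pos + 2 + ext_len
    sni, ext_types = None, []
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", record, pos)
        ext_types.append(ext_type)
        if ext_type == 0:                    # server_name: skip list len, type, name len
            sni = record[pos + 9:pos + 4 + length].decode()
        pos += 4 + length
    sig = "%s|%s" % (",".join(map(str, ciphers)), ",".join(map(str, ext_types)))
    return sni, hashlib.sha256(sig.encode()).hexdigest()[:16]

def would_block(record, blocked_fp, blocked_fronts):
    """Hypothetical rule: block only when BOTH signature and front domain match."""
    sni, fp = parse_client_hello(record)
    return fp == blocked_fp and sni in blocked_fronts

# Constructed stand-ins for two TLS stacks (cipher suites, extension types after SNI).
BROWSER = ([0xC02B, 0xC02F, 0xC00A, 0xC009], [23, 65281, 10, 11])
GOLANG = ([0xC02F, 0xC02B, 0xC030], [5, 10, 11])
BLOCKED_FRONTS = {"a0.awsstatic.com", "ajax.aspnetcdn.com"}   # from the message
BLOCKED_FP = parse_client_hello(build_client_hello("example.invalid", *BROWSER))[1]
```

Changing only the front domain or only the TLS stack makes `would_block` return False, which matches the two workarounds reported in the message.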