FortiGuard firewall blocks meek by TLS signature


David Fifield

Jul 24, 2016, 3:10:15 AM
to traff...@googlegroups.com, Kanwaljeet Singh Channey
Here is a case similar to when Cyberoam blocked meek by TLS signature
(https://groups.google.com/d/topic/traffic-obf/BpFSCVgi5rs). This time
it's a FortiGuard firewall. Kanwaljeet Singh Channey ran some tests to
help me figure out what was going on.

The story is basically the same as last time: the firewall looks for TLS
that has the signature of a specific version of Firefox and is also
destined to one of the default front domains. Connections timed out
without a block page. They aren't doing anything fancy like packet
timing; vanilla Firefox gets blocked as well. The differences in this
case:
* Matching the signature of Firefox 45 (Cyberoam was using that of
Firefox 38). Firefox 45 is the basis of current Tor Browser 6.0. We
didn't test Firefox 38 this time.
* Allowing www.google.com while blocking a0.awsstatic.com and
ajax.aspnetcdn.com. I.e., the two blocked domains were blocked in
Firefox, but not in Chrome, while www.google.com was not blocked in
either. This means that meek-google would have worked if not for its
recent deactivation (and self-setup meek over Google will still
work). One might take from this that www.google.com has good
collateral damage but the other two domains are not as strong.

We tested two workarounds that were sufficient to get around the
firewall.

The first was to change the front domain (as in
https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtochangethefrontdomain).
These alternative bridge lines worked:
Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com

The second workaround was to disable the Firefox TLS camouflage and use
naked Golang TLS. To do that, edit the file
Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- ./TorBrowser/Tor/PluggableTransports/meek-client
to
ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client
I.e., remove the meek-client-torbrowser wrapper program.

We don't know the exact model number of the firewall. A block page says
"FortiGuard Web Filtering". I cursorily searched the Fortinet
documentation pages, but didn't find anything specific related to this
blocking capability.
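The matching rule described in the message above, as an added example that is not part of the original post, of meek or of Tor Browser: a small Python model of a middlebox that parses the ClientHello, builds a JA3-style fingerprint from it (version, cipher suites, extension types, curves, point formats; the SNI contents are excluded on purpose) and drops the connection only when that fingerprint equals a stored signature and the SNI is one of the default fronts. The cipher and extension lists are constructed for illustration and are not the real Firefox 45, Chrome or Go ClientHellos; the blocked-front set and the cloudfront front name are taken from the message.

```python
"""Toy middlebox: fingerprint a TLS ClientHello and block by signature + SNI.
Added example; not code from the thread or from meek/Tor Browser."""
import struct

# Constructed cipher/extension lists: stand-ins for three client stacks, NOT
# the real Firefox 45, Chrome or Go ClientHellos.
FIREFOX_LIKE = dict(ciphers=[0xc02b, 0xc02f, 0xc00a, 0xc009, 0xc013, 0xc014,
                             0x0033, 0x0039, 0x002f, 0x0035, 0x000a],
                    ext_types=[0, 23, 65281, 10, 11, 35, 16, 5, 13])
CHROME_LIKE = dict(ciphers=[0xc02b, 0xc02f, 0xc00a, 0xc014, 0xc009, 0xc013,
                            0x009c, 0x002f, 0x0035, 0x000a],
                   ext_types=[65281, 0, 23, 35, 13, 5, 18, 16, 30032, 11, 10])
GO_LIKE = dict(ciphers=[0xc02f, 0xc02b, 0xc011, 0xc007, 0xc013, 0xc009,
                        0xc014, 0xc00a, 0x009c, 0x002f, 0x0035, 0x000a],
               ext_types=[0, 5, 10, 11, 13, 65281])
# Fronts the message reports as blocked for Firefox; www.google.com passed.
BLOCKED_FRONTS = {"a0.awsstatic.com", "ajax.aspnetcdn.com"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(ciphers, ext_types, sni, curves=(0x0017, 0x0018)):
    """Assemble a TLS record carrying a ClientHello. Only server_name,
    supported_groups and ec_point_formats get real bodies; the others are
    empty, which is enough for a fingerprint built from extension *types*."""
    exts = b""
    for t in ext_types:
        if t == 0:                                    # server_name
            name = sni.encode()
            entry = b"\x00" + struct.pack("!H", len(name)) + name
            exts += _ext(0, struct.pack("!H", len(entry)) + entry)
        elif t == 10:                                 # supported_groups
            body = b"".join(struct.pack("!H", c) for c in curves)
            exts += _ext(10, struct.pack("!H", len(body)) + body)
        elif t == 11:                                 # ec_point_formats
            exts += _ext(11, b"\x01\x00")             # uncompressed only
        else:
            exts += _ext(t, b"")
    body = (b"\x03\x03" + bytes(32)                   # client_version, random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Pull out the fields a fingerprinting middlebox looks at."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                 # past record and handshake headers
    version, = struct.unpack("!H", rec[p:p + 2]); p += 2
    p += 32                               # random
    p += 1 + rec[p]                       # session id
    n, = struct.unpack("!H", rec[p:p + 2]); p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + rec[p]                       # compression methods
    ext_len, = struct.unpack("!H", rec[p:p + 2]); p += 2
    end = p + ext_len
    h = {"version": version, "ciphers": ciphers, "extensions": [],
         "curves": [], "formats": [], "sni": None}
    while p < end:
        t, ln = struct.unpack("!HH", rec[p:p + 4]); p += 4
        body = rec[p:p + ln]; p += ln
        h["extensions"].append(t)
        if t == 0:                        # list len | type | name len | name
            name_len, = struct.unpack("!H", body[3:5])
            h["sni"] = body[5:5 + name_len].decode()
        elif t == 10:
            h["curves"] = [struct.unpack("!H", body[i:i + 2])[0]
                           for i in range(2, len(body), 2)]
        elif t == 11:
            h["formats"] = list(body[1:])
    return h


def fingerprint(h):
    """JA3-style string; the SNI *contents* are deliberately not part of it."""
    def j(xs):
        return "-".join(str(x) for x in xs)
    return ",".join([str(h["version"]), j(h["ciphers"]), j(h["extensions"]),
                     j(h["curves"]), j(h["formats"])])


def verdict(rec, target_fp, blocked_fronts=BLOCKED_FRONTS):
    """The observed policy: drop only when signature AND destination match."""
    h = parse_client_hello(rec)
    if fingerprint(h) == target_fp and h["sni"] in blocked_fronts:
        return "drop"
    return "pass"


def demo():
    # Signature learned from one Firefox-like hello; the SNI does not change it.
    sig = fingerprint(parse_client_hello(
        build_client_hello(sni="example.com", **FIREFOX_LIKE)))
    stacks = {"firefox": FIREFOX_LIKE, "chrome": CHROME_LIKE, "go": GO_LIKE}
    cases = [("firefox", "a0.awsstatic.com"), ("firefox", "www.google.com"),
             ("firefox", "d2ko15wevu3ps3.cloudfront.net"),
             ("chrome", "a0.awsstatic.com"), ("go", "ajax.aspnetcdn.com")]
    return {f"{s}->{sni}": verdict(build_client_hello(sni=sni, **stacks[s]), sig)
            for s, sni in cases}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:45} {v}")
```

Both workarounds in the message fall out of the rule: changing the front domain moves the SNI off the blocked set, and dropping the meek-client-torbrowser wrapper changes the fingerprint, so neither half of the conjunction matches any more.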

Percy Alpha

Jul 24, 2016, 3:27:19 AM
to traff...@googlegroups.com, Kanwaljeet Singh Channey
What about hard-coding IP addresses of those fronted domains?
In case of GAE, it has tens of thousands of IP addresses that can be used to connect. I don't know about the other two fronted domains. 


David Fifield

Jul 24, 2016, 4:08:39 AM
to traff...@googlegroups.com
On Sun, Jul 24, 2016 at 12:26:59AM -0700, Percy Alpha wrote:
> What about hard-coding IP addresses of those fronted domains?
> In case of GAE, it has tens of thousands of IP addresses that can be used to
> connect. I don't know about the other two fronted domains. 

What worries me about that is I'm afraid it will require a lot of
maintenance. I don't think I have enough attention to keep a list of IPs
up to date. Maybe if someone else wants to maintain it.

Adam Fisk

Jul 24, 2016, 9:59:31 AM
to traff...@googlegroups.com

Automate it?


Adam Fisk

Jul 24, 2016, 10:05:24 AM
to traff...@googlegroups.com

Actually David we'd be happy to shoot over our code for doing that on CloudFront if you're interested. We don't do it for Google.

Lucas Dixon

Jul 26, 2016, 12:16:48 AM
to Adam Fisk, traff...@googlegroups.com

Google has some support for automatically knowing its IPs: https://support.google.com/a/answer/60764?hl=en 
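The page Lucas links to describes obtaining Google's address ranges from its SPF TXT records (_spf.google.com and the _netblocks records it includes), which is one way to automate the IP list Percy and Adam discuss. As an added example, not code from the thread or from any of its participants: a Python walker for that include tree, run against a constructed stand-in for the DNS answers so that it works offline (the records below are made up and only shaped like real SPF; a live run would substitute actual TXT lookups). It visits each name once, so an include loop or a name included twice cannot recurse forever. SPF advertises mail-sending ranges, so whether they cover the hosts a fronted connection reaches is something to check separately.

```python
"""Walk an SPF include tree to collect IP ranges. Added example, offline:
the TXT answers are a constructed stand-in, not real Google records."""
import ipaddress

FAKE_TXT = {  # constructed; real answers come from DNS TXT lookups
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ~all",
                               "some unrelated TXT record"],
}


def spf_networks(name, resolver=FAKE_TXT, seen=None):
    """Return ip_network objects from `name`'s SPF record and every include:.
    `resolver` is a dict-like mapping a DNS name to its TXT strings."""
    seen = set() if seen is None else seen
    if name in seen:              # include loop or duplicate: visit once
        return []
    seen.add(name)
    nets = []
    for record in resolver.get(name, []):
        if not record.startswith("v=spf1"):
            continue              # ignore non-SPF TXT records on the same name
        for term in record.split()[1:]:
            if term.startswith("include:"):
                nets.extend(spf_networks(term[len("include:"):], resolver, seen))
            elif term.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def in_ranges(addr, nets):
    """True if `addr` falls inside any collected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    ranges = spf_networks("_spf.google.com")
    for n in ranges:
        print(n)
    print(in_ranges("64.233.160.5", ranges), in_ranges("8.8.8.8", ranges))
```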
