David Fifield <david@bamsoftware.com>
“Blocking-resistant communication through domain fronting” (PETS 2015)
David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson.
First operational in January 2014.
Started in earnest in October 2014.
Period            App Engine      Amazon      Azure      Total by period
all 2014             $600.63     $917.89      $0.00     $1518.52
January 2015         $464.37     $669.02      $0.00     $1133.39
February 2015        $650.53     $604.83      $0.00     $1255.36
March 2015           $690.29     $815.68      $0.00     $1505.97
April 2015           $886.43     $785.37      $0.00     $1671.80
May 2015             $871.64     $896.39      $0.00     $1768.03
June 2015            $601.83     $820.00      $0.00     $1421.83
July 2015            $732.01     $837.08      $0.00     $1569.09
August 2015          $656.76     $819.59    $154.89     $1631.24
September 2015       $617.08     $710.75    $490.58     $1818.41
October 2015         $672.01     $110.72    $300.64     $1083.37
November 2015        $602.35     $474.13    $174.18     $1250.66
December 2015        $561.29     $603.27    $172.60     $1337.16
January 2016         $771.17    $1581.88    $329.10     $2682.15
February 2016        $986.39     $977.85    $445.83     $2410.07
March 2016          $1079.49     $865.06    $534.71     $2479.26
April 2016          $1169.23    $1074.25    $508.93     $2752.41
May 2016             $525.46    $1097.46    $513.56     $2136.48
June 2016              $0.00    $1117.67    $575.50     $1693.17
--
total by CDN       $13138.96   $15778.89   $4200.52    $33118.37 grand total
Cyberoam firewall blocks meek by TLS signature
FortiGuard firewall blocks meek by TLS signature
The poster and I investigated and we think we know what they're doing. Recall that meek uses a web browser (Firefox 38) to camouflage its HTTPS requests. The Cyberoam devices are blocking TLS connections that have Firefox 38's TLS signature and SNI equal to one of our three front domains: www.google.com, a0.awsstatic.com, or ajax.aspnetcdn.com. Basically, they blocked meek, which looks like Firefox 38, by blocking Firefox 38, then reduced the damage by limiting the blocking to a small number of domains.

This style of detection has the obvious collateral damage of blocking Firefox 38 users. Indeed, we tried using Firefox 38 downloaded from https://download-installer.cdn.mozilla.net/pub/firefox/releases/38.8.0esr/ to browse https://www.google.com/, and it was blocked. However, changing the domain name, even using google.com instead of www.google.com, was unblocked. Similarly, changing the front domain in Tor Browser to google.com unblocked meek. Finally, the 6.0a5 alpha release of Tor Browser, which is based on Firefox 45 and has a different TLS signature, worked without any changes.

In summary:

TB 5.5.5 meek to www.google.com     BLOCKED
Firefox 38 to www.google.com        BLOCKED
TB 5.5.5 meek to google.com         not blocked
TB 6.0a5 meek to www.google.com     not blocked
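
The two-condition rule inferred above (TLS signature AND front-domain SNI), as an added example that is not code from the talk, from meek, or from any firewall vendor. It parses a ClientHello, extracts the SNI, and computes a simplified signature; the signature scheme, the `STACK_OLD`/`STACK_NEW` cipher and extension lists, and all function names are assumptions made for illustration, since the actual signature the devices use is not known from the page.

```python
import hashlib
import struct

def build_client_hello(ciphers, ext_types, sni):
    """Build a minimal TLS ClientHello record (constructed sample input)."""
    name, exts = sni.encode(), b""
    for t in ext_types:
        # Only server_name (type 0) gets a body; other extensions stay empty.
        data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name if t == 0 else b""
        exts += struct.pack("!HH", t, len(data)) + data
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (fingerprint, sni) for one ClientHello record."""
    p = 5 + 4                                  # record header + handshake header
    version = rec[p:p + 2]
    p += 2 + 32                                # version + random
    p += 1 + rec[p]                            # session id
    n = struct.unpack_from("!H", rec, p)[0]
    suites = rec[p + 2:p + 2 + n]
    p += 2 + n
    p += 1 + rec[p]                            # compression methods
    end = p + 2 + struct.unpack_from("!H", rec, p)[0]
    p += 2
    order, sni = [], None
    while p < end:
        t, ln = struct.unpack_from("!HH", rec, p)
        p += 4
        order.append(t)
        if t == 0:                             # list len(2), type(1), name len(2), name
            nlen = struct.unpack_from("!H", rec, p + 3)[0]
            sni = rec[p + 5:p + 5 + nlen].decode()
        p += ln
    # Simplified signature (assumption): hash of version, suites, extension order.
    fp = hashlib.sha256(version + suites + repr(order).encode()).hexdigest()[:16]
    return fp, sni

FRONTS = {"www.google.com", "a0.awsstatic.com", "ajax.aspnetcdn.com"}  # from the page
# Constructed stand-ins for two browser TLS stacks; not real Firefox values.
STACK_OLD = ([0xC02B, 0xC02F, 0xC00A, 0x002F], [0, 10, 11, 13])
STACK_NEW = ([0xC02B, 0xC02F, 0xCCA9, 0x002F], [0, 23, 10, 11, 13])
BLOCKED_FP = parse_client_hello(build_client_hello(*STACK_OLD, "example.invalid"))[0]

def is_blocked(rec):
    """The rule the page infers: block only when signature AND SNI both match."""
    fp, sni = parse_client_hello(rec)
    return fp == BLOCKED_FP and sni in FRONTS
```

Because the signature covers only the handshake parameters and not the SNI value, either changing the TLS stack or changing the front domain alone is enough to fall outside the rule, which matches the four observations in the summary.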