While this was a good idea back when I did it:
* People don't like the fact that it requires a fork of utls to fix
compatibility issues, and would rather spend 3 years complaining
about it instead of spending a weekend to fix the issues in
upstream.
* Tor over meek is trivially identifiable regardless of utls or not.
* Malware asshats ruined domain fronting for everybody.
Replace agl's Elligator2 implementation with a different one, that fixes
the various distinguishers stemming from bugs in the original
implementation and "The Elligator paper is extremely hard to read".
All releases prior to this commit are trivially distinguishable with
simple math, so upgrading is strongly recommended. The upgrade is fully
backward-compatible with existing implementations, however the
non-upgraded side will emit traffic that is trivially distinguishable
from random.
Special thanks to Loup Vaillant for his body of work on this primitive,
and for motivating me to fix it.
* Bump the module import to a new tag
* Bump the rest of the dependencies while I'm here
* Add some new fingerprints from upstream
* Disable my fork's AES timing sidechannel defenses
Changes:
* Use a fork of utls with some compatibility improvements.
* Switch the default ClientHello profile to `HelloFirefox_Auto`.
* Add the `HelloChrome_71` profile.
The existing `HelloFirefox_Auto` profile that points to
`HelloFirefox_63` also matches the (common) behavior of Firefox 65,
assuming that 3DES ciphersuites are not disabled.
There's still some interesting oddities depending on remote server and
what fingerprint is chosen, but I can watch videos online with the
chosen settings and the TBB Azure bridge.
Note: Despite what people are claiming in the Tor Browser bug tracker
it isn't all that hard to use the built in http client with utls. And
yes, the `transport.go` code does negotiate correctly in a standalone
test case (apart from compatibility related oddities).
The biggest win is that we now declare what versions of each dependency
we require to build. This way, building a certain version of obfs4 will
always use the same source code, independent of the master branch of
each dependency.
This is necessary for reproducible builds. On top of that, go.sum
contains checksums of all the transitive dependencies and their modules,
so the build system will also recognise when the source code has been
changed.
Updated the build instructions accordingly. We don't drop support for
earlier Go versions, but those won't get the benefit of reproducible
builds unless we start vendoring the dependencies too.