Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-09-16.00.html
And our meeting pad:
Anti-censorship
--------------------------------
Next meeting: Thursday, October 16 16:00 UTC
Facilitator:onyinyang
^^^(See Facilitator Queue at tail)
Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC
(channel is logged while meetings are in progress)
This week's Facilitator: meskio
== Goal of this meeting ==
Weekly check-in about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at the Tor
Project and Tor community.
== Links to Useful documents ==
* Our anti-censorship roadmap:
*
Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards
* The anti-censorship team's wiki page:
*
https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home
* Past meeting notes can be found at:
* https://lists.torproject.org/pipermail/tor-project/
* Tickets that need reviews: from projects, we are working on:
* All needs review tickets:
*
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?scope=all&utf8=%E2%9C%93&state=opened&assignee_id=None
* Project 158 <-- meskio working on it
*
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_name%5B%5D=Project%20158
== Announcements ==
== Discussion ==
* Reported blocking of www.cdn77.com by SNI, blocking of STUN servers
in Russia, 2025-09-21
*
https://github.com/net4people/bbs/issues/422#issuecomment-3316062302
* "I've noticed that stun protocol was blocked from mid-summer
till today (it worked in June last time when I've used public stun to punch
through NAT). Seems that only stun to public stun servers like
stun.l.google.com, stun.bethesda.net were affected. Stun between webtunnel
client and other webtunnel peer is not affected as can be seen in attached
captures below. The only stun server that was accessible all that time was
stun.rtc.yandex.net (of all the gists and lists of public stun servers I could
find)."
* "Had to change front though ... where <...> is another
website using cdn77 I know. www.cdn77.com is blocked by SNI (session freezes
after client hello), and www.phpmyadmin.net, though it doesn't cause hetzner to
be blocked anymore, might cause stricter filtering or other side-effects."
* We've been testing netlify in the alpha channel of Tor
Browser, maybe it is time to use it in stable.
* cdn77 domain fronts are already known to be blocked in China
*
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168
* meskio has a list of cdn77 domain names.
*
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168#note_3268325
* Could prioritize adding multiple builting snowflake bridge
options
*
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43842
* onyinyang will make a forum post with workarounds
* CDN77 blocking (new oct 09)
* suspected blocking of phpmyadmin.net in Belarus:
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40067
* Tor Browser 14.5.8 shipped on October 7 and 15.0 is expected
to ship at the end of October
* Snowflake builtin bridge line now uses netlify:
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requests/1308
* Moat and Connect Assist should use netlify settings
in stable now:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/1539
* Netlify has limits on total data transfer and number of
requests
* we plan to keep using netlify for moat
* next week we'll have tests results on what domain names work
for CDN77 and switch snowflake to use one of them
* the post on the forum is life
*
https://forum.torproject.org/t/snowflake-and-conjure-inaccessible-due-to-cnd77-blockage-try-this-workaround/20650
* maintain go 1.22 in PT clients
*
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41580#note_3270779
* shelikhoo has been backporting security patches
* we need to bring 1.22 back to the snowflake CI for the client
* let's use 1.22 in lyrebird's CI
* Decide whether to simplify webtunnel setting for sni imitation use
case
*
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/merge_requests/135#note_3271738
== Actions ==
* Remove webtunnel setuid script in 2 weeks.(decrease this by one every
week)
== Interesting links ==
* Mention of snowflake SNIs in the galaxy/platform/galaxy-qgw-service
repo of MESA Git. The filenames include "E21" which is Ethiopia.
*
https://geedge-git.haruue.com/mesalab_git/galaxy/platform/galaxy-qgw-service.git/tree/benchmark/entity_dataset?h=dev
E21-SNI-Top120W-20221020.txt
snowflake-broker.freehaven.net 903971 110
snowflake-broker.torproject.net 8667377 55
snowflake-broker.bamsoftware.com 1611029 49
snowflake.torproject.net 105990565 16
snowflake.freehaven.net 24545 6
E21-SNI-Top200w.txt
snowflake-broker.bamsoftware.com 14468
snowflake-broker.torproject.net 50
snowflake.bamsoftware.com 8
*
https://geedge-git.haruue.com/mesalab_git/galaxy/platform/galaxy-qgw-service.git/tree/README.md?h=dev
* "Galaxy SQL, the unified query gateway, is built with
Spring Boot 2.0 technology. It provides interactive SQL analysis and routine
scheduling windows, supports streaming and batch jobs, and makes it easier to
write and submit ETL programs and efficiently execute big data computations,
aiming to make big data processing easier."
* Mention of torproject.net domain names in
tango/maat/test/tsgrule/TSG_OBJ_FQDN.E21. TSG is Tiangou Secure Gateway, E21 is
Ethiopia, Maat is a rules matching engine.
*
https://geedge-git.haruue.com/mesalab_git/tango/maat.git/tree/test/tsgrule?h=v5.0.4
592177551 151465 .snowflake-broker.torproject.net 0
1 0 1 1683275236000000 0 key=592177551
592561443 151465 .snowflake.torproject.net 0 1 0
1 1683275236000000 0 key=592561443
592691531 151465 .forum.torproject.net 0 1 0
1 1683275236000000 0 key=592691531
594169529 151469 snowflake-broker.torproject.net 0
3 0 1 1683276253000000 0 key=594169529
594553421 151469 snowflake.torproject.net 0 3 0
1 1683276253000000 0 key=594553421
594683509 151469 forum.torproject.net 0 3 0 1
1683276253000000 0 key=594683509
* You can decode the microsecond timestamps like so:
$ date -u --iso=sec --date=@1683275236
2023-05-05T08:27:16+00:00
*
https://filter.watch/english/2025/10/02/irans-stealth-blackout-a-multi-stakeholder-analysis-of-the-june-2025-internet-shutdown/
*
https://filter.watch/wp-content/uploads/sites/2/2025/10/Click-here-to-read-the-full-report.pdf
* Discussion of Tor starting on PDF page 23
== Reading group ==
* We will discuss "The Internet Coup" on October 23rd
*
https://interseclab.org/wp-content/uploads/2025/09/The-Internet-Coup_September2025.pdf
* Particularly relevant sections: "Blocking online privacy and
circumvention tools" section of InterSecLab report on Geedge Networks, mentions
Tor, Snowflake, WebTunnel
* Notes:
https://github.com/net4people/bbs/issues/519#issuecomment-3282101626
* Questions to ask and goals to have:
* What aspects of the paper are questionable?
* Are there immediate actions we can take based on this
work?
* Are there long-term actions we can take based on this
work?
* Is there future work that we want to call out in
hopes that others will pick it up?
== Updates ==
Name:
This week:
- What you worked on this week.
Next week:
- What you are planning to work on next week.
Help with:
- Something you need help with.
cecylia (cohosh): 2025-10-09
Last week:
- updated snowflake builtin bridge line in Tor Browser
(tor-browser-build#41574)
- followed up with applications team about Moat and Connect Assist
settings in the stable release
- commented on increase of tickets in Belarus
(censorship-analysis#40067)
- researched snowflake enumeration attacks (snowflake#40396)
- released and deployed version 0.9.7
Next week:
- research snowflake enumeration attacks (snowflake#40396)
- watch and follow up on Moat and Connect Assist metrics with new
netlify front
- follow up on snowflake rendezvous failures (snowflake#40447)
- take a look at potential snowflake orbot bug
- https://github.com/guardianproject/orbot-android/issues/1183
dcf: 2025-10-09
Last week:
Next week:
- open issue to have snowflake-client log whenever KCPInErrors
is nonzero
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40262#note_2886018
- parent:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40267
Help with:
meskio: 2024-10-09
Last week:
- SOTO preparation
- grant planning
- finding CDN77 domain fronts (team#168)
- remove backend deadlock (rdsys!597)
- investigate Telegram distributor silence (rdsys#286)
Next week:
- P146 report
Shelikhoo: 2024-10-09
Last Week:
- [Testing] Unreliable+unordered WebRTC data channel transport for
Snowflake rev2 (cont.)(
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/315
) testing environment setup/research
- Published Snowflake UDP mode test post:
https://forum.torproject.org/t/invitation-to-test-snowflake-unreliable-transport-mode/20625
- vantage point maintaince
- deploy new vantage point version with fixed performance
- [MR]Always use hostname in url for http host header in webtunnel
transport.
(https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/merge_requests/135#note_3271738)
Next (working) Week/TODO:
- Merge request reviews
- [Deployment]Unreliable+unordered WebRTC data channel transport for
Snowflake rev2 (cont.)(
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/315
) Building custom Tor Browser with patch applied
- SOTO script
- collect vantage point test result for fronting domains
onyinyang: 2025-10-02
Last week(s):
- Deployed updated telegram distributor distributing a
proportion of webtunnel bridges to telegram users with new accounts
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/283
- Managed some hiccups in the updated deployment
- Wrote profiling patch for rdsys: kraken and email
- Looked into conjure issue from China: fronts we are using
appear to be blocked
Next week:
- Troubleshoot conjure not connecting in China
- Finish up debugging rdsys#129 and rdsys#249 hopefully
- Continue looking into bridgestrap#47
- Lox still seems to be filling up the disk on the rdsys-test
server despite changes made to delete old entries, look into what's going wrong
Switch back to some of these:
As time allows:
Blog post for conjure:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/46
- review Tor browser Lox integration
https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/1300
- add TTL cache to lox MR for duplicate responses:
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305
- Work on outstanding milestone issues:
- key rotation automation
Later:
pending decision on abandoning lox wasm in favour of some kind
of FFI?
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096):
- add pref to handle timing for pubkey checks in Tor
browser
- add trusted invitation logic to tor browser
integration:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974
- improve metrics collection/think about how to show Lox is
working/valuable
- sketch out Lox blog post/usage notes for forum
(long term things were discussed at the meeting!):
- brainstorming grouping strategies for Lox buckets (of
bridges) and gathering context on how types of bridges are distributed/use in
practice
Question: What makes a bridge usable for a given user,
and how can we encode that to best ensure we're getting the most appropriate
resources to people?
1. Are there some obvious grouping strategies
that we can already consider?
e.g., by PT, by bandwidth (lower
bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be
matched with a requesting user's geoip or something?)
2. Does it make sense to group 3
bridges/bucket, so trusted users have access to 3 bridges (and untrusted users
have access to 1)? More? Less?
theodorsm: 2025-06-12
Last weeks:
- Applying for funding from NLnet to implement DTLS 1.3
in Pion. Got through the first round.
- Writing paper for FOCI: continuation of master thesis
about reducing distinguishability of DTLS in Snowflake by implementing
covert-dtls, further analysis of collected browser fingerprint and stability
test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25
- Key takeaways:
* covert-dtls is stable when mimicking DTLS 1.2
handshakes, while the randomization approach— though more resistant to
fingerprinting — tends to be less stable.
* Chrome webextensions are more unstable than
standalone proxies
* covert-dtls should be integrated in Snowflake
proxies as they produce the ClientHello messages during the DTLS handshake.
* Chrome randomizes the order of extension list.
* Firefox uses DTLS 1.3 by default in WebRTC.
* A prompt adoption of DTLS 1.3 in both
Snowflake and our fingerprint-resistant library is needed to keep up with
browsers
* The evolution of browsers’ fingerprints had
no noticeable effect on Snowflake’s number of daily users over the last year.
* Even with a sharp drop in the amount of
proxies, it does not seem to affect the number of Snowflake users.
* Browser extensions make Snowflake resistant
to ClientHello fingerprinting.
* Standalone proxies can serve more Snowflake
clients per volunteer than webextensions.
* We need metrics on which types of proxies are
actually being matched and successfully used by clients.
Next weeks:
- Getting paper camera ready.
- Fix merge conflicts in MR
(https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/448).
Help with:
- Should we do user testing of covert-dtls?
Facilitator Queue:
onyinyang shelikhoo meskio
1. First available staff in the Facilitator Queue will be the facilitator for
the meeting
2. After facilitating the meeting, the facilitator will be moved to the tail of
the queue
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
signature.asc
Description: signature
_______________________________________________ tor-project mailing list -- [email protected] To unsubscribe send an email to [email protected]
