Reading https://snowflake.torproject.org/ and [Technical Overview · Wiki · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab](Wiki · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab Overview) I’m not 100% sure that the snowflake proxy is completely confined to make the outgoing connection only to a TOR node.
There is language that snowflake is TOR-agnostic and “Destination e.g. TOR relay”. This doesn’t gives me much confidence about the restriction to connect only to TOR nodes if a malicious snowflake client uses a snowflake proxy.
I’ve been asked by relatives if a snowflake proxy can be used as an egress node to directly connect to arbitrary hosts and I can’t assure them with confidence that it couldn’t be used as an egress node. I have told them so and they abstain from running a proxy.
I think some affirmation about this topic in https://snowflake.torproject.org/ would alleviate fears about running a snowflake proxy.
It’s written that way because Snowflake theoretically doesn’t have to connect to a Tor relay. However the code used only connect to a Tor relay.
I understand that https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview is Tor agnostic but in https://snowflake.torproject.org/ (this is named “second link” further down because a new user isn’t allowed more than 2 links per post ) there should be an explanation stating the fact that the snowflake proxy mentioned there can only connect to a Tor relay and can never be subverted to function as an egress node.
I’m not sure how the connection labeled 5 in the first picture of second link gets its destination (labeled bridge). Is it static written into the proxy or selected by the broker or can it be influenced by the client?
Only the impossibility to connect to anything other than a Tor ingress node banishes the problem of undetermined and unbounded legal liability.
Until this is unambiguous and in clear language stated in second link neither I nor any of my relatives will be running a snowflake proxy. We are willing to donate bandwidth but not to risk criminal charges or ruinous penalties.
[Rant: this forum software or configuration is awful. I’m not allowed to mention snowflake dot torproject dot org as written normally because I have mentioned it in a previous post in this topic]
I can read code and if this were important for me I would peruse it.
But this is beside the point. snowflake dot torproject dot org is an overview (especially directed at technical laypersons) and should contain the assurance that the snowflake proxy connects only to a Tor ingress node and is incapable to do otherwise.
E.g. in the first picture the “bridge” should be named “tor-bridge”. In the sentences “There is no need to worry about which websites people are accessing through your Snowflake proxy. Their visible browsing IP address will match their Tor exit node, not yours.” it is unclear if this is only the normal mode of operation with a well meaning client or enforced against a malicious client.
I’m not interested in defending my standpoint, I’m stating the observed fact that there are people willing to run the snowflake proxy who don’t do it because of missing assurance about the egress from the proxy.
I don’t want to persuade anyone to do something with the presentation of snowflake they don’t want to do. I’ve heard of snowflake only yesterday. What I want is bring to attention that there are people who would be willing to donate bandwidth if (and only if) there is more convincing explanation about the topic I asked in my post. Those in charge of snowflake dot torproject dot org can do with this information what they want, it doesn’t really matter to me. Ignore it if there are more than enough people running a snowflake proxy, otherwise perhaps make small adjustments to the information presented.