[tor-project] Anti-censorship team meeting notes, 2022-10-20

Hey everyone!

Here are our meeting logs:

http://meetbot.debian.net/tor-meeting/2022/tor-meeting.2022-10-20-15.58.html

And our meeting pad:

Anti-censorship work meeting pad


--------------------------------

Next meeting: Thursday Oct 27 16:00 UTC

Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC
(channel is logged while meetings are in progress)

== Goal of this meeting ==

Weekly check-in about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community.

== Links to Useful documents ==

  * Our anti-censorship roadmap:
    * Roadmap: Development · Boards · Anti-censorship · GitLab
  * The anti-censorship team's wiki page:
    * Home · Wiki · The Tor Project / Anti-censorship / Team · GitLab
  * Past meeting notes can be found at:
    * The tor-project Archives
  * Tickets that need reviews: from sponsors we are working on:
    * All needs review tickets:
      * Merge requests · Anti-censorship · GitLab
    * Sponsor 28
      * must-do tickets: Sponsor 28: Reliable Anonymous Communication Evading Censors and Repressors (RACECAR) · The Tor Project · GitLab
      * possible tickets: Issues · The Tor Project · GitLab
    * Sponsor 96
      * Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet · The Tor Project · GitLab

== Announcements ==

  *

== Discussion ==

  * Blocking by TLS fingerprint in Iran
    * There is plenty of evidence now that there is blocking based on TLS fingerprint in Iran
    * It likely affects snowflake-client's connections to the broker and may be responsible for the sudden loss of traffic on 2022-10-04
      * Sudden reduction in snowflake-01 bridge bandwidth, 2022-10-04 17:15 (#40207) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
    * Likely to affect mainly Orbot, and not Tor Browser for desktop or Tor Browser for Android
    * One variant of the native Go crypto/tls fingerprint is known to be blocked: the one that prioritizes non-AES ciphersuites and has a minimum TLS version of TLS 1.0
      * Other versions of the fingerprint (AES ciphersuites prioritized, minimum version of TLS 1.2) are not currently blocked
        * Tor censorship in Iran (#96) · Issues · The Tor Project / Anti-censorship / Team · GitLab
      * Tor Browser for desktop: currently not blocked (uses AES priority ciphersuites)
      * Tor Browser for Android: currently not blocked (uses minimum TLS version of 1.2, because compiled by go1.18)
      * Orbot: available released versions are blocked
        * Orbot preparing a new release with utls enabled Release Orbot for Android 16.6.3 BETA-2 tor.0.4.7.10 · guardianproject/orbot · GitHub
        * Would be nice if Orbot could use the Circumvention Settings API. That would likely take a little work because internally Orbot currently does not support custom bridge lines other than obfs4: Unexplained drop in Snowflake client polls and bandwidth, testers wanted · Issue #131 · net4people/bbs · GitHub
  * should snowflake use uTLS by default?
    * Enable uTLS and use the full bridge line for snowflake (!540) · Merge requests · The Tor Project / Applications / tor-browser-build · GitLab
    * there are some concerns about active censors being able to test unimplemented TLS extensions claimed by uTLS, but this hasn't been seen in the wild yet
      * an example is certificate compression RFC 8879 - TLS Certificate Compression
        * yawning's utls fork dealt with that long ago; it's also now part of the main upstream utls in v1.1.2+: Implement certificate compression by hwh33 · Pull Request #95 · refraction-networking/utls · GitHub
    * yes, we'll move to use uTLS
  * snowflake load after revert broker change src shell
    * Snowflake Broker Deployment 22-10-03 (#40193) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
    * the revert is not noticeable in the graphs (broker polling and bridge bandwidth graphs)
    * we can go back to multi-bridge support
    * shell will revert the revert
  * snowflake broker secondary bridge info src shell
    * shell will enable snowflake-02 at the broker on Monday 2022-10-24
  * Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4 src shell
    * Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4 (#40036) · Issues · The Tor Project / Anti-censorship / censorship-analysis · GitLab
    * Iran's regime seems to have fully blocked WireGuard · Issue #140 · net4people/bbs · GitHub
    * shell is investigating it
  * obfs4proxy meek utls patches
    * Cherry-pick meek uTLS support (!1) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / obfs4 · GitLab
    * meskio will merge this mr today and move forward to include it in the next TB version
    * keeping with HelloFirefox_auto so as not to change too much at once
    * meskio has been checking pcaps and testing compatibility with the meek and moat domain fronts
  * Testing new PTs
    * is conjure ready to be tested? not yet
    * will be included in TB alpha in early November, and testers will be welcome
    * any kind of testers will be nice, might not be ready to really resist censorship
  * Sometimes in RACE it takes snowflake longer than 45 seconds to transfer a message. We want to make it less than 30. Does it depend on the availability/quality of snowflake proxies or is this something we have full control of programmatically?

--- for next week ---
  * builtin bridges and their usage
    * future of builtin bridges (#102) · Issues · The Tor Project / Anti-censorship / Team · GitLab

== Actions ==

== Interesting links ==

== Reading group ==

  * We will discuss "" on
    *
    * Questions to ask and goals to have:
      * What aspects of the paper are questionable?
      * Are there immediate actions we can take based on this work?
      * Are there long-term actions we can take based on this work?
      * Is there future work that we want to call out in hopes that others will pick it up?

== Updates ==

Name:
    This week:
        - What you worked on this week.
    Next week:
        - What you are planning to work on next week.
    Help with:
       - Something you need help with.

cecylia (cohosh): last updated 2022-10-20
  Last week:
    - more work on translations of webextension and snowflake.tpo
      - Seperate extension strings from website strings to be translated (#63) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake WebExtension · GitLab
    - completed integration of conjure into tor browser
      - Commits · conjure · Cecylia Bocovich / tor-browser-build · GitLab
    - worked on standalone proxy issues
      - Reduction in traffic relayed by standalone proxy (#40211) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
      - Close stale connections in standalone proxy (#40220) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
    - set up a new meek server and handed it off to the new operator
      - Add new meek default bridge (!543) · Merge requests · The Tor Project / Applications / tor-browser-build · GitLab
  This week:
    - wrap up snowflake translation work
    - followups to proxy fixes
    - continue Conjure work
    - wrap up manifest v3 candidate
  Needs help with:

dcf: 2022-10-20
  Last week:
    - thought more about loss of traffic at the snowflake broker and bridge and came to the new working hypothesis that it *is* due to a block in Iran, that apparent effects in other countries are geoip errors, and that the mechanism of blocking is TLS fingerprinting using at least two identified features: ciphersuite order and minimum supported TLS version Sudden reduction in snowflake-01 bridge bandwidth, 2022-10-04 17:15 (#40207) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab Shutdowns, intensified blocking in Iran since 2022-09-21 · Issue #125 · net4people/bbs · GitHub
    - gave instructions for enabling uTLS in snowflake clients and solicited experience reports Unexplained drop in Snowflake client polls and bandwidth, testers wanted · Issue #131 · net4people/bbs · GitHub
    - helped with enabling utls by default for future snowflake releases Tor censorship in Iran (#96) · Issues · The Tor Project / Anti-censorship / Team · GitLab Use uTLS for snowflake in Iran (!6) · Merge requests · The Tor Project / Anti-censorship / rdsys-admin · GitLab Use randomized uTLS in IR (!8) · Merge requests · The Tor Project / Anti-censorship / rdsys-admin · GitLab Enable uTLS and use the full bridge line for snowflake (!540) · Merge requests · The Tor Project / Applications / tor-browser-build · GitLab
    - gave advice on meek bridge setup for meek-azure bridge (cymrubridge02) is offline since October 4 (#100) · Issues · The Tor Project / Anti-censorship / Team · GitLab
    - explained a snowflake build failure on old CentOS go build -> goptlib.git/go.mod at revision v1.1.0: unknown revision v1.1.0 (#40213) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
    - diagnosed an error caused by running an outdated snowflake proxy standalone proxy: no connections since 2022/10/03 (#40214) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
    - helped troubleshoot reported snowflake proxy inactivity Reduction in traffic relayed by standalone proxy (#40211) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
  Next week:
    - disable non-WireGuard SSH access to snowflake-02
    - migrate goptlib to gitlab migrate away from git.torproject.org (#86) · Issues · The Tor Project / Anti-censorship / Team · GitLab
    - try Conjure PT development version [tor-dev] Introducing a Conjure PT for Tor
    - break up snowflake-server performance improvements into separate merge requests Draft: Server performance improvements (!100) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
  Help with:

meskio: 2022-10-20
   Last week:
       - get uTLS back on obfs4proxy meek (obfs4#40008)
       - discuss the relation between IPtProxy and snowflake client API (snowflake#40218)
       - enable uTLS by default in snowflake (Enable uTLS and use the full bridge line for snowflake (!540) · Merge requests · The Tor Project / Applications / tor-browser-build · GitLab)
       - make a callout for bridge operators to upgrade their version of obfs4proxy (obfs4#40008)
       - use randomized uTLS in snowflake in IR (rdsys-admin!8)
       - experiment with obfs4 bridges in china and hong kong (team#99)
       - review snowflake webextension patches on ephemeral ports (snowflake-webext!107)
       - do the process in debian to become a Debian Maintainer, so I can upload packages without a mentor
   Next week:
       - deprecate dymcru builtin bridges (team#98)
       - fix bridgedb https translations (bridgedb#40058)

Shelikhoo: 2022-10-13
   Last Week:
    - [Merge Request Awaiting] Add SOCKS5 forward proxy support to snowflake (snowflake!64)
    - [Discussion & Deployment] Rollout of Distributed Snowflake Support
    - [Coding & Deployment] Proposal: Centralized Probe Result Collector (anti-censorship/team#54)
    - [Research] HTTPT Planning Add HTTPT as a pluggable transport to Tor Browser (#1) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / HTTPT · GitLab
    - [Research] Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4: Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4 (#40036) · Issues · The Tor Project / Anti-censorship / censorship-analysis · GitLab
   Next Week:
    - [Research] WebTunnel Planning (Continue)
    - Generate Charts for presentation: Prepare for s28 PI and ECP presentations: Oct 31 and Nov 1-2 2022 (#92) · Issues · The Tor Project / Anti-censorship / Team · GitLab (Continue)
    - [Research] Fix vantage point summary upload in China
    - Release New version of Snowflake WebExt
    - Rollout distributed snowflake (include definition of secondary bridge on broker)
     - [Research] Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4: Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4 (#40036) · Issues · The Tor Project / Anti-censorship / censorship-analysis · GitLab (Continue)

Itchy Onion: 2022-10-20
    Last week:
      - bump snowflake plugin to version 2.3.2
      - trying to trace where the message dropping happens in the snowflake library used by RACE. (I've been back and forth on this one, but now I believe message dropping and unclosed TCP sockets are not the same issue. The CI tests that are failing don't send that many messages for a system resource issue to kick in. I've traced the message in the plugin code, and see they are all sent to the snowflake library code without dropping. So maybe an issue with the version of snowflake lib that's used in RACE)
    This week:
        - Made some breakthrough. RACE Snowflake started to fail in 2.2.0 because the test load is increased by 5-fold and there is a 30 seconds timeout. So it takes snowflake too long to finish. So far I've observed high variance of flight time from snowflake proxy to server and in the worst case it takes ~45 seconds to send.

--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
We're going to Croatan.

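The Discussion item on blocking by TLS fingerprint names two ClientHello features, ciphersuite priority and minimum TLS version; the following added example (not part of the meeting notes or of any Tor Project code) lets a Go client check which variant its own `tls.Config` emits. The names `observe` and `classify` are hypothetical, and the config used in `main` is constructed.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
)

// observe runs a client handshake for cfg over an in-memory pipe and returns the
// cipher suites and TLS versions that crypto/tls's server side parsed from it.
func observe(cfg *tls.Config) (suites, versions []uint16, err error) {
	c, s := net.Pipe()
	defer s.Close()
	go func() {
		tls.Client(c, cfg).Handshake() // aborted by the server below
		c.Close()                      // if nothing was sent, unblocks the server
	}()
	var hello *tls.ClientHelloInfo
	tls.Server(s, &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		hello = h
		return nil, errors.New("ClientHello captured") // stop the handshake here
	}}).Handshake()
	if hello == nil {
		return nil, nil, errors.New("client sent no ClientHello")
	}
	return hello.CipherSuites, hello.SupportedVersions, nil
}

// classify extracts the two features from the notes, skipping GREASE (0x?A?A) values.
func classify(suites, versions []uint16) (chachaFirst bool, minVer uint16) {
	for _, s := range suites {
		if s&0x0f0f != 0x0a0a {
			chachaFirst = s == 0xcca8 || s == 0xcca9 || s == 0x1303 // ChaCha20-Poly1305 IDs
			break
		}
	}
	for _, v := range versions {
		if v&0x0f0f != 0x0a0a && (minVer == 0 || v < minVer) {
			minVer = v
		}
	}
	return
}

func main() {
	suites, versions, err := observe(&tls.Config{ServerName: "example.com"}) // constructed config
	chacha, low := classify(suites, versions)
	fmt.Printf("chachaFirst=%v lowest=%#04x err=%v\n", chacha, low, err)
}
```

crypto/tls chooses its cipher suite order at run time from the CPU's AES-GCM support, so the `chachaFirst` result is only meaningful on the target device.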