- anti-censorship-team - lists.torproject.org

Merging bridgedb and gettor?
by Roger Dingledine 14 May '20

14 May '20

Hi folks! I've been pondering our two tools, gettor and bridgedb, and realizing that conceptually they overlap in a bunch of ways. Does that mean, while Cecylia is exploring getting gettor back on its feet, we should make them overlap more in a technical sense too? Some initial thoughts: + Having fewer tools to maintain is an obvious win, in terms of fewer moving pieces, fewer things to explain to people, less mental energy. + Broadly speaking, they are both tools that want to support a variety of low bandwidth "access methods" for reaching them, and they use these access methods to tell users about "resources". - They have different threat models in terms of how they want to protect the resources they give out, which makes them have different preferences about which access methods will work best. + But they both have a notion of "these resources aren't suitable for giving to people in this location", that is, they both want to learn something about *where* the user will be trying to apply the resource, and they both want to pull in some external "constraints" data set. + And being able to reuse (share) access methods could still be a win. For example, if Gettor learns how to answer people over Telegram, then it becomes much easier for BridgeDB to experiment with answering people over Telegram. + The monitoring tools ("is it working, am I getting answers, are the resources it gives me appropriate") overlap a lot between the two. - They have different text they want to use when interacting with users, and maybe different ways of handling errors. So those differences won't go away. = There are external tasks that gettor wants to do, such as pushing Tor Browser to the various websites that make up the resources we return. But just as BridgeDB is growing external modules like Wolpertinger, it's reasonable that GetTor could have external modules that publish/mirror our packages to various sites. ? Is there a third thing that Tor wants to do, of the form "use this access method to give people this resource"? Generalizing from three would be even better than generalizing from two. Please use this initial brainstorming as a starting point and take this thread wherever it should best go. For example, maybe they should be two different front-ends and as much functionality as possible would be merged into a library that they both use. Or maybe gettor is essentially a smaller "lift" so it should become a module of what bridgedb does. Several options here. --Roger

2 1

Tor Project removed a ticket about censorship
by wtfareyouthinking＠secmail.pro 14 May '20

14 May '20

What the F are you thinking, Tor Project? Why did you delete ticket #24351 and some documents instead of locking it? And why I can't make a comment or create a ticket on trac.torproject.org about this? You're developing Tor and telling people to resist censorship yet you've helped spammer to achieve their objective - deface anti-Cloudflare related documents/tickets. I really don't understand why you did this. I suggest you restore ticket #24351 and lock it.

1 0

Weekly team meetings now at 16:00 UTC
by Philipp Winter 11 May '20

11 May '20

Hi all, >From now on, anti-censorship team meetings will start at 16:00 UTC instead of 18:00 UTC. See you all on Thursday, 16:00 UTC in #tor-meeting! I updated our meeting pad, our team wiki page, and our Google calendar. Cheers, Philipp

1 0

Moving weekly meeting time to 16:00 UTC?
by Philipp Winter 08 May '20

08 May '20

To make it easier for folks in Asia to attend our meeting, I'm proposing moving it to 16:00 UTC, which is two hours earlier than our current meeting time. Is there anyone for whom this doesn't work? If so, would 17:00 UTC work instead? Thanks, Philipp

2 1

Kazakhstan and Obfs4
by soncyq47 08 May '20

08 May '20

Here are my thoughts on Kazakhstan blocking Obfs4 >>kzblocked provided some more information on IRC. >>But you can bypass it by putting HTTP-like bytes inside the random padding of the obfs4 client handshake. The padding is ordinarily filled with random bytes. Filling the padding with zeroes does not bypass as reliably. I'm pretty confident I know how it works. DPI research papers merely deal with theoretical attacks, but Brandon Wiley bought copies of physical DPI hardware and knows exactly how it works. The main thing they do is look for signatures in the first 4 bytes of the first packet. The second main thing is look for packet lengths. In this case I believe it is the third most common attack which is to look at how frequently each byte value occurs to measure entropy. https://youtu.be/IfLh3tr2amk?t=1334 (start at 18:20 but 22:14 is where it gets relevant) The solution is to send more of certain byte values than others to decrease entropy. I find it interesting that someone on the ticket said FTE worked.

2 1

My Introduction_GSoC Student
by Hashik Donthineni 07 May '20

07 May '20

Hello everyone! My name is Hashik Donthineni (IRC: HashikD), I am a GSoC 2020 student. I will be working on* Snowflake Proxy on the Android *project with the help of my mentors Cecylia (Cohosh), Phillipp (phw). I am really excited to join the Tor team! Thank you all for giving me this exciting opportunity! Regards, D. Hashik

1 0

Development plan sketch for a DNS pluggable transport
by David Fifield 07 May '20

07 May '20

Earlier I posted how to use Tor through my new DNS tunnel. https://lists.torproject.org/pipermail/anti-censorship-team/2020-April/0000… https://www.bamsoftware.com/software/dnstt/#proxy-tor Here's a sketch of what development tasks would be needed to turn it into a proper pluggable transport. I estimate it would be about a GSoC's worth of work, though it's too late to be a GSoC project this year. It would be a good project for someone who wants experience with the mechanics of implementing a pluggable transport, using a circumvention component that's already working. - Replace command-line interface with managed goptlib interface. - Client ClientTransportPlugin dns exec dns-client Bridge dns 192.0.2.4:1 FINGERPRINT domain=t.example.com doh=https://dns.example/dns-query pubkey=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff - Server ServerTransportOptions dns mtu=1232 ServerTransportPlugin dns exec ./dns-server - Make the server generate a keypair on first run, store it in pt_state like obfs4proxy. - Add uTLS to the client to disguise TLS fingerprint. - Add ExtOrPort support to the server. - For USERADDR, choose a distinguished placeholder client address. See the last paragraph of https://lists.torproject.org/pipermail/metrics-team/2020-March/001142.html - Bonus: Enhance the bridge configuration panel to enable configuring the resolver without kludges like "meek-google" and "meek-amazon". - Or ship with a list of resolvers and choose one at random. I don't know whether a DNS transport is deployable by default like other transports, but it could be a good thing to have in reserve.

1 0

Better bridge distribution methods
by soncyq47 06 May '20

06 May '20

>>*Browser fingerprinting* fails because if I try to get bridges from my desktop vs my laptop vs my cell vs at a library vs at an internet cafe, I will not be mapped to the same user. Additionally, if I make a change to my setup (switch from Firefox to Chrome, new monitor resolution, etc.) even on the same machine I likely would not be mapped to the same profile (or if I am, it seems that a censor would be able to generate enough profiles that they end up in several "trusted" groups). I'd also argue that collecting the browser fingerprints of some of the most vulnerable Tor users (those that need bridges) is a risk. While I trust the Tor project to maintain good data and security practices at present, am I confident that a new vulnerability won't arise, or a new 0 day that could be used to acquire the information Tor maintains? No - especially not with the value that a DB of fingerprints of those subverting censorship would be to a censor.<< Sure, you could get a few bridges, but it is not trivial easy for an adversary to get hundreds, therefore browser fingerprinting is effective. Even if you switch from Firefox to Chrome, some aspects of the fingerprint remain the same. There are even some fingerprint test websites that can fingerprint your device, cross-browser, ex: UniqueMachine. I’m not exactly sure what you mean Sam by trusted groups. If the censor gets several bridges, it’s not a big deal. In terms of what I said about grouping similar fingerprints together, I thought a simple way to do it would be to assume the first fingerprints are more legitimate and the censor shows up later. In terms of the anonymity risk. The way I see it is my suggestions should be a last resort for users. Obviously using Tor through an insecure distribution is much better than not being able to use Tor. If users can’t get a working bridge, they might switch to something dangerous like Ultrasurf, or who knows what the alternative is. >>*Social networks* fail because they are not usable by all users (whether by choice or by censorship). This approach will also require maintenance.<< Social networks may not scale well, but it more than compensates by being super blocking resistant. I think it requires less maintenance. >>I'll propose one more potential - PGP signing, which I think works better than the above three, but is far from perfect.<< I think you’re missing the aim. We are not merely trying to identify our users, but trying to prevent an adversary from creating too many identities. Unfortunately it seems like the more blocking resistant you make it, the more privacy invasive. Social networks are an exception. The censor may create as many identities as it wants, but it wont increase his knowledge of addresses. In a sense knowledge of a bridge is treated like an identity. And users must have knowledge of a bridge regardless of IP distribution. >>1. Reach-ability probing from adversarial regions (aka identifying burnt bridges)<< It seems obvious to me at least that in the stead of probing from enemies of the internet, we merely watch which countries are connecting to the bridges. If we see a consistent decrease from a country then we know something’s up. This is much safer. >>2. Ability for bridges to easily and quickly change IP address (refreshing a bridge)<< Don’t forget we need to also disable UpdateBridgesFromAuthority because it would be trivial to update the blacklist otherwise. Cheers

1 0

Better bridge distribution methods
by soncyq47 05 May '20

05 May '20

There are 4 parts. -- /1./ -- For those that are new let me explain my discussion with Philipp Winter. I suggest a browser fingerprinting based bridge distribution. Each fingerprint only gets one bridge, so if you keep automatically asking you just keep getting the same address over and over. I can tell you that it is almost impossible to exhaustively spoof a fingerprint, and we can use that to our advantage. We can group similar fingerprints together so that it doesn't matter if someone spoofs a few things. And we should ignore the user-agent. >>I think I'm missing something here. Doesn't it suffice for an adversary to tamper with a single feature to create a new browser fingerprint, and thus obtain different bridges? I suppose it would depend on how the server derives its fingerprints.<< Like I said: Once we've given out all the bridges to each unique fingerprint then we start grouping new fingerprints to the nearest match. In other words we assume the first users are more legitimate, and the GFW comes along later. So in the beginning we give out a new bridge to a fingerprint that is anyhow different from one we’ve seen before, and once we’ve given them all out (that we are willing to give out through fingerprinting), then if a new fingerprint comes along, he gets the same bridge as the fingerprint that had the highest quantity of same aspects to it. This defeats partial spoofing. Like I said, full spoofing is near impossible. -- /2./ -- >>I know lots of people in China using Linode and Google Cloud which also a credit card. They only support the credit card like VISA or MasterCard instead of China UnionPay card. So it isn't too hard if someone wants to get the card, especially is GFW who be described as "unlimited fund" by GFW technology review blog. They don't block the IP just because a few people use it. Yes, the credit card it did block a lot of people:(<< Thanks Tom for clearing up my misunderstanding. -- /3./ – Why not switch Obfs4 bridges to dynamic IPs and remove UpdateBridgesFromAuthority. This would make it like WAY more blocking resistant. -- /4./ – I take back what I said, I recon the Salmon algorithm is currently the best proxy distribution we have. I’m planning to read the paper, but just from what I’ve seen from the talk... https://www.invidio.us/watch?v=RO3wXRn8BfY … I see one major vulnerability: what if the GFW gets just one bridge, then creates thousands of accounts (which there is no barrier for), then sends an invite across all of those accounts, then waits for trust level to get high, and all of those accounts gets a new bridge, repeat until you know all the bridges, then only block them all in one go once they have all the addresses. The solution is to put a limit on how many addresses are given out per accounts with knowledge of a certain bridge. Basically extending the recommendation grouping that every bridge which accounts know only allows for a finite quantity of new bridges to be received. So an adversary that has one address can’t crawl the whole network, but only a fraction of it. Another but minor weakness, I don’t think social network based distribution would scale well compared to fingerprinting based distribution. I’m not claiming to know it all but hopefully my thoughts are helpful.

2 1

Better bridge distribution methods
by Philipp WInter 01 May '20

01 May '20

(Moving this discussion to anti-censorship-team@. See below for context.) On Wed, Apr 29, 2020 at 11:35:48PM +0000, soncyq47 wrote: > ---MY EMAIL HAS 3 PARTS SO PLEASE READ IT ALL--- > > > I believe it's feasible (albeit not trivial) for an adversary to modify > > these fingerprints, e.g., by making Firefox believe that it runs under a > > different screen resolution, has a variety of apps installed, etc. > > /1./ It's obviously possible to spoof a few things. The point I was > making is that there are like 20 or 50, if not more aspects of the > fingerprint, and we can measure it all, so it's practically impossible > to spoof them all. We could just then group similar fingerprints > together. I think I'm missing something here. Doesn't it suffice for an adversary to tamper with a single feature to create a new browser fingerprint, and thus obtain different bridges? I suppose it would depend on how the server derives its fingerprints. It's not a bad idea but I'm not convinced that the implementation effort would be worth the outcome. > > Another issue is that for this to work, we would have to store the > > fingerprint of requesting users and we would rather not store unique, > > user-specific identifiers. > > This problem might be slightly mitigated with federation. But I > totally agree with the privacy issue you're saying. > > /2./ I have a theory for why paid VPNs get blocked less, maybe the > operators of the GFW can't get access to an American credit card, so > the VPN doesn't have to worry about IP distribution, just the > encryption algorithm. I don't have any thoughts on this. > /3./ What about SMS distribution. I know there are tricks to get lots > of numbers, but what I've seen is usually limited to one country, so > we could just separate area codes into different distribution buckets. Again, not necessarily a bad idea but expensive to build. Our resources are very limited and we need to be rather confident that something works out before investing a substantial amount of development time. > Please reply about what you think of my 3 points. > Cheers > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Wednesday, April 29, 2020 4:16 PM, Philipp WInter <phw(a)nymity.ch> wrote: > > > On Tue, Apr 28, 2020 at 09:52:29PM +0000, soncyq47 wrote: > > > > > Sorry I don't understand Selenium very well, but in terms of > > > automating, each fingerprint only gets one bridge, so if you keep > > > automatically asking you just keep getting the same address over and > > > over. > > > > I believe it's feasible (albeit not trivial) for an adversary to modify > > these fingerprints, e.g., by making Firefox believe that it runs under a > > different screen resolution, has a variety of apps installed, etc. > > > > Another issue is that for this to work, we would have to store the > > fingerprint of requesting users and we would rather not store unique, > > user-specific identifiers. > > > > Cheers, > > Philipp

2 1

2024

2023

2022

2021

2020

2019

anti-censorship-team