It seems like Azure Domain Fronting may already be going offline, according to some reports. Our own testing from US and EU show that it is still working for now.
That said, here is our plan for updating Orbot and Onion Browser in response to what may come at any moment:
1) Move to Fastly for Snowflake and Moat as soon as they are ready. Please keep us posted on this.
2) Remove Meek as a built-in option.
3) Promote "social distribution" of bridge URLs via links and QR codes through communities that need them
4) Work on setting up our own additional pool of CDN front addresses for Moat and the Snowflake broker(s) that we can round-robin/cat-and-mouse through for both Snowflake and Moat. These would be compiled into our apps, or provided through some kind of S3/hard to block bootstrap URL.
5) Continue our own work in mobile-specific bridge distribution (push messages, SMS, chat bots, social etc) options we can employ in the future.
.... any other things to know, that we missed, that we are being naive about?
Thanks!
+n
A common technique for malware to find its C&C server is to embed a seed into the binary, along with an algorithm that takes the seed and a time epoch (e.g. midnight every day or midnight every 4 days) to generate a new domain name to connect to. The algorithm and seed are designed to be hard to reverse engineer. It's always possible though, and once one has done so, you can pre-generate (and block) the domain names into the future.
One mitigation for that is to distribute a bunch of seeds in the hope the adversary doesn't find all of them. (Does get expensive with domain names though.)
Another technique is to add in an unpredictable value into the generation algorithm alongside the seed and the time epoch. Something the adversary can't predict ahead of time like the closing price of a stock ticker or the tip of the bitcoin blockchain. The problem with that is that it requires the application to make a query to some service to retrieve that information and that query could be (a) blocked or (b) detected (unless anyone has any great ideas there[0]). If we had a reliable, unblockable, anonymous method of making a connection somewhere we wouldn't be in this mess ;)
-tom
[0] Maybe Android has something system-accessible like the last virus definition update from the Play store or something?
On Thu, 1 Apr 2021 at 13:26, Nathan of Guardian nathan@guardianproject.info wrote:
anti-censorship-team mailing list anti-censorship-team@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team
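The seed-plus-epoch scheme Tom describes above, together with the idea of a pool of compiled-in fronts that the client walks through, as an added example in Python. This is not code from Orbot, Snowflake, Moat or anyone on this thread. It assumes HMAC-SHA256 as the derivation, a 4-day rotation period aligned to the Unix epoch, a hypothetical CDN zone "cdn.example", and that the "unpredictable value" (stock close, chain tip) is handed in as bytes from whatever out-of-band lookup the app managed to make; the seeds and timestamp in the scenario are constructed.

```python
"""Seeded, time-rotating front-name generation, as sketched in the thread."""
import base64
import hashlib
import hmac
import re
from typing import Iterable, List, Optional

# Rotate every 4 days, counted in whole periods since the Unix epoch (UTC).
PERIOD_SECONDS = 4 * 24 * 3600
# Hypothetical CDN zone under which the fronts would be created (assumption).
DEFAULT_SUFFIX = "cdn.example"
LABEL_RE = re.compile(r"^[a-z0-9]{1,63}$")


def epoch_index(ts: int, period: int = PERIOD_SECONDS) -> int:
    """Bucket a Unix timestamp into the rotation period it falls in."""
    return ts // period


def derive_label(seed: bytes, epoch: int, extra: bytes = b"") -> str:
    """HMAC-SHA256(seed, epoch || extra), encoded as a DNS-safe label.

    `extra` is the optional unpredictable value (stock close, chain tip, ...).
    Without it the output is a pure function of seed and time.
    """
    msg = epoch.to_bytes(8, "big") + extra
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    # base32 yields [a-z2-7]; 16 chars (80 bits) is enough to avoid collisions.
    return base64.b32encode(digest).decode("ascii").lower().rstrip("=")[:16]


def front_for(seed: bytes, ts: int, suffix: str = DEFAULT_SUFFIX, extra: bytes = b"") -> str:
    """Name the client would use at time `ts` for one seed."""
    return f"{derive_label(seed, epoch_index(ts), extra)}.{suffix}"


def pregenerate(seed: bytes, start_ts: int, periods: int, suffix: str = DEFAULT_SUFFIX) -> List[str]:
    """Censor's side: with the seed in hand, enumerate names for future periods."""
    first = epoch_index(start_ts)
    return [f"{derive_label(seed, e)}.{suffix}" for e in range(first, first + periods)]


def pick_front(seeds: Iterable[bytes], ts: int, blocked: Iterable[str],
               suffix: str = DEFAULT_SUFFIX, extra: bytes = b"") -> Optional[str]:
    """Client side: walk the compiled-in seed pool, return the first name not known to be blocked."""
    blocked = set(blocked)
    for seed in seeds:
        name = front_for(seed, ts, suffix, extra)
        if name not in blocked:
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: two seeds shipped in the app, one of them recovered by the censor.
    seeds = [b"seed-shipped-in-build-A", b"seed-shipped-in-build-B"]
    now = 1617235200  # 2021-04-01T00:00:00Z
    leaked = pregenerate(seeds[0], now, periods=30)  # 120 days of names, blockable today
    print("blocked:", len(leaked), "names, first:", leaked[0])
    print("client still reaches:", pick_front(seeds, now, leaked))
    # Mixing in a value the censor could not know ahead of time escapes the pre-generated list.
    print("with nonce:", front_for(seeds[0], now, extra=b"chain-tip-placeholder"))
```

The scenario makes Tom's two points concrete: once seed A is extracted, pregenerate() hands the censor the whole future blocklist, and the client only survives through a second seed they have not found or through a mixed-in value they could not compute in advance. Fetching that value is exactly the extra query that can itself be blocked or fingerprinted, so the pool of seeds buys time rather than solving the problem.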
Thanks for these thoughts, Tom. We can generate thousands of AWS or Azure no-caching CDN subdomains at almost no cost, so we do have that going for us.
I like the idea of using an Android system service of some kind, but a lot of that goes out the window for non-Google Android devices in China. Still, mobile push messaging services might also be a possibility there, at least as a way to distribute seed values.
I do have access from Orbot to Moat and the Snowflake broker working now via Cloudfront domains. We are considering how best to bundle these into our apps, load them at runtime, decode their obfuscated/encrypted format, and then pick one to use when the user needs it.
On 4/1/21 11:19 AM, Tom Ritter wrote:
(Jon peeks his head in, waves hi)
Are people discussing this with CloudFlare? I'd hate for us to lift over to CF just to get shut down there.
I recall they were one of the original meek test cases, but also closed off "simple" domain fronting early on as well. I imagine they would not object to "voluntary" fronting that doesn't put other CF-hosted domains/services or CF broadly at risk, and may even be supportive (this being part of their argument in favor of pushing towards ESNI). Happy to nudge my contacts there to start that discussion if it's not already happening.
On seeds - I really very much like this idea, and I think we could easily brainstorm a collection of different seed sources to round-robin and reduce the risk of discovery / blocking; if we can solve how to manage the server-side resolution without really challenging costs (isn't NthLink doing something like this?). CF's no-markup registry may also be useful there, and/or trying to make inroads with PIR or another registrar (but that feels like a very long road/negotiation).
On 4/1/21 4:25 PM, Nathan of Guardian wrote:
On 4/2/21 9:59 AM, Jon Camfield (jcamfield@INTERNEWS.ORG) wrote:
Are people discussing this with CloudFlare? I'd hate for us to lift over to CF just to get shut down there.
We are not. Would be happy to get more engaged.
We have also been thinking about IPFS as a channel for bridge distribution.
https://developers.cloudflare.com/distributed-web/ipfs-gateway
Beyond CF's IPFS gateway, there are many others that are accessible in China, and it would be one way to publish seeds, subdomains, etc.
+n