Here's the summary of meek's CDN fees for October 2015.
App Engine + Amazon + Azure = total by month February 2014 $0.09 + -- + -- = $0.09 March 2014 $0.00 + -- + -- = $0.00 April 2014 $0.73 + -- + -- = $0.73 May 2014 $0.69 + -- + -- = $0.69 June 2014 $0.65 + -- + -- = $0.65 July 2014 $0.56 + $0.00 + -- = $0.56 August 2014 $1.56 + $3.10 + -- = $4.66 September 2014 $4.02 + $4.59 + $0.00 = $8.61 October 2014 $40.85 + $130.29 + $0.00 = $171.14 November 2014 $224.67 + $362.60 + $0.00 = $587.27 December 2014 $326.81 + $417.31 + $0.00 = $744.12 January 2015 $464.37 + $669.02 + $0.00 = $1133.39 February 2015 $650.53 + $604.83 + $0.00 = $1255.36 March 2015 $690.29 + $815.68 + $0.00 = $1505.97 April 2015 $886.43 + $785.37 + $0.00 = $1671.80 May 2015 $871.64 + $896.39 + $0.00 = $1768.03 June 2015 $601.83 + $820.00 + $0.00 = $1421.83 July 2015 $732.01 + $837.08 + $0.00 = $1569.09 August 2015 $656.76 + $819.59 + $154.89 = $1631.24 September 2015 $617.08 + $710.75 + $490.58 = $1818.41 October 2015 $672.01 + $110.72 + $300.64 = $1083.37 -- total by CDN $7443.58 + $7987.32 + $946.11 = $16377.01 grand total
https://metrics.torproject.org/userstats-bridge-transport.html?graph=usersta...
In October we had about 4,000 simultaneous users all month.
There was an unfortunate outage of meek-amazon (not the result of censorship, just operations failure). Between 30 September and 9 October the bridge had an expired HTTPS certificate. [tor-talk] Outage of meek-amazon https://lists.torproject.org/pipermail/tor-talk/2015-October/039231.html https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html And then, as a side effect of installing a new certificate, the bridge's fingerprint changed, which caused Tor Browser to refuse to connect. It used to be that we didn't include fingerprints for the meek bridges, but now we do, so we didn't anticipate this error and didn't notice it quickly. Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296 https://trac.torproject.org/projects/tor/ticket/17473 [tor-talk] Changed fingerprint for meek-amazon bridge (attn support) https://lists.torproject.org/pipermail/tor-talk/2015-November/039397.html Interestingly, the meek-amazon bridge still had about 400 simultaneous users (not as much as normal) during the time when the fingerprint didn't match. I would have expected it to go almost to zero. Maybe it's people using an old version of Tor Browser (from before March 2015) or some non–Tor Browser installation.
Our grant for meek-azure ran out and now it costs money. Accordingly I've rate-limited it to limit costs. I set it to 1.1 MB/s on 2 October and to 0.8 MB/s on 30 October. [tor-talk] meek-azure now rate-limited https://lists.torproject.org/pipermail/tor-talk/2015-October/039169.html
meek-google was also out for a few days around 30 October because I messed up the app upload and pointed it to the wrong bridge.
If you want to set up your own bridge and CDN instance without rate limiting, I can help you do it. Here are some docs to look at: https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtorunameek-serverb... https://trac.torproject.org/projects/tor/wiki/doc/meek#GoogleAppEngine https://trac.torproject.org/projects/tor/wiki/doc/meek#AmazonCloudFront https://trac.torproject.org/projects/tor/wiki/doc/meek#MicrosoftAzure
== App Engine a.k.a. meek-google ==
Here is how the Google costs broke down: 2842 GB $341.06 6619 instance hours $330.95 Compared to the previous month: 2871 GB $344.53 5451 instance hours $272.55
https://globe.torproject.org/#/bridge/88F745840F47CE0C6A4FE61D827950B06F9E45...
== Amazon a.k.a. meek-amazon ==
Usage of meek-amazon was quite low this month because of bridge outages having to do with an expired HTTPS certificate and a changed relay fingerprint.
Asia Pacific (Singapore) 6M requests $8.24 36 GB $5.05 Asia Pacific (Sydney) 635K requests $0.79 1 GB $0.21 Asia Pacific (Tokyo) 1M requests $1.71 5 GB $0.71 EU (Ireland) 39M requests $46.81 130 GB $9.97 South America (Sao Paulo) 2M requests $4.98 5 GB $1.23 US East (Northern Virginia) 24M requests $24.36 86 GB $6.64 -- total 74M requests $86.89 266 GB $23.81
https://globe.torproject.org/#/bridge/F4AD82B2032EDEF6C02C5A529C42CFAFE51656... (Note new fingerprint.)
== Azure a.k.a. meek-azure ==
Zone 1 1652 GB $202.51 Zone 2 586 GB $98.13 -- total 2238 GB $300.64
https://globe.torproject.org/#/bridge/AA033EEB61601B2B7312D89B62AAA23DC3ED8A...
Earlier reports in this series: https://lists.torproject.org/pipermail/tor-dev/2014-August/007429.html https://lists.torproject.org/pipermail/tor-dev/2014-October/007576.html https://lists.torproject.org/pipermail/tor-dev/2014-November/007716.html https://lists.torproject.org/pipermail/tor-dev/2014-December/007916.html https://lists.torproject.org/pipermail/tor-dev/2015-January/008082.html https://lists.torproject.org/pipermail/tor-dev/2015-February/008235.html https://lists.torproject.org/pipermail/tor-dev/2015-March/008427.html https://lists.torproject.org/pipermail/tor-dev/2015-April/008596.html https://lists.torproject.org/pipermail/tor-dev/2015-May/008767.html https://lists.torproject.org/pipermail/tor-dev/2015-June/008932.html https://lists.torproject.org/pipermail/tor-dev/2015-July/009030.html https://lists.torproject.org/pipermail/tor-dev/2015-August/009213.html https://lists.torproject.org/pipermail/tor-dev/2015-September/009533.html https://lists.torproject.org/pipermail/tor-dev/2015-October/009672.html
On 18 November 2015 at 16:32, David Fifield david@bamsoftware.com wrote:
There was an unfortunate outage of meek-amazon (not the result of censorship, just operations failure). Between 30 September and 9 October the bridge had an expired HTTPS certificate. [tor-talk] Outage of meek-amazon https://lists.torproject.org/pipermail/tor-talk/2015-October/039231.html https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html And then, as a side effect of installing a new certificate, the bridge's fingerprint changed, which caused Tor Browser to refuse to connect. It used to be that we didn't include fingerprints for the meek bridges, but now we do, so we didn't anticipate this error and didn't notice it quickly. Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296 https://trac.torproject.org/projects/tor/ticket/17473 [tor-talk] Changed fingerprint for meek-amazon bridge (attn support) https://lists.torproject.org/pipermail/tor-talk/2015-November/039397.html Interestingly, the meek-amazon bridge still had about 400 simultaneous users (not as much as normal) during the time when the fingerprint didn't match. I would have expected it to go almost to zero. Maybe it's people using an old version of Tor Browser (from before March 2015) or some non–Tor Browser installation.
It seems like it would be better to use the SPKI rather than the cert fingerprint, this would allow you to reissue the same key and keep things working for older clients.
-tom
On Fri, Nov 20, 2015 at 05:50:51PM -0600, Tom Ritter wrote:
On 18 November 2015 at 16:32, David Fifield david@bamsoftware.com wrote:
There was an unfortunate outage of meek-amazon (not the result of censorship, just operations failure). Between 30 September and 9 October the bridge had an expired HTTPS certificate. [tor-talk] Outage of meek-amazon https://lists.torproject.org/pipermail/tor-talk/2015-October/039231.html https://lists.torproject.org/pipermail/tor-talk/2015-October/039234.html And then, as a side effect of installing a new certificate, the bridge's fingerprint changed, which caused Tor Browser to refuse to connect. It used to be that we didn't include fingerprints for the meek bridges, but now we do, so we didn't anticipate this error and didn't notice it quickly. Update the meek-amazon fingerprint to B9E7141C594AF25699E0079C1F0146F409495296 https://trac.torproject.org/projects/tor/ticket/17473 [tor-talk] Changed fingerprint for meek-amazon bridge (attn support) https://lists.torproject.org/pipermail/tor-talk/2015-November/039397.html Interestingly, the meek-amazon bridge still had about 400 simultaneous users (not as much as normal) during the time when the fingerprint didn't match. I would have expected it to go almost to zero. Maybe it's people using an old version of Tor Browser (from before March 2015) or some non–Tor Browser installation.
It seems like it would be better to use the SPKI rather than the cert fingerprint, this would allow you to reissue the same key and keep things working for older clients.
The fingerprint I'm talking about is the relay fingerprint, not the HTTPS/X.509 one. The HTTPS certificate and the relay identity fingerprint are completely independent. It just happened that in this case, the relay was so configured, that when it rebooted to start using the new HTTPS cert, it also generated a new identity key.
We're not pinning the HTTPS cert and in fact we can't; it's just used for confidentiality on the CDN↔meek-server link.
-
David Fifield -
Tom Ritter