Hey everyone!
Here are our meeting logs:
http://meetbot.debian.net/tor-meeting/2022/tor-meeting.2022-10-20-15.58.html
And our meeting pad:
Anti-censorship work meeting pad --------------------------------
Next meeting: Thursday Oct 27 16:00 UTC
Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress)
== Goal of this meeting ==
Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community.
== Links to Useful documents ==
* Our anti-censorship roadmap: * Roadmap: https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from sponsors we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?sc... * Sponsor 28 * must-do tickets: https://gitlab.torproject.org/groups/tpo/-/milestones/10 * possible tickets: https://gitlab.torproject.org/groups/tpo/-/issues?scope=all&utf8=%E2%9C%... * Sponsor 96 * https://gitlab.torproject.org/groups/tpo/-/milestones/24
== Announcements ==
*
== Discussion ==
* Blocking by TLS fingerprint in Iran * There is plenty of evidence now that there is blocking based on TLS fingerprint in Iran * It likely affects snowflake-client's connections to the broker and may be responsible for the sudden loss of traffic on 2022-10-04 * https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... * Likely to affect mainly Orbot, and not Tor Browser for desktop or Tor Browser for Android * One variant of the native Go crypto/tls fingerprint is known to be blocked: the one that prioritizes non-AES ciphersuites and has a minimum TLS version of TLS 1.0 * Other versions of the fingerprint (AES ciphersuites prioritized, minimum version of TLS 1.2) are not currently blocked * https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/96#note_2845... * Tor Browser for desktop: currently not blocked (uses AES priority ciphersuites) * Tor Browser for Android: currently not blocked (uses minimum TLS version of 1.2, because compiled by go1.18) * Orbot: available released versions are blocked * Orbot preparing a new release with utls enabled https://github.com/guardianproject/orbot/releases/tag/16.6.3-BETA-2-tor.0.4.... * Would be nice if Orbot could use the Circumvention Settings API. That would likely take a little work because internally Orbot currently does not support custom bridge lines other than obfs4: https://github.com/net4people/bbs/issues/131#issuecomment-1272120924 * should snowflake use uTLS by default? * https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_req... * there are some concerns of active censors being able to test unimplemented TLS extensions claimed by uTLS, but haven't being seeing in the wild yet * an example is certificate compression https://datatracker.ietf.org/doc/rfc8879/ * yawning's utls fork dealt with that long ago; it's also now part of the main upstream utls in v1.1.2+: https://github.com/refraction-networking/utls/pull/95 * yes, we'll move to use uTLS * snowflake load after revert broker change src shell * https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... * the revert is not notizable in the graphs (broker polling and bridge bandwidth graphs) * we can go back to multi-bridge support * shell will revert the revert * snowflake broker secondary bridge info src shell * shell will enable snowflake-02 at the broker on Monday 2022-10-24 * Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4 src shell * https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issu... * https://github.com/net4people/bbs/issues/140 * shell is investigating it * obfs4proxy meek utls patches * https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4... * meskio will merge this mr today and move forward to include it in the next TB version * keeping with HelloFirefox_auto so as not to change too much at once * meskio has been checking pcaps and testing compatibility with the meek and moat domain fronts * Testing new PTs * is conjure ready to be tested? not yet * will be included in TB alpha in early November, and will be wellcome testers * any kind of testers will be nice, might not be ready to really resist censorship * Sometimes in RACE it takes snowflake longer than 45 seconds to transfer a message. We want to make it less than 30. Does it depend on the availability/quality of snowflake proxies or is this something we have full control of programmatically?
--- for next week --- * builtin bridges and their usage * https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/102
== Actions ==
== Interesting links ==
== Reading group ==
* We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up?
== Updates ==
Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with.
cecylia (cohosh): last updated 2022-10-20 Last week: - more work on translations of webextension and snowflake.tpo - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - completed integration of conjure into tor browser - https://gitlab.torproject.org/cohosh/tor-browser-build/-/commits/conjure - worked on standalone proxy issues - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - set up a new meek server and handed it off to the new operator - http://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requ... This week: - wrap up snowflake translation work - followups to proxy fixes - continue Conjure work - wrap up manifest v3 candidate Needs help with:
dcf: 2022-10-20 Last week: - thought more about loss of traffic at the snowflake broker and bridge and came ot the new working hypothesis that it *is* due to a block in Iran, that apparent effects in other countries are geoip errors, and that the mechanism of blocking is TLS fingerprinting using at least two identified features: ciphersuite order and minimum supported TLS version https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... https://github.com/net4people/bbs/issues/125#issuecomment-1284602875 - gave instructions for enabling uTLS in snowflake clients and solicited experience reports https://github.com/net4people/bbs/issues/131#issuecomment-1280391051 - helped with enabling utls by default for future snowflake releases https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/96#note_2844... https://gitlab.torproject.org/tpo/anti-censorship/rdsys-admin/-/merge_reques... https://gitlab.torproject.org/tpo/anti-censorship/rdsys-admin/-/merge_reques... https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_req... - gave advice on meek bridge setup for https://bugs.torproject.org/tpo/anti-censorship/team/100 - explained a snowflake build failure on old CentOS https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - diagnosed an error caused by running an outdated snowflake proxy https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - helped troubleshoot reported snowflake proxy inactivity https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... Next week: - disable non-WireGuard SSH access to snowflake-02 - migrate goptlib to gitlab https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/86#note_2823... - try Conjure PT development version https://forum.torproject.net/t/tor-dev-introducing-a-conjure-pt-for-tor/4429 - break up snowflake-server performance improvements into separate merge requests https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... Help with:
meskio: 2022-10-20 Last week: - get uTLS back on obfs4proxy meek (obfs4#40008) - discuss the relation between IPtProxy and snowflake client API (snowflake#40218) - enable uTLS by default in snowflake (https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_req...) - make a callout for bridge operators to upgrade their version of obfs4proxy (obfs4#40008) - use randomized uTLS in snowflake in IR (rdsys-admin!8) - experiment with obfs4 bridges in china and hong kong (team#99) - review snowflake webextension patches on ephemeral ports (snowflake-webext!107) - do the process in debian to become a Debian Maintainer, so I can upload packages without a mentor Next week: - deprecate dymcru builtin bridges (team#98) - fix bridgedb https translations (bridgedb#40058)
Shelikhoo: 2022-10-13 Last Week: - [Merge Request Awaiting] Add SOCKS5 forward proxy support to snowflake (snowflake!64) - [Discussion & Deployment] Rollout of Distributed Snowflake Support - [Coding & Deployment] Proposal: Centralized Probe Result Collector (anti-censorship/team#54) - [Research] HTTPT Planning https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/httpt... - [Research] Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issu... Next Week: - [Research] WebTunnel Planning (Continue) - Generate Charts for presention: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/92#note_2836... (Continue) - [Research] Fix vantage point summary upload in China - Release New version of Snowflake WebExt - Rollout distributed snowflake (include definition of secondary bridge on broker) - [Research] Censorship analysis for UDP traffic between Iran and rest of Internet: 2022 Q4: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issu... (Continue)
Itchy Onion: 2022-10-20 Last week: - bump snowflake plugin to version 2.3.2 - trying to trace where the message dropping happens in the snowflake library used by RACE. (I've been back and forth on this one, but now I believe message dropping and unclosed TCP sockets are not the same issue. The CI tests that are failing doesn't send that many messages for a system resource issue to kick in. I've traced the message in the plugin code, and see they are all sent to the snowflake library code without dropping. So maybe an issue with the version of snowflake lib that's used in RACE) This week: - Made some breakthrough. RACE Snowflake started to fail in 2.2.0 because the test load is increased by 5-fold and there is a 30 seconds timeout. So it takes snowflake too long to finish. So far I've observed high variance of flight time from snowflake proxy to server and the worst case it takes ~45 seconds to send.
tor-project@lists.torproject.org