Hello,
As of last night (or last morning, Venezuela-time), we've been receiving reports from locals in Venezuela that Tor is being blocked.
State-owned CANTV is reportedly blocking access to Tor and obfs4.
They've been running OONI Probe tests that seem to confirm this, though it remains unclear if other ISPs in Venezuela are blocking access to Tor (and Tor bridges) as well.
This follows weeks of increased censorship, particularly targeting media websites (like lapatilla.com and elpitazo.com).
What strategies would be relevant here?
This may also be something worth thinking about for other countries where Tor is blocked as well (such as Egypt).
Best,
Maria.
On Thu, Jun 21, 2018 at 12:28:10PM +0200, Maria Xynou wrote:
As of last night (or last morning, Venezuela-time), we've been receiving reports from locals in Venezuela that Tor is being blocked.
State-owned CANTV is reportedly blocking access to Tor and obfs4.
They've been running OONI Probe tests that seem to confirm this, though it remains unclear if other ISPs in Venezuela are blocking access to Tor (and Tor bridges) as well.
This follows weeks of increased censorship, particularly targeting media websites (like lapatilla.com and elpitazo.com).
What strategies would be relevant here?
It's likely that the obfs4 blocking is being effected by IP address blocking of the default obfs4 bridges. My guess is that non-default bridges from bridges.torproject.org will work.
Idea: turn the situation into a teachable moment by making a Spanish-language tweet/blogpost that contains one or two non-default bridge lines and instructions on where to paste them, *plus* a link to https://blog.torproject.org/breaking-through-censorship-barriers-even-when-t... or similar that shows how to get more bridges when the tweeted ones get blocked.
My thinking is that while people normally have no incentive to use anything but a default bridge, they can learn the skills they need now that there is a reason.
+1 David!
On Thu, Jun 21, 2018 at 12:16 PM, David Fifield david@bamsoftware.com wrote:
On Thu, Jun 21, 2018 at 12:28:10PM +0200, Maria Xynou wrote:
As of last night (or last morning, Venezuela-time), we've been receiving reports from locals in Venezuela that Tor is being blocked.
State-owned CANTV is reportedly blocking access to Tor and obfs4.
They've been running OONI Probe tests that seem to confirm this, though it remains unclear if other ISPs in Venezuela are blocking access to Tor (and Tor bridges) as well.
This follows weeks of increased censorship, particularly targeting media websites (like lapatilla.com and elpitazo.com).
What strategies would be relevant here?
It's likely that the obfs4 blocking is being effected by IP address blocking of the default obfs4 bridges. My guess is that non-default bridges from bridges.torproject.org will work.
Idea: turn the situation into a teachable moment by making a Spanish-language tweet/blogpost that contains one or two non-default bridge lines and instructions on where to paste them, *plus* a link to https://blog.torproject.org/breaking-through-censorship- barriers-even-when-tor-blocked or similar that shows how to get more bridges when the tweeted ones get blocked.
My thinking is that while people normally have no incentive to use anything but a default bridge, they can learn the skills they need now that there is a reason. _______________________________________________ tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
On 6/21/18 12:16 PM, David Fifield wrote:
On Thu, Jun 21, 2018 at 12:28:10PM +0200, Maria Xynou wrote:
As of last night (or last morning, Venezuela-time), we've been receiving reports from locals in Venezuela that Tor is being blocked.
State-owned CANTV is reportedly blocking access to Tor and obfs4.
They've been running OONI Probe tests that seem to confirm this, though it remains unclear if other ISPs in Venezuela are blocking access to Tor (and Tor bridges) as well.
This follows weeks of increased censorship, particularly targeting media websites (like lapatilla.com and elpitazo.com).
What strategies would be relevant here?
It's likely that the obfs4 blocking is being effected by IP address blocking of the default obfs4 bridges. My guess is that non-default bridges from bridges.torproject.org will work.
Idea: turn the situation into a teachable moment by making a Spanish-language tweet/blogpost that contains one or two non-default bridge lines and instructions on where to paste them, *plus* a link to https://blog.torproject.org/breaking-through-censorship-barriers-even-when-t... or similar that shows how to get more bridges when the tweeted ones get blocked.
My thinking is that while people normally have no incentive to use anything but a default bridge, they can learn the skills they need now that there is a reason.
Great suggestion! I am traveling today and tomorrow -- but is there a Spanish speaker who would like to help draft? You can respond to me here or off-list.
Thanks, Steph
tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
Indeed +1 David, I couldn't agree more.
Perhaps the following (or something of the sort) can be used for outreach purposes (e.g. on Twitter):
#Venezuela: To connect to Tor and circumvent censorship:
1. Download Tor Browser: https://www.torproject.org/download/download-easy.html.es
2. Click "Just give me bridges!": https://bridges.torproject.org/options
3. Copy the bridges
4. Configure Tor Browser to connect with bridges
5. Paste your bridges in the "Enter custom bridges" section
6. Connect to Tor!
or
1. Download Tor Browser: https://www.torproject.org/download/download-easy.html.es
2. Email bridges@torproject.org
3. Configure Tor Browser to connect with bridges
4. Add your bridges in the "Enter custom bridges" section
5. Connect to Tor!
Perhaps the above could be 2 separate tweets, each including a relevant screenshot attached.
More comprehensive steps and screenshots are available in the Tor browser guides here: https://securityinabox.org/en/ (though they're quite outdated)
Perhaps it would be good to have a blog post that explains how to get custom bridges (if that doesn't already exist)? It would then be good to have that blog post translated to multiple languages (particularly Spanish and Arabic), so that it can easily/quickly be used for outreach purposes.
Cheers,
Maria.
On 21/06/2018 19:14, Stephanie A. Whited wrote:
Great suggestion! I am traveling today and tomorrow -- but is there a Spanish speaker who would like to help draft? You can respond to me here or off-list.
Hi,
Maria Xynou:
Perhaps the following (or something of the sort) can be used for outreach purposes (e.g. on Twitter):
#Venezuela: To connect to Tor and circumvent censorship:
[...]
In addition to the how to connect to Tor via Bridges it makes sense to add a how to test Tor connectivity blocking by performing OONI tests and specifically:
* Vanilla Tor test [1] * Tor Bridge Reachability test [2] * Meek Fronted Requests test [3]
[1] https://ooni.torproject.org/nettest/vanilla-tor/ [2] https://ooni.torproject.org/nettest/tor-bridge-reachability/ [3] https://ooni.torproject.org/nettest/meek-fronted-requests/
Cheers, ~Vasilis
On Thu, Jun 21, 2018 at 09:16:03AM -0700, David Fifield wrote:
State-owned CANTV is reportedly blocking access to Tor and obfs4.
It's likely that the obfs4 blocking is being effected by IP address blocking of the default obfs4 bridges. My guess is that non-default bridges from bridges.torproject.org will work.
I've been working with a person in #tor for the past few days, to try various configurations. My current best guess is that cantv is blocking by IP address only, and not doing DPI. It is blocking many of the public relay IP addresses, and it is blocking the default (built in to Tor Browser) obfs4 bridges. But obfs4 bridges from bridgedb work, and also vanilla bridges from bridgedb work.
That means it would be worthwhile for the OONI folks to do TCP reachability checks of all of the IP:ports for the Tor fallbackdir list.
And it also means we should consider a new Tor Browser release with a new or different set of Fallbackdirs, in case they don't plan to keep their censorship list up to date.
My thinking is that while people normally have no incentive to use anything but a default bridge, they can learn the skills they need now that there is a reason.
Agreed. Fetching and using vanilla (non obfs4) bridges is a good easy next step, and now is the time for them to learn that in the future there could be a second step in the arms race, and for that step they will need obfs4 bridges or something newer.
--Roger
On 21 June 2018 at 20:11:45, Roger Dingledine (arma@mit.edu) wrote:
I've been working with a person in #tor for the past few days, to try various configurations. My current best guess is that cantv is blocking by IP address only, and not doing DPI. It is blocking many of the public relay IP addresses, and it is blocking the default (built in to Tor Browser) obfs4 bridges. But obfs4 bridges from bridgedb work, and also vanilla bridges from bridgedb work.
That means it would be worthwhile for the OONI folks to do TCP reachability checks of all of the IP:ports for the Tor fallbackdir list.
We currently test the set of default dir auths, but I don’t think we test the fallbackdir list.
Here is the list of Tor related addresses we currently check for:
https://github.com/OpenObservatory/ooni-resources/blob/master/bridge_reachab...
A pull request with the fallback dirs (or even just a email diff) would be gladly merged!
On 22 Jun 2018, at 17:45, Arturo Filastò art@torproject.org wrote:
On 21 June 2018 at 20:11:45, Roger Dingledine (arma@mit.edu) wrote: I've been working with a person in #tor for the past few days, to try various configurations. My current best guess is that cantv is blocking by IP address only, and not doing DPI. It is blocking many of the public relay IP addresses, and it is blocking the default (built in to Tor Browser) obfs4 bridges. But obfs4 bridges from bridgedb work, and also vanilla bridges from bridgedb work.
That means it would be worthwhile for the OONI folks to do TCP reachability checks of all of the IP:ports for the Tor fallbackdir list.
We currently test the set of default dir auths, but I don’t think we test the fallbackdir list.
Here's the ticket: https://github.com/OpenObservatory/ooni-resources/issues/11
Here is the list of Tor related addresses we currently check for:
https://github.com/OpenObservatory/ooni-resources/blob/master/bridge_reachab...
A pull request with the fallback dirs (or even just a email diff) would be gladly merged!
If you like working with text files, here is the current list of fallbacks: https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
If you like python, here is the stem API for the fallback list: https://stem.torproject.org/api/directory.html#stem.directory.Fallback
T
On 22 June 2018 at 10:16:06, teor (teor2345@gmail.com) wrote:
Here's the ticket: https://github.com/OpenObservatory/ooni-resources/issues/11
If you like working with text files, here is the current list of fallbacks: https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
If you like python, here is the stem API for the fallback list: https://stem.torproject.org/api/directory.html#stem.directory.Fallback
Thanks.
I updated the github issue with what needs to be done to get this merged: https://github.com/OpenObservatory/ooni-resources/issues/11#issuecomment-399....
I think this is a pretty easy ticket to solve, so if somebody has some spare time it would be a great first-ooni-ticket :)
~ A.
On 06/22/2018 10:25 AM, Arturo Filastò wrote:
On 22 June 2018 at 10:16:06, teor (teor2345@gmail.com) wrote:
Here's the ticket: https://github.com/OpenObservatory/ooni-resources/issues/11
If you like working with text files, here is the current list of fallbacks: https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
If you like python, here is the stem API for the fallback list: https://stem.torproject.org/api/directory.html#stem.directory.Fallback
Thanks.
I updated the github issue with what needs to be done to get this merged: https://github.com/OpenObservatory/ooni-resources/issues/11#issuecomment-399....
I think this is a pretty easy ticket to solve, so if somebody has some spare time it would be a great first-ooni-ticket :)
Hi Arturo, I sent you the PR via github.
Talk later. -hiro
On 22 Jun 2018, at 17:45, Arturo Filastò art@torproject.org wrote:
On 21 June 2018 at 20:11:45, Roger Dingledine (arma@mit.edu) wrote: I've been working with a person in #tor for the past few days, to try various configurations. My current best guess is that cantv is blocking by IP address only, and not doing DPI. It is blocking many of the public relay IP addresses, and it is blocking the default (built in to Tor Browser) obfs4 bridges. But obfs4 bridges from bridgedb work, and also vanilla bridges from bridgedb work.
That means it would be worthwhile for the OONI folks to do TCP reachability checks of all of the IP:ports for the Tor fallbackdir list.
We currently test the set of default dir auths, but I don’t think we test the fallbackdir list.
Please let us know how many of the 150 fallbacks are reachable on their ORPort. (Most Tor clients just use the ORPort.)
If they've all been blocked, we can work with the Tor Browser team to deploy some extra fallbacks in Tor, or in a torrc file.
(I also wonder if all the historical fallbacks have been blocked.)
T
tor-project@lists.torproject.org
-
Arturo Filastò -
David Fifield -
Maria Xynou -
Roger Dingledine -
silvia [hiro] -
Stephanie A. Whited -
teor -
Tom Leckrone -
Vasilis