Anti-censorship issueshttps://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues2023-07-18T18:57:33Zhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/34075Implement metrics to measure snowflake churn2023-07-18T18:57:33ZCecylia BocovichImplement metrics to measure snowflake churnAs discussed in the meeting this week, it would be useful to know how often snowflake proxy IP addresses actually change. We collect counts of unique IPs on any given day, but not how much variance we get in IP addresses over time.
This...As discussed in the meeting this week, it would be useful to know how often snowflake proxy IP addresses actually change. We collect counts of unique IPs on any given day, but not how much variance we get in IP addresses over time.
This relates to our ability to resist censorship, as snowflake relies in part on the claim that snowflakes are ephemeral, changing, and difficult to block exhaustively.
Let's implement some metrics to see how much snowflake IPs change.Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibetshelikhooshelikhoohttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/31085Make an Android extension or app for people to be a snowflake (AMO or proxy-go)2023-07-13T14:59:01ZcypherpunksMake an Android extension or app for people to be a snowflake (AMO or proxy-go)https://addons.mozilla.org/en-US/android/https://addons.mozilla.org/en-US/android/Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibethttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29863Add disk space monitoring for snowflake infrastructure2023-07-31T02:23:24ZCecylia BocovichAdd disk space monitoring for snowflake infrastructureWe've run out of disk space at both the snowflake bridge (legacy/trac#26661, legacy/trac#28390) and the broker (legacy/trac#29861), which has caused snowflake to stop working. We've set up rotating and compressed logs but it would be nic...We've run out of disk space at both the snowflake bridge (legacy/trac#26661, legacy/trac#28390) and the broker (legacy/trac#29861), which has caused snowflake to stop working. We've set up rotating and compressed logs but it would be nice to have some disk space monitoring to alert us if/when this happens again
Also, as discussed on IRC, we should eventually move the broker to a TPA machine.Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibethttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/28651Prepare all pieces of the snowflake pipeline for a second snowflake bridge2023-05-15T19:25:40ZRoger DingledinePrepare all pieces of the snowflake pipeline for a second snowflake bridgeRight now there is one snowflake bridge, and its fingerprint is hard-coded in tor browser.
Eventually we will have enough load, and/or want more resiliency, that we want to set up a second snowflake bridge.
To be able to do that, I thi...Right now there is one snowflake bridge, and its fingerprint is hard-coded in tor browser.
Eventually we will have enough load, and/or want more resiliency, that we want to set up a second snowflake bridge.
To be able to do that, I think we need changes at the client, changes at the snowflake, and changes at the broker.
[Edit 2022-03: the three items I list next are no longer quite the best way to do this ticket. See the extensive and ongoing discussions below for what we currently think is the best plan.]
(A) At the snowflake side, the snowflake needs to tell the broker which bridge(s) it is willing to send traffic to. Additionally, we either want to declare that each snowflake sends to only one bridge, or we need to add a way for the client to tell the snowflake which bridge it wants to reach.
(B) At the broker side, we need it to be able to learn from snowflakes which bridge(s) they use, and we need it to be able to learn from clients which bridge they want to use, and we need it to match clients with snowflakes that will reach that bridge.
(C) At the client side, we need it to tell the broker which bridge it wants to use, and (depending on our design choice in A above) we might also need the client to be able to tell the snowflake which bridge it wants to use.
(There is an alternative approach, where we assume that every snowflake is always running the newest javascript, so it is willing to reach every bridge on our master list. Then the broker doesn't need to do anything new, and we just need to add a way for the client to tell the snowflake which bridge it wants. I don't have a good handle on how realistic this assumption is.)Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibetshelikhooshelikhoohttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/25598Let the broker inform proxies how often to poll2022-07-25T17:59:44ZDavid Fifielddcf@torproject.orgLet the broker inform proxies how often to pollCurrently, proxies poll the broker at a static rate of once every 5–10 seconds. If we're anticipating thousands of proxies, we don't need them to poll so frequently.
The broker could instead tell each proxy how long to wait before polli...Currently, proxies poll the broker at a static rate of once every 5–10 seconds. If we're anticipating thousands of proxies, we don't need them to poll so frequently.
The broker could instead tell each proxy how long to wait before polling again. The broker could even dynamically adjust the rate based on an estimate of supply and demand.
One way to do this would be a custom header in responses to `/proxy` requests:
```
Snowflake-Next-Poll: Thu, 22 Mar 2018 18:05:47 GMT
```
Or using a relative time offset:
```
Snowflake-Next-Poll: 600
```
There was a similar idea for flash proxy.
legacy/trac#8171::
The facilitator included a fixed `check-back-in=600` in its responses.
legacy/trac#8172::
Adjust polling interval dynamically (never implemented).Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibethttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/19409Make a deb of snowflake (proxy and client) and get into Debian2022-03-05T21:42:54ZadrelanosMake a deb of snowflake (proxy and client) and get into Debianaka
`apt-get install snowflake`
Speaking for Whonix, this would be very useful. Perhaps for Tails as well, but I am not speaking for them.
(Similar to legacy/trac#13160.)aka
`apt-get install snowflake`
Speaking for Whonix, this would be very useful. Perhaps for Tails as well, but I am not speaking for them.
(Similar to legacy/trac#13160.)Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibetmeskiomeskio@torproject.orgmeskiomeskio@torproject.orghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/59Have Lox protocol functions return more descriptive errors2024-03-28T22:55:22ZCecylia BocovichHave Lox protocol functions return more descriptive errorsAt the moment, when a client is preparing a request to the Lox authority for one of the protocol functions, the only return type is a `ProofError::VerificationError`, which could indicate any number of potential reasons for failure, incl...At the moment, when a client is preparing a request to the Lox authority for one of the protocol functions, the only return type is a `ProofError::VerificationError`, which could indicate any number of potential reasons for failure, including:
- temporary and relatively common failure of not meeting the time threshold for unlocking the use of the protocol (e.g., `level_up`).
- a failure indicating misuse of the library (e.g., if the Lox and reachability credentials do not match)
- data corruption issues such as missing or invalid fields of the Lox credential
We're making assumptions in Tor Browser that the verification error is caused by the first case. While it still makes sense to return a `ProofError` for some of the functions in `lox-library::proto`, the `request` functions in particular should return a different more variable error type.Lox Ready for Open Testing CallCecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/58Better Invitation Encoding2024-03-01T11:43:41ZonyinyangBetter Invitation EncodingThe Lox invitation endpoint currently returns a string of bytes formatted like:
```
{"invite":92,149,13,240,159,9,236,1,141,15,246,61,49,4,53,142,229,56,160,137,155,86,127,166,223,8,80,114,117,17,210,3,2,0,0,0,5,36,19,41,86,145,241,114...The Lox invitation endpoint currently returns a string of bytes formatted like:
```
{"invite":92,149,13,240,159,9,236,1,141,15,246,61,49,4,53,142,229,56,160,137,155,86,127,166,223,8,80,114,117,17,210,3,2,0,0,0,5,36,19,41,86,145,241,114,93,58,10,118,162,141,183,53,200,168,179,108,34,222,21,15,252,195,121,92,185,187,78,126,17,67,153,113,32,87,109,232,90,104,27,162,141,83,26,121,195,47,249,109,50,104,220,136,183,111,7,8,93,53,3,12}
```
This is probably not ideal for a user to paste into the browser, though maybe it is fine?
We should check with the ux team to see if they have suggestions for a better user experience and consider changing this (and the interface) to accept a more user-friendly invite.Lox Ready for Open Testing Callonyinyangonyinyanghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/57Create a detailed workflow for investigating and responding to blocked Lox br...2024-02-26T17:32:10ZonyinyangCreate a detailed workflow for investigating and responding to blocked Lox bridgesThough automating the detection of blocked bridges has been a [long term goal](https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40035), discussed [here](https://gitlab.torproject.org/tpo/anti-censorship/rdsy...Though automating the detection of blocked bridges has been a [long term goal](https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40035), discussed [here](https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/112) as well, we should have a detailed workflow for how we will handle getting reports of blocked bridges, how often we will manually update bridge statuses for Lox bridges and who will be responsible for these updates during our test deployment.Lox Ready for Open Testing Callonyinyangonyinyanghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/56Increase the Lox Bridge Pool2024-02-28T11:06:12ZonyinyangIncrease the Lox Bridge PoolFor testing purposes, we spun up a few bridges to add to the Lox bridge pool. Before we release Lox for open testing, we should add some more. We decided it would make sense to increase the bridge pool to 10 bridges and do some internal ...For testing purposes, we spun up a few bridges to add to the Lox bridge pool. Before we release Lox for open testing, we should add some more. We decided it would make sense to increase the bridge pool to 10 bridges and do some internal testing with that number first before releasing to the wider communityLox Ready for Open Testing Callmeskiomeskio@torproject.orgmeskiomeskio@torproject.orghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/55Bridge replace flakey II2024-02-27T11:25:08ZonyinyangBridge replace flakey IIThe `bridge_replace` function is flakey again after adjusting the logic to remove spare buckets first and adding the `ReplaceSuccess::Removed` option.`The `bridge_replace` function is flakey again after adjusting the logic to remove spare buckets first and adding the `ReplaceSuccess::Removed` option.`Lox Ready for Open Testing Callonyinyangonyinyanghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/53Lock down the open invite endpoint on the distrubutor2024-02-21T13:58:13ZCecylia BocovichLock down the open invite endpoint on the distrubutorWe only want open invites to be requested by the telegram bot, so we should have that endpoint take an API key of some sort and only respond to requests if it matches one we know about.We only want open invites to be requested by the telegram bot, so we should have that endpoint take an API key of some sort and only respond to requests if it matches one we know about.Lox Ready for Open Testing Callonyinyangonyinyanghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/48Lox distributor hangs and does not respond to requests2024-02-27T11:28:53ZCecylia BocovichLox distributor hangs and does not respond to requestsWhile testing the Lox distributor functions today, I noticed it sometimes gets into a bad state where it hangs indefinitely and does not respond to requests. When trying to curl the open invitation endpoint I got a 504 response:
```
$ cu...While testing the Lox distributor functions today, I noticed it sometimes gets into a bad state where it hangs indefinitely and does not respond to requests. When trying to curl the open invitation endpoint I got a 504 response:
```
$ curl -I -X POST https://rdsys-frontend-01.torproject.org/lox/invite
HTTP/2 504
server: nginx
date: Wed, 17 Jan 2024 01:21:18 GMT
content-type: text/html
content-length: 160
```
Looking at the logs, I don't see anything unusual:
```
Jan 16 23:39:16 rdsys-frontend-01 lox-distributor[1209121]: Writing context to the db with key: "context_2024-01-16_23:39:16"
Jan 16 23:41:16 rdsys-frontend-01 lox-distributor[1209121]: BridgeLine [scrubbed] no longer in bridge table.
Jan 16 23:41:16 rdsys-frontend-01 lox-distributor[1209121]: BridgeLine [scrubbed] no longer in bridge table.
Jan 16 23:41:16 rdsys-frontend-01 lox-distributor[1209121]: BridgeLine [scrubbed] NOT replaced, saved for next update!
```
The distributor responds again after restarting it.Lox Ready for Open Testing Callonyinyangonyinyanghttps://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/28Set daily max bucket distribution and adjust other settings for production2024-02-15T16:52:09ZonyinyangSet daily max bucket distribution and adjust other settings for productionWe likely need to decide on an upper bound of buckets that can be distributed each day so that we don't run out of open invitation buckets. We currently have buckets being distributed to k users before a new bucket is used but if buckets...We likely need to decide on an upper bound of buckets that can be distributed each day so that we don't run out of open invitation buckets. We currently have buckets being distributed to k users before a new bucket is used but if buckets are continuously requested, we will eventually run out of buckets each day. These variables should be part of a configuration file for Lox.Lox Ready for Open Testing Callonyinyangonyinyanghttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/21Pass client command line args in as SOCKS args2022-12-01T18:05:43ZCecylia BocovichPass client command line args in as SOCKS argsThis allows us to move configuration from the `ClientTransportPlugin` line to the `Bridge` line.This allows us to move configuration from the `ClientTransportPlugin` line to the `Bridge` line.Ship Conjure in Alpha versions of Tor BrowserCecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/19Help the client recover from rejected phantom connections due to station load2022-11-28T17:38:53ZCecylia BocovichHelp the client recover from rejected phantom connections due to station loadDue to high load at the station, the client sometimes receives the following error when attempting to connect to negotiated proxies:
```
[11:32:12] [1-d9b572] failed to dial phantom [scrubbed]: dial tcp [scrubbed]: i/o timeout
```
Inst...Due to high load at the station, the client sometimes receives the following error when attempting to connect to negotiated proxies:
```
[11:32:12] [1-d9b572] failed to dial phantom [scrubbed]: dial tcp [scrubbed]: i/o timeout
```
Instead of rejected the SOCKS connection, we could have multiple retries. The gotapdance library already has some mechanism for spacing out retries I believe.Ship Conjure in Alpha versions of Tor BrowserCecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/18Use domain fronted connection for registration2023-01-13T16:31:39ZCecylia BocovichUse domain fronted connection for registrationRight now we make a direct connection. This should be just a matter of getting details about the existing domain front set up and configuring the provided torrc file.Right now we make a direct connection. This should be just a matter of getting details about the existing domain front set up and configuring the provided torrc file.Ship Conjure in Alpha versions of Tor BrowserCecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/15Secure connection between Conjure station and bridge2023-04-12T23:47:27ZCecylia BocovichSecure connection between Conjure station and bridgeThe Conjure station proxies TCP connections from clients to the deployed Conjure bridge (https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Survival-Guides/Conjure-Bridge). These connections are prepended with a plaintext PRO...The Conjure station proxies TCP connections from clients to the deployed Conjure bridge (https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Survival-Guides/Conjure-Bridge). These connections are prepended with a plaintext PROXY header that contains the client's IP address. We're working with the CU Boulder team on securing this connection through the use of SSH tunnels or Wireguard.Ship Conjure in Alpha versions of Tor BrowserCecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/14Build conjure reproducibly in Tor Browser2023-02-01T15:13:39ZCecylia BocovichBuild conjure reproducibly in Tor BrowserAdd a conjure project to [tor-browser-build](https://gitlab.torproject.org/tpo/applications/tor-browser-build/) to produce a Conjure client binary and relevant torrc defaults.Add a conjure project to [tor-browser-build](https://gitlab.torproject.org/tpo/applications/tor-browser-build/) to produce a Conjure client binary and relevant torrc defaults.Ship Conjure in Alpha versions of Tor BrowserCecylia BocovichCecylia Bocovichhttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/12Use safelog at the server2022-11-28T20:37:45ZCecylia BocovichUse safelog at the serverWe're already using it at the client, we should use it for the deployed server now that we have that up and running.We're already using it at the client, we should use it for the deployed server now that we have that up and running.Ship Conjure in Alpha versions of Tor BrowserCecylia BocovichCecylia Bocovich