Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
2021-06-17T14:18:46Z

Design for final notification UI.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-mobile/-/issues/10
2021-06-17T14:18:46Z, HashikD

Making and designing the final notification UI.

localize screenshots on snowflake page
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/11
2021-06-17T14:19:28Z, Roger Dingledine

https://snowflake.torproject.org/?lang=zh_CN
scroll down to the picture of Tor Browser's network settings. That's an English Tor Browser. Should the Chinese version of the page be showing people using a Tor Browser in Chinese?

Track down old GetTor mirrors and decide what to do with them
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/23
2022-03-01T17:19:09Z, Cecylia Bocovich

Just talked to alwayslivid on IRC and found out that there's a list of mirrors in `config/tor-mirrors.json`. Some of these are serving very old versions of Tor Browser. We should find them and reach out to the operators and figure out what we want to do about mirrors going forward.

Remove local LAN address ICE candidates from JS proxy answer
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/3
2023-01-20T08:33:58Z, Arlo Breault

This is a follow up from legacy/trac#19026 where it was done for the clients and golang proxies.

Gmail marks emails from BridgeDB as spam
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/33727
2022-07-24T17:16:25Z, Philipp Winter (phw@torproject.org)

I noticed that Gmail now tosses emails from BridgeDB's autoresponder into its spam folder:
![spam.cleaned.png, 100%](uploads/spam.cleaned.png, 100%)
BridgeDB's instructions should mention that users should take a look into their spam folder if they didn't get a response. Ideally, we should find a way to prevent this from happening. I clicked the "Report not spam" button of every single BridgeDB email. I hope it will tell Gmail's classifier that this is a false positive.
hanneloresx

Settings immediately after install
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/33560
2021-06-17T14:23:19Z, Trac

3/9/20, 04:33:18.780 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
3/9/20, 04:33:19.122 [NOTICE] Bootstrapped 14% (handshake): Handshaking with a relay
3/9/20, 04:33:19.336 [NOTICE] Bootstrapped 15% (handshake_done): Handshake with a relay done
3/9/20, 04:33:19.337 [NOTICE] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
3/9/20, 04:33:19.338 [NOTICE] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
3/9/20, 04:33:19.340 [NOTICE] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
3/9/20, 04:33:20.168 [NOTICE] Bootstrapped 100% (done): Done
3/9/20, 04:33:21.105 [NOTICE] New control connection opened from 127.0.0.1.
3/9/20, 04:33:21.354 [NOTICE] New control connection opened from 127.0.0.1.
3/9/20, 04:34:59.416 [WARN] CreateProcessA() failed: The system cannot find the file specified.
3/9/20, 04:34:59.416 [WARN] Pluggable Transport process terminated with status code 0
3/9/20, 04:34:59.417 [WARN] Failed to start process: (null)
3/9/20, 04:34:59.417 [WARN] Managed proxy at 'TorBrowser\Tor\PluggableTransports\obfs4proxy.exe' failed at launch.
3/9/20, 04:34:59.417 [NOTICE] Switching to guard context "bridges" (was using "default")
3/9/20, 04:34:59.504 [NOTICE] Delaying directory fetches: No running bridges
3/9/20, 04:34:59.504 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:34:59.504 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:34:59.504 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:00.507 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:00.508 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:00.509 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:01.511 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:01.511 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:02.523 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:02.523 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:03.529 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:03.529 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:04.542 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:04.543 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:05.546 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:06.556 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:06.556 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:07.582 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:07.583 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:07.584 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:08.567 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:09.575 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:09.576 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:11.593 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:12.611 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:14.621 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:15.635 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:16.645 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:17.648 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:18.660 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:19.672 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:22.546 [WARN] CreateProcessA() failed: The system cannot find the file specified.
3/9/20, 04:35:22.547 [WARN] Pluggable Transport process terminated with status code 0
3/9/20, 04:35:22.547 [WARN] Failed to start process: (null)
3/9/20, 04:35:22.548 [WARN] Managed proxy at 'TorBrowser\Tor\PluggableTransports\obfs4proxy.exe' failed at launch.
3/9/20, 04:35:22.760 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:22.760 [NOTICE] Bridge at '5.2.75.181:9785' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:22.760 [NOTICE] Bridge at '96.41.145.139:42260' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:23.767 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:23.767 [NOTICE] Bridge at '5.2.75.181:9785' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:23.767 [NOTICE] Bridge at '96.41.145.139:42260' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:24.759 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:24.759 [NOTICE] Bridge at '96.41.145.139:42260' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:25.759 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:25.759 [NOTICE] Bridge at '5.2.75.181:9785' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:26.771 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:26.771 [NOTICE] Bridge at '96.41.145.139:42260' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:27.790 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:27.791 [NOTICE] Bridge at '5.2.75.181:9785' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:28.775 [NOTICE] Bridge at '217.12.199.130:42367' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:28.775 [NOTICE] Bridge at '96.41.145.139:42260' isn't reachable by our firewall policy. Asking bridge authority instead.
3/9/20, 04:35:29.290 [WARN] CreateProcessA() failed: The system cannot find the file specified.
3/9/20, 04:35:29.290 [WARN] Pluggable Transport process terminated with status code 0
3/9/20, 04:35:29.290 [WARN] Failed to start process: (null)
3/9/20, 04:35:29.300 [WARN] Managed proxy at 'TorBrowser\Tor\PluggableTransports\obfs4proxy.exe' failed at launch.
3/9/20, 04:35:29.761 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:29.761 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:29.761 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:30.763 [WARN] We were supposed to connect to bridge '217.12.199.130:42367' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:30.763 [WARN] We were supposed to connect to bridge '5.2.75.181:9785' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
3/9/20, 04:35:30.763 [WARN] We were supposed to connect to bridge '96.41.145.139:42260' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
**Trac**:
**Username**: KatBloodgood

Multiarch docker obfs4 bridge
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/33461
2021-06-17T14:23:19Z, Trac

Having more images enables the bridge operators to directly pull an image instead of modifying the Dockerfile and consequently building that image. For example, the supported architectures can be x86_64, aarch64 and arm.
In order to do so we can have multiple `Dockerfile.arch` where https://github.com/multiarch/qemu-user-static is used in order to build such an image.
For example in the Dockerfile.arm file the content should be something like:
```
# Base docker image
FROM multiarch/qemu-user-static:x86_64-arm as qemu
FROM arm32v7/debian:buster-slim
COPY --from=qemu /usr/bin/qemu-arm-static /usr/bin
# Install remaining dependencies.
RUN apt-get update && apt-get install -y \
    tor \
    tor-geoipdb \
    obfs4proxy \
    libcap2-bin \
    --no-install-recommends
# Allow obfs4proxy to bind to ports < 1024.
RUN setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
RUN setcap cap_net_bind_service=+ep /usr/bin/tor
# Our torrc is generated at run-time by the script start-tor.sh.
RUN rm /etc/tor/torrc
RUN chown debian-tor:debian-tor /etc/tor
RUN chown debian-tor:debian-tor /var/log/tor
COPY start-tor.sh /usr/local/bin
RUN chmod 0755 /usr/local/bin/start-tor.sh
COPY get-bridge-line /usr/local/bin
RUN chmod 0755 /usr/local/bin/get-bridge-line
USER debian-tor
CMD [ "/usr/local/bin/start-tor.sh" ]
```
**Trac**:
**Username**: thymbahutymba

Probe Snowflake bridge from proxy 1x a day
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/10
2022-04-05T17:04:55Z, Cecylia Bocovich

We're getting reports that the Snowflake bridge isn't reachable in legacy/trac#33364, but it's taking a while for volunteers to notice because the probe check only happens once at installation or if you disable/enable the proxy.
Perhaps we can do the probe check 1x a day (e.g., when we do the stats refresh)?
Arlo Breault

Make obfs4 Docker image support private bridges
https://gitlab.torproject.org/tpo/anti-censorship/docker-obfs4-bridge/-/issues/3
2021-10-25T18:55:11Z, Philipp Winter (phw@torproject.org)

For legacy/trac#28526 it would be helpful if one could configure an obfs4 Docker container to be private. We could simply add a new environment variable, say `PRIVATE_BRIDGE`, which controls whether the container sets `BridgeDistribution none` in its torrc or not.

How can we optimise the anti-censorship suite for mobile?
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/11
2022-03-01T17:19:09Z, Philipp Winter (phw@torproject.org)

Mobile applications have significant space constraints, which makes it difficult to bundle Tor and its circumvention suite. For example, obfs4proxy 0.0.7 in Debian Buster currently has a binary size of 5.2 MB and snowflake-client in Tor Browser 9.5 has a binary size of 7.7 MB. This is largely due to both projects being implemented in golang, which only supports static linking.
What can we do to reduce our circumvention suite's disk footprint? The obvious answer would be to re-implement obfs4 and snowflake in a dynamically-linked language. What else can we do?

Understand where gettor distribution providers are blocked
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40023
2022-11-27T22:36:00Z, Cecylia Bocovich

We should get a better understanding of where our different gettor providers are blocked. Right now we use four different providers:
- `gitlab.com`
- `github.com`
- `archive.org`
- `docs.google.com`
However, some of these domains resolve to a different URL in the process of downloading the file. For example, binaries uploaded to github used to be retrieved from `raw.githubusercontent.com` and now it redirects to `github-production-release-asset-2e65be.s3.amazonaws.com`.
Perhaps we can use OONI data to stay on track of when gettor becomes unavailable due to blocking these URLs?

Find a way to notify deployed proxy-go instances of updates
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/32677
2024-03-13T06:57:03Z, Cecylia Bocovich

We've had a few people run proxy-go instances in the past and express interest in running them. These instances should be updated periodically or when there is a critical reason to do so. Right now we don't have a good way to notify deployed instances of updates.

Static tor in docker container
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/32550
2020-10-29T20:26:58Z, Trac

I was wondering about how to improve the docker image. The current version of the provided image, in this case for bridges, uses debian. This ends up in a "big" image that, in my honest opinion, wastes a lot of space.
In order to improve the deployment and the space required by such a container, which can even be extended to all relays, I wrote a Makefile to statically build tor. Once there is a static build of tor, it should be enough to provide just that inside the container.
```
PREFIX=$(shell pwd)/dist
RELEASE=$(shell pwd)/release

TOR=https://dist.torproject.org
TOR_VER=0.4.1.6

LIBEVENT=https://github.com/libevent/libevent/releases/download
LIBEVENT_VER=2.1.11-stable

OPENSSL=https://github.com/openssl/openssl/archive
OPENSSL_VER=1_0_2t

ZLIB=https://zlib.net
ZLIB_VER=1.2.11

CLEAN_DIRS=$(dir .)

all: tor

# Recipe lines must start with a tab character.
# libseccomp is not listed as a prerequisite: this Makefile has no rule for
# it, and tor is configured with --disable-seccomp below.
tor: tor-${TOR_VER} libevent zlib openssl
	cd $< && \
	./configure \
		--prefix=${RELEASE} \
		--enable-static-tor \
		--with-openssl-dir=${PREFIX} \
		--with-libevent-dir=${PREFIX} \
		--with-zlib-dir=${PREFIX} \
		--disable-asciidoc \
		--disable-system-torrc \
		--disable-seccomp \
	&& $(MAKE) $(MAKEFLAGS) && $(MAKE) install

libevent: libevent-${LIBEVENT_VER}
	cd $< && \
	./configure --prefix=${PREFIX} --enable-shared=no && \
	$(MAKE) $(MAKEFLAGS) && $(MAKE) install

openssl: OpenSSL_${OPENSSL_VER}
	cd $< && \
	./config no-shared no-dso no-zlib --prefix=${PREFIX} && \
	$(MAKE) depend && $(MAKE) $(MAKEFLAGS) && $(MAKE) install_sw

zlib: zlib-${ZLIB_VER}
	cd $< && \
	./configure --prefix=${PREFIX} --static && \
	$(MAKE) $(MAKEFLAGS) && $(MAKE) install

## Download and extract source if required
# A "/" is needed between the base URL and the tarball name.
tor-${TOR_VER}:
	wget -qO- ${TOR}/$@.tar.gz | \
	bsdtar xzf -

libevent-${LIBEVENT_VER}:
	wget -qO- ${LIBEVENT}/release-${LIBEVENT_VER}/$@.tar.gz | \
	bsdtar xzf -

# The archive unpacks to openssl-<tag>; rename it to match the target name.
OpenSSL_${OPENSSL_VER}:
	wget -qO- ${OPENSSL}/$@.tar.gz | \
	bsdtar xzf -
	mv openssl-$@ $@

zlib-${ZLIB_VER}:
	wget -qO- ${ZLIB}/$@.tar.gz | \
	bsdtar xzf -
```
**Trac**:
**Username**: thymbahutymba

tor can't bootstrap with obfs4 bridge and skewed clock
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/32439
2022-06-22T07:35:54Z, intrigeri

Environment: Debian unstable, Tor Browser 9.0.1, system clock set 2h in the future.
Observed behavior: Tor Launcher says "Connected to bridge" but the progress bar is stuck at a very low percentage. After a while, the "Copy Tor Log To Clipboard" button appears.
Impact: Tails users whose hardware clock is set to local time, in a timezone that's not close enough to UTC, cannot use obfs4 bridges. Unfortunately, that's quite common, because:
* Windows sets the hardware clock to local time by default (as opposed to Unix systems, that tend to assume the hardware clock is in UTC)
* many places where one needs obfs4 to use Tor are 4-7 hours ahead of UTC
* Tails can't guess whether the hardware clock is set to UTC time or to local time; it assumes it's UTC time
Corresponding tor log (actual obfs4 bridges IP & port redacted):
```
11/9/19, 16:39:11.903 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
11/9/19, 16:39:11.903 [NOTICE] Switching to guard context "bridges" (was using "default")
11/9/19, 16:39:11.903 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
11/9/19, 16:39:11.903 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
11/9/19, 16:39:11.903 [NOTICE] Opening Socks listener on 127.0.0.1:9150
11/9/19, 16:39:11.903 [NOTICE] Opened Socks listener on 127.0.0.1:9150
11/9/19, 16:39:11.903 [NOTICE] Renaming old configuration file to "/home/toto/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc.orig.1"
11/9/19, 16:39:12.885 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
11/9/19, 16:39:12.887 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
11/9/19, 16:40:06.330 [WARN] Proxy Client: unable to connect to $IP1:$PORT1 ("general SOCKS server failure")
11/9/19, 16:40:12.957 [WARN] Proxy Client: unable to connect to $IP2:$PORT2 ("general SOCKS server failure")
11/9/19, 16:40:13.120 [WARN] Proxy Client: unable to connect to $IP3:$PORT3 ("general SOCKS server failure")
11/9/19, 16:41:10.165 [WARN] Proxy Client: unable to connect to $IP1:$PORT1 ("general SOCKS server failure")
11/9/19, 16:41:14.240 [WARN] Proxy Client: unable to connect to $IP2:$PORT2 ("general SOCKS server failure")
11/9/19, 16:41:20.420 [WARN] Proxy Client: unable to connect to $IP3:$PORT3 ("general SOCKS server failure")
```

Analyse the "Carbon Reductor DPI X" DPI system
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/32095
2021-07-09T14:14:25Z, Philipp Winter (phw@torproject.org)

See https://github.com/net4people/bbs/issues/15
Let's take a look at the DPI system and see what we can learn from it. Hopefully, it will help us refine our threat models.

Sharing Keys Through HTML?
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/32047
2021-06-17T14:23:19Z, Trac

If you read how RSA works, it is obvious that decrypting something that is not meant to be decrypted still works to get random digits that are of similar length. Here, an idea would be to hide some random digits in HTML, for example into the first hundred colors in `<style>` or counting the number of letters inside the first fifty `<p>`s. These are numerical fields inside HTML that could have a string, encrypted by a preshared RSA key (people know both the private and public key), put into it to be hidden. People will then decrypt that to get a public key to do the key sharing. While the censor cannot distinguish a regular HTML and a keysharing HTML because decrypting any regular HTML also gets you a salted public key, because both look like nothing. This is weak on its own because the censor could easily try to decrypt anything with the gotten key that originates from the requesting address, and if it works it is a tor connection, but at the same time, with two different connections originating from different addresses (could be two connections to WiFi to get different port forwarding), it is difficult for the censor to check every single connection against each HTML file for the key across the same public IP. I believe that obfs4 has this problem with the keysharing which reveals that it is an obfs4 connection.
**Trac**:
**Username**: Aphrodites1995

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/31847
Expand contribution guidelines for snowflake
2022-03-01T15:55:52Z
Cecylia Bocovich

We're getting more contributors to the project, we should expand CONTRIBUTING.md with some more basic guidelines like
- formatting of commit messages
- creating tickets for each pull request
- make sure the changes in the commit adhere to the commit message and the corresponding ticket

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/31804
Authentication for proxy--bridge connections
2022-04-05T15:26:33Z
Cecylia Bocovich

A DDoS attack surface was brought up in discussion on IRC yesterday (and has been talked about to some extent before).
To summarize the issue:
The Snowflake bridge accepts websocket connections from any other endpoint (this is in part necessary because anyone can be a proxy and we want as many proxies as possible and the more ephemeral they are, the harder it is for a censor to block all of them).
This means that a malicious party with the ability to distribute malicious javascript can have unsuspecting clients execute javascript that makes a websocket connection to the bridge and use the Tor network to upgrade their websocket connection to a plain TCP connection.
This basically allows someone to use Tor in order to perform DDoS attacks on TCP services, using malicious javascript as the attack vector. While the effectiveness of this attack probably wouldn't be that good (all the attack traffic would be congested through the single Snowflake bridge), it could provide a way for a censor to more easily DDoS Snowflake itself.
We could provide some kind of authentication step involving the bridge, broker, and snowflake proxy.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/31719
obfs4proxy should be more helpful if state file is empty
2021-06-17T14:23:19Z
Philipp Winter (phw@torproject.org)

We had a user on IRC who ran into the following error message:
```
[warn] Server managed proxy encountered a method error. (obfs4 failed to load statefile '/var/db/tor/pt_state/obfs4_state.json': unexpected end of JSON input)
```
It turns out that the user's state file was empty. Removing the state file and then having obfs4proxy re-create it fixed the problem. Obfs4proxy should realise that the state file is empty (as opposed to corrupt) and either re-create it itself or advise the user to delete it and try again.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/31661
Run multiple snowflake bridges and optimize for least latency most throughput by GeoIP based route selection
2022-07-25T17:59:44Z
cypherpunks

After the publication of this [article](https://gigazine.net/news/20190812-tor-snowflake/) hundreds of Japanese people started installing the Snowflake WebExt (yay!), but despite having an Internet service that's orders of magnitude better than the average American household, the distance between them and the `nl` snowflake bridge seriously impacts the throughput, so much that some snowflake proxies from Japan - despite having more than 20MB/s upload/download - can't offer a download speed bigger than 150KiB/s. What if there were for instance 5 snowflake bridges in different geographical locations in the world and the broker associated with each snowflake proxy the nearest snowflake bridge and sent this information to the user (based on GeoIP, of course, not perfect but better than the status quo)?