Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
2024-03-05T12:21:14Z

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40344
Snowflake works unreliably in China, 2024 Q1
2024-03-05T12:21:14Z
shelikhoo
We have been receiving conflicting reports about connectivity interruptions in China.
There was one report from a user that highlighted this issue: https://github.com/net4people/bbs/issues/325. We were able to observe a similar interruption on our vantage point: https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/bridgestatus/-/blob/dc663e36d7dc81467a63f59c5d435b9f93e9e3ab/recentResult_cnnext#L89 .
The exact way the connection gets interrupted differs from report to report. The report from the GitHub user shows the connection can be established, but was interrupted soon. The report from the vantage point shows the DTLS connection handshake was unsuccessful, or the remote server was unreachable.
As of now, the censorship we are observing is decreasing, as some reports' subsequent reports show a successful connection after waiting sufficiently long.

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/137
A new home for bridges.tpo/info
2024-03-04T17:40:00Z
meskio meskio@torproject.org
https://bridges.torproject.org/info lists all the bridge distribution mechanisms. AFAIK the only place this is being linked from is the *Bridge distribution mechanism* on the bridge page in metrics.tpo. We might have a better place for this page than BridgeDB (soon to be rdsys).
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/60
Some languages are not appearing in the 'Change Language' menu
2024-03-04T16:49:34Z
meskio meskio@torproject.org
The following translations are installed but don't appear in the menu: ar, be, bg, ca, hr, cs, is, it, ja, pt_BR, ro
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/issues/41
issue when downloading from https://bridges.torproject.org/bridgestrap-collector
2024-03-19T13:15:07Z
Hiro
I have noticed an issue when collector-02 is downloading from: https://bridges.torproject.org/bridgestrap-collector
This is the error I see in java.
```
2024-03-01 09:45:13,880 WARN o.t.m.c.b.BridgestrapStatsDownloader:70 Failed downloading https://bridges.torproject.org/bridgestrap-collector.
java.io.IOException: Premature EOF
at java.base/sun.net.www.http.ChunkedInputStream.readAheadBlocking(ChunkedInputStream.java:567)
at java.base/sun.net.www.http.ChunkedInputStream.readAhead(ChunkedInputStream.java:611)
at java.base/sun.net.www.http.ChunkedInputStream.read(ChunkedInputStream.java:705)
at java.base/java.io.FilterInputStream.read(FilterInputStream.java:132)
at java.base/sun.net.www.protocol.http.HttpURLConnection$HttpInputStream.read(HttpURLConnection.java:3698)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at org.torproject.metrics.collector.downloader.Downloader.downloadFromHttpServer(Downloader.java:55)
at org.torproject.metrics.collector.downloader.Downloader.downloadFromHttpServer(Downloader.java:26)
at org.torproject.metrics.collector.bridgestrap.BridgestrapStatsDownloader.startProcessing(BridgestrapStatsDownloader.java:68)
at org.torproject.metrics.collector.cron.CollecTorMain.run(CollecTorMain.java:55)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
```
I made some little measurements from bash and got this:
```
time_namelookup: 0.050899s
time_connect: 0.097606s
time_appconnect: 0.159109s
time_pretransfer: 0.159138s
time_redirect: 0.000000s
time_starttransfer: 0.209088s
----------
time_total: 5.969495s
```
Seems nothing is really amiss. Any idea what is happening? Is this a web server issue or should I talk to anti-censorship instead?
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/194
Unable to load Moat captchas in Tor Browser
2024-03-04T13:34:53Z
ebanam ebanam@torproject.org
The request is timing out after a few moments with the message "Solve the CAPTCHA to request a bridge" but no accompanying image.
![moat-captcha-2](/uploads/1f9dc45b8eecac9d2f32561187c286dd/moat-captcha-2.png){width=50%}

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/136
renew Docker-Sponsored Open Source Program
2024-03-26T10:35:25Z
meskio meskio@torproject.org
The billing tab of our docker organization says:
> Your Docker-Sponsored Open Source status will expire on Apr 15, 2024.
> To keep your Docker-Sponsored Open Source status, look for our email containing renewal information and follow the link within to reapply.
I got the mentioned email. I was assuming it was a phishing email as the renew link points to *docker.my.site.com*, but I guess it is legit (site.com is a Salesforce domain and the DKIM of the email looks valid):
```
We would like to kindly remind you that your current subscription to
the Docker-Sponsored Open Source Program is set to expire in 45 days.
We highly value your participation in the program and would like to
invite you to renew your subscription.
[1]Click Here to Renew
By renewing, you'll continue to benefit from the program's offerings
if your project still meets the [2] qualification criteria. An annual
Docker Team subscription will be allocated to the following project
organization: Docker ID - thetorproject
Here are the benefits you'll continue to enjoy:
* Autobuilds
* Free team seats
* Rate-limit removal for all users pulling public images from your
project namespace
* Sponsored OSS badge on Docker Hub and being prioritized in search
results
* Usage reporting
Before you proceed with the renewal application, we kindly request
that you take a moment to complete a [3]brief survey. Your feedback
in the survey does not impact the review of your application; it will
only be used to inform improvements to the program so that we can
better serve the open-source community.
If you have any questions or encounter any technical issues during
the renewal process, please don't hesitate to contact
support@docker.com. Our team is here to assist you and ensure a
smooth renewal experience.
Thank you!
The Docker Team
```
Anyway, I guess we should follow the email instructions and renew the subscription. Depending on how much work that is, we might want to consider more seriously moving to our gitlab container registry (#121)
meskio meskio@torproject.org
2024-03-28

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40343
Make the client automatic try and report to user what snowflake options combination work
2024-03-04T10:16:38Z
snowflake_user_40314
I think currently we have too many snowflake option combinations (e.g. front domains, STUN servers, URLs of brokers at various CDN, and others).
Thus, I think perhaps we should provide a way to let the user input the potential options as a front domains list, STUN servers list, URLs of brokers list, and others; then automatically try and report to the user what options combination (or bridge line) works.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40342
Shadow integration tests occasionally panic
2024-03-07T22:51:40Z
Cecylia Bocovich
A recent job failed: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/jobs/491691
This is likely runner-dependent, since no changes were made to the Shadow tests since it last passed:
```
$ shadow --log-level=debug --model-unblocked-syscall-latency=true snowflake-minimal.yaml > shadow.log
** Starting Shadow v3.0.0-557-g193924aa 2023-08-25--13:24:51 with GLib v2.66.8
thread 'shadow-worker' panicked at 'called `Result::unwrap()` on an `Err` value: ENOSYS', main/utility/childpid_watcher.rs:269:37
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'shadow-worker' panicked at 'called `Result::unwrap()` on an `Err` value: PoisonError { .. }', main/utility/childpid_watcher.rs:268:43
thread 'shadow-worker' panicked at 'called `Result::unwrap()` on an `Err` value: PoisonError { .. }thread '', shadow-workermain/utility/childpid_watcher.rs' panicked at ':assertion failed: self.shim_shmem_lock.borrow().is_none()268', :main/host/host.rs43:
971:9
fatal runtime error: thread local panicked on drop
thread 'shadow-worker' panicked at 'called `Result::unwrap()` on an `Err` value: PoisonError { .. }', main/utility/childpid_watcher.rs:268:43
thread 'shadow-worker' panicked at 'assertion failed: self.shim_shmem_lock.borrow().is_none()', main/host/host.rs:971:9/bin/bash: line 210: 30403 Aborted (core dumped) shadow --log-level=debug --model-unblocked-syscall-latency=true snowflake-minimal.yaml > shadow.log
```

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/135
Fastly blocked domain fronting
2024-03-15T17:12:53Z
Gus
It seems Fastly has started to block domain fronting today (2024-03-01):
```
Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [0cc7e46ae66a20cf2bce81a1fb4bc83c2b27d310f7177487dfb9665316892903] in use with this connection.
```
@ValdikSS reported this issue 3 days ago on Net4people BBS: https://github.com/net4people/bbs/issues/309#issuecomment-1968514057
This issue is affecting:
- Moat, Connection Assist, and Snowflake.
For Snowflake, meek-azure broker seems to be working fine:
```
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.azureedge.net/ fronts=ajax.aspnetcdn.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA https://snowflake-broker.azureedge.net/ fronts=ajax.aspnetcdn.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
```
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40341
Encode AWS credentials for SQS rendezvous
2024-03-12T11:26:12Z
Cecylia Bocovich
Amazon's automatic scraping of Github has found our public credentials shared on https://github.com/net4people/bbs/issues/335 which leads to their support team requiring us to rotate them. We may be able to avoid this by encoding our credentials (for example with base64) and having users pass in the encoded strings.
cc @mpu

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40340
Add a mechanism to retest the client NAT type
2024-03-04T08:42:02Z
Cecylia Bocovich
While we do periodically retest the NAT type of proxies, a client's NAT type is only checked once on startup. The result is that if, after the initial check, a client's network conditions change, they may have difficulty connecting to proxies in their pool. Since client usage of snowflake is much more time-sensitive than proxies, the trigger for a retest could be a threshold of a certain number of failed Datachannel attempts.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40339
Avoid SQS queue reuse errors
2024-03-05T17:40:02Z
Cecylia Bocovich
As described in https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40323#note_3002284, the reuse of the `sqsClientID` can cause errors on subsequent rendezvous attempts.
mpu

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40337
AWS warning about public IAM credentials for SQS rendezvous
2024-03-08T12:58:24Z
Cecylia Bocovich
I got the following email from AWS:
```
We have become aware that the AWS Access Key AKIA5AIF4WJJXS7YHEG3 , belonging to IAM User SQS-client ,
along with the corresponding Secret Key is publicly available online at
https://github.com/net4people/bbs/issues/335#issue-2157478835 .
Your security is important to us and this exposure of your account’s IAM credentials poses a security
risk to your AWS account, could lead to excessive charges from unauthorized activity, and violates
the AWS Customer Agreement or other agreement with us governing your use of our Services.
```
They probably have some automated tools to search for secret keys in Github repositories.
I have replied to the open support ticket to confirm that the sharing of credentials was intentional. Hopefully they will allow us to continue to use them.
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/40013
version is reported as lyrebird-0.0.14
2024-03-04T19:48:23Z
toralf
shouldn't it be 0.1.0 ?
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40336
Should we default enable SQS rendezvous of Snowflake in built-in bridge?
2024-02-28T17:55:43Z
snowflake_user_40314
The current default rendezvous (domain fronting) is [expected to stop working](https://lists.torproject.org/pipermail/anti-censorship-team/2023-October/000328.html).
Current 13.0.10 does not enable SQS rendezvous by default.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40335
No release for version 2.9.0
2024-02-27T16:41:36Z
Poncho
Hi there
Some time ago, you've tagged version 2.9.0
It's available under https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tags
But there is no corresponding release under https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/releases and the release job was skipped https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/jobs/471273
Not sure whether this is all on purpose or if something went wrong. Therefore, opening this issue.
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/59
@gettor_bot on Telegram does not work
2024-03-26T10:20:35Z
nina
it shows "loading" but nothing happens
meskio meskio@torproject.org
2024-02-22

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/89
0.7.3 rejected from mozilla
2024-03-28T04:37:33Z
meskio meskio@torproject.org
We got this email:
> Due to issues discovered during the review process, one or more versions of your add-on Snowflake will be disabled on addons.mozilla.org in 14 day(s). Please
> see the reviewer’s comments below for more information.
>
> ********
> Details:
> - Reproducing the submitted release version based on the provided source code package and instructions failed.
>
> You can access the console output at https://paste.mozilla.org/kOCS6sFe
> Environment used for building: Node 20.10.0, npm 10.2.3 on Ubuntu 22.04 LTS x64 (10GB RAM, 6 CPUs)
>
> Please test your build in a clean environment to make sure it is reproducible. If necessary, update the source code package and/or the instructions to
> reproduce.
> Please read through the instructions at https://extensionworkshop.com/documentation/publish/source-code-submission/ .
>
> Version(s) affected:
> 0.7.3
> ********
>
> Please address the issues raised in the reviewer's notes and inquire about any unclear items. Afterwards, please upload a new version of your add-on at
> https://addons.mozilla.org/en-US/developers/addon/torproject-snowflake/versions.
>
> To respond, please reply to this email or visit https://addons.mozilla.org/en-US/developers/addon/torproject-snowflake/versions. If we do not hear from you
> within 14 day(s) of this notification, these versions will be removed from addons.mozilla.org. Current users of these versions will be unaffected.

Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40334
Post upgrade
2024-02-17T22:19:10Z
Linus Nordberg linus@torproject.org
- [x] apt autoremove; apt remove '~c'
- [x] apt-mark auto rsyslog && apt autoremove # https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40333
Perform upgrade
2024-02-17T21:55:05Z
Linus Nordberg linus@torproject.org
- [x] APT sources prepared
- [x] apt update && apt -o APT::Get::Trivial-Only=true full-upgrade
- [x] apt upgrade --without-new-pkgs
- [x] apt full-upgrade
- [x] reboot