Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
Updated: 2023-11-23T10:57:38Z

Implement the email distributor
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/186
Updated: 2023-11-23T10:57:38Z
Author: meskio (meskio@torproject.org)
Assignee: meskio (meskio@torproject.org)

Implement a moat captcha API on top of circumvention settings
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/182
Updated: 2024-03-21T17:27:19Z
Author: meskio (meskio@torproject.org)

Implement the CAPTCHA API in rdsys with a static CAPTCHA. So we can turn off BridgeDB without the need to deprecate the API yet. It should have a single captcha that is always the same and easy to solve, but don't even check if the solution is correct.

Assignee: meskio (meskio@torproject.org)

503 error when contacting registration server
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/38
Updated: 2024-02-27T11:11:15Z
Author: Cecylia Bocovich

Trying to use Conjure today results in a 503 error from the registration server:
```
[10:11:45] error in registration attempt: non-success response code 503 on https://registration.refraction.network.global.prod.fastly.net/api/register-bidirectional
```

Assignee: Cecylia Bocovich

"The Tor Browser" -> "Tor Browser"
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/56
Updated: 2024-02-27T11:04:51Z
Author: Roger Dingledine

In working on https://gitlab.torproject.org/tpo/web/support/-/issues/341 I noticed that gettor has "the Tor Browser" in its strings too.
We should go through and get rid of the "the" when appropriate.
There is also a screenshot on the https://tb-manual.torproject.org/downloading/ page that could probably use an update once the new strings are in place.
We could also use this opportunity to update the rest of the strings as needed, but it is fine if not too. :) Thanks!

Update the list of RFC 5780 compatible STUN servers
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40304
Updated: 2024-02-27T11:04:02Z
Author: Cecylia Bocovich

When looking at some client logs, I noticed several of the following messages:
```
WARNING: 2023/11/02 18:40:42 Error: NAT discovery feature not supported by this server
```
It appears that several of our default STUN servers at the client no longer support this feature. This may partially explain the high number of unknown client NAT types that we see in the metrics.

Show number of currently open connections in hourly standalone proxy log output
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40303
Updated: 2023-12-13T19:18:04Z
Author: Cecylia Bocovich

From @arma in #40302:
> as an operator I want to hear about how many connections are open right now. This number might be quite a bit higher than our current stats imply, if some small fraction of connections stay open for many epochs. Or it might not be, I'm not sure.

Deploy whatsapp
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/178
Updated: 2024-03-27T00:03:34Z
Author: meskio (meskio@torproject.org)

We'll need a phone number for it and an actual smartphone on running all the time. And a user in rdsys-fronted-01 to deploy it.

Milestone: Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
Assignee: meskio (meskio@torproject.org)

snowflake client is lazy for exact 24 hours
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40300
Updated: 2024-02-27T13:22:50Z
Author: toralf

Happened for 2 clients within last few days with latest git-HEAD : The client is up and running and has network connections to _snowflake-01_, but it is doing nothing - and is working in a normal way without any intervention after 1 day. Here're the Grafana metrics:
![image](/uploads/5c2ce560adc435eda8433179e3410f02/image.png)

standalone snowflake README still says go 1.15+ needed
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40290
Updated: 2023-10-20T15:25:32Z
Author: Roger Dingledine

The proxy/README.md file still says you need Go 1.15+, but it appears from e.g. https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/184 like the go version requirement is now 1.21.
So, two things:
* We should update the README to reflect current requirements
and
* We should figure out what we want to tell people on Debian, who can no longer build snowflake, if they don't want to engage in installing and maintaining the whole toolchain manually. Do they stick with v2.6.1? Do they turn off their snowflake? Something even smarter? ...and then write that in the README too.

run some experiments with CAPTCHAs
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/176
Updated: 2023-12-18T18:28:37Z
Author: meskio (meskio@torproject.org)

As we are planning to phase out CAPTCHAs (#173), can we run some experiments and see if they can be still effective?
We could either use the existing moat CAPTCHA API as we have some months until clients stop using it, or we could do it in the HTTPS distributor as soon as we have migrated it to rdsys (#2).
There was a thread in the mailing list some years ago about this:
https://lists.torproject.org/pipermail/tor-dev/2021-July/014604.html
We should explore the space and see what better options for CAPTCHAs exist nowadays.

Assignee: meskio (meskio@torproject.org)

prometheus metrics: inbound traffic is a magnitude higher than outbound ?
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40289
Updated: 2023-10-20T15:24:55Z
Author: toralf

Me wonders about these numbers :
```
~/devel/tor-relays $ hcloud server list --output columns=name | grep -v NAME | sort | while read i; do echo; echo $i; ssh -n $i 'curl -s localhost:9999/internal/metrics | grep "^tor.*traffic"'; done
buddelflink
tor_snowflake_proxy_traffic_inbound_bytes_total 1.5137087637e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 1.842859221e+09
drehrumbum
tor_snowflake_proxy_traffic_inbound_bytes_total 2.616226932e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 2.428826961e+09
elster2
tor_snowflake_proxy_traffic_inbound_bytes_total 2.4824487988e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 2.756696966e+09
hoppel2
tor_snowflake_proxy_traffic_inbound_bytes_total 1.8561349297e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 1.831598894e+09
igel
tor_snowflake_proxy_traffic_inbound_bytes_total 2.203970161e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 2.038998589e+09
moppi3
tor_snowflake_proxy_traffic_inbound_bytes_total 2.1562580774e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 2.572686488e+09
nickeneck
tor_snowflake_proxy_traffic_inbound_bytes_total 1.7488402935e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 1.840865957e+09
pittiplatsch
tor_snowflake_proxy_traffic_inbound_bytes_total 2.0007601682e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 1.980735179e+09
putzi
tor_snowflake_proxy_traffic_inbound_bytes_total 2.2191193167e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 2.005800589e+09
schwarzrock
tor_snowflake_proxy_traffic_inbound_bytes_total 2.2477079962e+10
tor_snowflake_proxy_traffic_outbound_bytes_total 2.340506538e+09
```

bridges.torproject.org's alternative ways to get bridges doesn't mention telegram
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/172
Updated: 2024-03-04T15:32:55Z
Author: Roger Dingledine

On https://bridges.torproject.org/options/ we have "I need an alternative way of getting bridges!" which mentions email, but it doesn't mention any of our newer mechanisms, like telegram, circumvention settings, etc.
We should either:
* flesh out this page to properly list the various ways you can get bridges
or
* identify that there is a better page that already does this up to date list, and change the text here to simply point there.

On IPv6-only server, always "NAT type: unknown" even with firewall disabled
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40286
Updated: 2023-10-21T16:18:43Z
Author: catharsis71

I have an IPV6-only VPS server, using NAT64 DNS servers for outbound access to IPV4-only hostnames
hostnames with no AAAA records get synthetic AAAA records set by the DNS server so that traffic goes through the NAT64 service
hostnames with AAAA records resolve normally and go out directly
there is no access to raw IPv4 IP addresses
running snowflake-proxy, I always get "NAT type: unknown" even if my firewall is completely disabled... is this intended behavior?
I've tested both the Docker container and compiling/running locally but the results are the same
the proxy does seem to work but normally only gets 0-3 connections per hour per proxy (seemingly unaffected by whether the firewall is up or down)
perhaps this is due to the small pool of IPV6 clients wanting to connect, but I'm not sure
snowflake.torproject.net has an AAAA record so traffic to it does not go through NAT64
likewise stun.l.google.com has an AAAA record so traffic to it does not go through NAT64
I am unable to determine the cause of the "NAT type: unknown"

Set daily max bucket distribution and adjust other settings for production
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/28
Updated: 2024-02-15T16:52:09Z
Author: onyinyang

We likely need to decide on an upper bound of buckets that can be distributed each day so that we don't run out of open invitation buckets. We currently have buckets being distributed to k users before a new bucket is used but if buckets are continuously requested, we will eventually run out of buckets each day. These variables should be part of a configuration file for Lox.

Milestone: Lox Ready for Open Testing Call
Assignee: onyinyang

Publish container in our gitlab registry
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40284
Updated: 2023-10-01T15:24:43Z
Author: micah (micah@torproject.org)

Now that Tor [has enabled container registry support in Gitlab](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/89), it is possible to build and publish a container that is hosted in the container registry [here in the snowflake project](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/container_registry).
It would be ideal if we could host our own container, and point people to use that. We don't have to stop using the 3rd party registry.
This should be done automatically in the CI.

Set up a staging server
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/170
Updated: 2023-12-07T17:35:38Z
Author: meskio (meskio@torproject.org)

To be able to experiment with things we want a staging server of rdsys.
* [x] get a new VM for it (https://gitlab.torproject.org/tpo/tpa/team/-/issues/41297)
* [x] generate fake descriptors (#171)
* [ ] test accounts for gettor
* [ ] github
* [ ] gitlab
* [ ] archive.org
* [ ] google drive
* [ ] test account for telegram bot
* [x] write a script to automate the cleanup and deploy
* [x] document the setup in the wiki

Assignee: meskio (meskio@torproject.org)

HTTP based PT protocol
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/130
Updated: 2023-10-09T16:19:25Z
Author: meskio (meskio@torproject.org)

SOCKS has many problems:
* We have to do hacks to do things like passing arguments, and they come with many problems ( #104)
* There are not many SOCKS server implementations and many PTs end up needing to implement their own ([goptlib](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/goptlib/-/blob/v1.4.0/socks.go) and [proteus](https://github.com/unblockable/proteus/tree/99751539b78782d4477411786e4df03b68213e5d/src/net/proto/socks) have done it)
We could use [HTTP CONNECT](https://www.rfc-editor.org/rfc/rfc9110#CONNECT) or [MASQUE](https://datatracker.ietf.org/wg/masque/about/) as a base that will give us the option of having headers to encode arguments and hopefully they are easy to implement based on standard HTTP/QUIC libraries.

Recommend not exposing OrPort for bridges
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/129
Updated: 2024-02-27T18:53:18Z
Author: meskio (meskio@torproject.org)

Enabling `AssumeReachable 1` in torrc we can avoid publishing the OrPort in bridges. Are we ok recommending to do that to bridge operators?
If we decide to move forward with this those are the steps needed for it:
* [ ] Don't use the running flag in metrics ( https://gitlab.torproject.org/tpo/network-health/team/-/issues/318)
* [ ] update Docker images to not expose OrPort
* [ ] obfs4
* [ ] webtunnel
* [ ] update documentation https://community.torproject.org/relay/setup/bridge/
* [ ] write an email to tor-relays@lists.torproject.org about it

Assignee: meskio (meskio@torproject.org)

Implement Metrics Reporting for Lox
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/24
Updated: 2023-10-31T21:19:34Z
Author: onyinyang

From the [Lox Roadmap](https://gitlab.torproject.org/tpo/anti-censorship/lox-rs/-/wikis/Lox-Roadmap) we want to include strategic reporting of metrics in our Lox deployment so that we are able to determine the effectiveness of Lox. The minimum metrics to measure are the following:
- [x] Prometheus metrics for counts of how often each library function is called from distributor
- [ ] How many bridges are in each rank
- [ ] Blockages from deployed bridgestrap instance
- [x] Remaining capacity (or if/when we run out of bridges to hand out to open inv)
Discussion, development of these and additional metrics to include in the initial deployment will be tracked in this issue.

Assignee: onyinyang

Gettor: distribute TB in bitbucket.org
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/169
Updated: 2024-02-27T18:23:51Z
Author: meskio (meskio@torproject.org)

It looks like bitbucket is not blocked in some places where others are.