Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
2020-06-27T13:40:31Z

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30138
Remove serene from snowflake bridge admin
2020-06-27T13:40:31Z
David Fifield <dcf@torproject.org>
The current set of users with access to admin accounts on the bridge is
```
AllowUsers dcf serene arlolra cohosh phw
```
It looks like serene has not used her account since it was created in January 2017. I propose that we remove the account.
I just checked, and there was never a serene account on the broker, so nothing to do there.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30125
Port server's log sanitization to client, broker, and proxy-go
2020-06-27T13:40:31Z
David Fifield <dcf@torproject.org>
legacy/trac#21304 added a log sanitizer to the server (bridge) code that searches for IP addresses in logs and elides them. We noted in comment:17:ticket:21304 that the other components--client, broker, and proxy-go--can benefit from the same log sanitization.
comment:18:ticket:21304 suggests a way to do it: move the `logScrubber` code into a new top-level subdirectory and `safelog` package, and have the other programs `import git.torproject.org/pluggable-transports/snowflake.git/safelog`.
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/30056
Bridges doesn't work with ExcludeNodes
2021-07-29T15:02:51Z
Trac
Bridges doesn't work with ExcludeNodes. I used all bridges that aren't in countries mentioned in Exclude, but it also isn't working.
My torrc:
ExcludeNodes {RU},{BY},{US},{DE},{UA}
ExitNodes {SE},{NL},{FI}
bridge obfs4 94.242.249.2:38479 039C0803213355DCC9961876B5650B0BE5691915 cert=8+QodvOgR4ufCz/82xjEE/wQIV0qBPgKIXIEQFohS0J+BNA+m8l+cZyh2TxZhDgZOHTiAw iat-mode=0
**Trac**:
**Username**: dECENTRAL

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30008
Remove unused FIFO copy paste code from snowflake client
2020-06-27T13:40:31Z
Cecylia Bocovich
We are no longer doing ICE signaling manually and so don't need information to be copy pasted between the terminal and browser.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29985
Give phw access to Snowflake infrastructure hosts
2020-06-27T13:40:31Z
David Fifield <dcf@torproject.org>
 * broker
 * bridge

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/29871
Meek-Azure Pluggable Transport Not working
2020-06-27T13:44:11Z
Trac
Meek-Azure pluggable transport is not working. Results in error- Establishing an encrypted directory connection failed. The problem has been replicated across several devices and several separate implementations of Tor across several ISPs within the United States. Tor log file has been attached to this ticket.
**Trac**:
**Username**: bakertaylor28
David Fifield <dcf@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29861
Snowflake is not working right now for some reason
2021-07-09T18:26:25Z
cypherpunks
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29857
Snowflake as browser add on
2020-06-27T13:40:32Z
Trac
I wanted to add snowflake at my website, however there were too many small issues which prevented me from doing that.
One of the issues I have was that snowflake uses cookies (and I hate cookies).
So I thought of other ways for the enduser to indicate that it is fine that his browser acts as a Tor bridge. The most straightforward way is to let the user install a snowflake browser add on.
Pros
- The user is in control
- The software is decentralized
- You don't need website owners to spread snowflake via iframe
**Trac**:
**Username**: snowflakesuggestion

https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/29855
TOR was blocked by my company.
2021-07-09T18:29:19Z
Trac
My company studied the tor connection methods and blocked them. You should allow tor to connect using an anonymous web proxy server. All one would need is to insert it as a connection option and tor will establish a circuit through the anonymous proxy server
**Trac**:
**Username**: wanje
David Fifield <dcf@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29736
Use WebSocket protocol to communicate between snowflake proxies and broker
2022-07-26T20:47:14Z
Cecylia Bocovich
To create a versioned and extensible protocol for each piece of snowflake to talk to each other, we should consider using WebSockets (RFC 6455) to send these messages.
This requires creating a WebSocket-based handler at the broker and modifying the proxies to make websocket connections.
Alexander Færøy <ahf@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29734
Broker should receive country stats information from Proxy and Client
2021-05-20T19:40:10Z
Cecylia Bocovich
We can use existing geoip data to collect statistics about where clients are connecting from in order to detect possible blocking events. These should be gathered both from the initial domain-fronted client connection and from the proxies (to be passed to the broker) in order to detect the blocking of individual proxies or the blocking of the WebRTC connections.
Sponsor 28: Reliable Anonymous Communication Evading Censors and Repressors (RACECAR)
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/29686
filenames conflict on case-insensitive filesystems
2020-06-27T13:42:49Z
Taylor Yu
Trying to clone the bridgedb repository on macOS on a case-insensitive filesystem results in:
```
warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:
'bridgedb/Bridges.py'
'bridgedb/bridges.py'
'bridgedb/test/test_Bridges.py'
'bridgedb/test/test_bridges.py'
'doc/sphinx/source/bridgedb.Bridges.rst'
'doc/sphinx/source/bridgedb.bridges.rst'
```
We should rename stuff so the code is easier to work on in a case-insensitive filesystem.
Philipp Winter <phw@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/29597
Cleanup bridgedb-admin git repository
2020-06-27T13:42:50Z
David Goulet <dgoulet@torproject.org>
It is full of either out of date scripts or things that aren't used.
The branch will probably have many commits touching many things ;). Spring cleanup!
David Goulet <dgoulet@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/29596
Cleanup bridgedb crontab
2020-06-27T13:42:50Z
David Goulet <dgoulet@torproject.org>
Overall cleanup to what the server is actually running.
David Goulet <dgoulet@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/29594
Remove OpenSSL.rand.bytes from code
2020-06-27T13:42:50Z
David Goulet <dgoulet@torproject.org>
It is now deprecated in favor of `os.urandom()`:
```
OpenSSL.rand is deprecated - you should use os.urandom instead
```
This is needed if we want to upgrade the requirements.txt.
David Goulet <dgoulet@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29565
Fix broker robots.txt to disallow crawling
2020-06-27T13:40:32Z
David Fifield <dcf@torproject.org>
From comment:11:ticket:28848 and https://github.com/ahf/snowflake-notes/blob/fb4304a7df08c6ddeeb103f38fc9103721a20cd9/Broker.markdown#the-robotstxt-handler:
> - Was the question about crawling ever answered? I can't think of a very good reason not to allow it. Even if censors were crawling the web for Snowflake brokers, they could get this information much more easily just from the source code.
I believe the intention behind the robots.txt handler is to prevent search engines from indexing any pages on the site, because there's no permanent information there, not for any security or anti-enumeration reason.
ahf points out that the current robots.txt achieves the opposite: it allows crawling of all pages by anyone. Instead of
```
User-agent: *
Disallow:
```
it should be
```
User-agent: *
Disallow: /
```
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek/-/issues/29559
meek-client-torbrowser should exit on stdin close, even while waiting on browser output
2020-06-27T13:44:12Z
David Fifield <dcf@torproject.org>
Edit the browser extension not to output the `meek-http-helper: listen` line, or hack meek-client-torbrowser to break `grepHelperAddress`. Start Tor Launcher, select meek, and Connect. Now Cancel and exit Tor Browser. The bug is that meek-client-torbrowser and its child process firefox will continue running.
It happens because meek-client-torbrowser's `TOR_PT_EXIT_ON_STDIN_CLOSE` and SIGTERM logic happen only after `grepHelperAddr`. meek-client-torbrowser should pay attention to its stdin the whole time so that it can exit correctly in this case.
David Fifield <dcf@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29489
Set up automated local testing environment for Snowflake
2020-06-27T13:40:32Z
Cecylia Bocovich
The goal is to set up a locally networked testing environment for Snowflake that can be easily and automatically set up and run. This will include the easy installation and configuration of dependencies.
Hopefully this environment will be able to reproduce bugs that have occurred in the deployed system (such as legacy/trac#25688) that have so far not been reproducible locally. That will be one of the benchmarks for this ticket to see whether or not the local environment is close enough to a deployed one.
The current idea is to use networked docker containers.
Perhaps farther in the future, it might be interesting to see if we can do some kind of continuous integration with gitlab: https://docs.gitlab.com/ee/ci/#gitlab-cicd-for-docker.
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/29484
Update the requirements.txt and freeze them on release
2020-06-27T13:42:50Z
David Goulet <dgoulet@torproject.org>
The `requirements.txt` file has package versions that are pinned and some are very old by now.
I've done a quick test and using all the latest works with a very minor fix in the code so far.
We should have a development one that uses the latest packages (maybe?) and then use a minimal one that we use when we release (pip freeze).
This way, we keep up to date with everything and do not fall into the risk of having huge security holes because of old dependencies, for instance.
Philipp Winter <phw@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/29483
Use systemd init script for BridgeDB
2020-06-27T13:42:50Z
David Goulet <dgoulet@torproject.org>
The bridgedb process is executed in a cron at bootup. So if it crashes, we do not know about it because of lack of monitoring but also it won't be restarted.
Let's move this out of the cron and into a systemd init script. The machine is Debian 9.7 so systemd is stable there and what should be used.
David Goulet <dgoulet@torproject.org>