Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
Feed updated: 2020-06-27T13:43:27Z

----

Issue #6125: bridges.torproject.org lacks contact information
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6125
Updated: 2020-06-27T13:43:27Z
Author: weasel (Peter Palfrader)

Hi,
the website at https://bridges.torproject.org/ does not provide any contact information. It also does not say where to report issues.
It probably should have these things, in a small footer maybe, on every page. If the place to report issues is our trac, it should also mention which component to file bugs against.
It could also link its git in that footer.

----

Issue #6126: bridges.tpo does not work at all over ipv6
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6126
Updated: 2020-06-27T13:43:27Z
Author: weasel (Peter Palfrader)

When I visit bridges.tpo via ipv6:
```
/usr/lib/python2.6/dist-packages/twisted/web/server.py, line 125 in process
123 try:
124 resrc = self.site.getResourceFor(self)
125 self.render(resrc)
126 except:
Self
site twisted.web.server.Site instance @ 0x256bcb0 <twisted.web.server.Site
instance at 0x256bcb0>
Locals
resrc bridgedb.Server.WebResource instance @ 0x22ae998
<bridgedb.Server.WebResource instance at 0x22ae998>
self twisted.web.server.Request instance @ 0x37c0ef0 <GET / HTTP/1.1>
/usr/lib/python2.6/dist-packages/twisted/web/server.py, line 132 in render
130 def render(self, resrc):
131 try:
132 body = resrc.render(self)
133 except UnsupportedMethod, e:
Locals
resrc bridgedb.Server.WebResource instance @ 0x22ae998
<bridgedb.Server.WebResource instance at 0x22ae998>
self twisted.web.server.Request instance @ 0x37c0ef0 <GET / HTTP/1.1>
Globals
UnsupportedMethod <class 'twisted.web.error.UnsupportedMethod'>
/usr/lib/python2.6/dist-packages/twisted/web/resource.py, line 210 in render
208 from twisted.web.error import UnsupportedMethod
209 raise UnsupportedMethod(getattr(self, 'allowedMethods', ()))
210 return m(request)
211
Locals
m <bound method WebResource.render_GET of <bridgedb.Server.WebResource
instance at 0x22ae998>>
self bridgedb.Server.WebResource instance @ 0x22ae998
<bridgedb.Server.WebResource instance at 0x22ae998>
request twisted.web.server.Request instance @ 0x37c0ef0 <GET / HTTP/1.1>
/srv/bridges.torproject.org/local/lib/python2.6/site-packages/bridgedb/
Server.py, line 88 in render_GET
86 return HTML_CAPTCHA_TEMPLATE
87 else:
88 return self.getBridgeRequestAnswer(request)
89
Locals
self bridgedb.Server.WebResource instance @ 0x22ae998
<bridgedb.Server.WebResource instance at 0x22ae998>
request twisted.web.server.Request instance @ 0x37c0ef0 <GET / HTTP/1.1>
/srv/bridges.torproject.org/local/lib/python2.6/site-packages/bridgedb/
Server.py, line 137 in getBridgeRequestAnswer
135
136 if geoip:
137 countryCode = geoip.country_code_by_addr(ip)
138
Locals
countryCode None
ip None
Globals
geoip <GeoIP object at 0x7f4dab0562e8>
<type 'exceptions.TypeError'>: argument 1 must be string, not None
```

Assignee: Aaron Gibson

----

Issue #6127: bridges.tpo runs in development mode
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6127
Updated: 2020-06-27T13:43:27Z
Author: weasel (Peter Palfrader)

the service at https://bridges.torproject.org/ runs in development mode, meaning it dumps the callstack, including all local variables, to the user whenever it backtraces.
That's probably not a good idea.

Assignee: Isis Lovecruft

----

Issue #6140: Kazakhstan uses DPI to block Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6140
Updated: 2020-06-27T13:43:43Z
Author: Runa Sandvik

Two blog posts published in the beginning of March talk about Kazakhstan using DPI to block Tor. The posts say that Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. It seems the Kazakhstan firewall finds something unique in the TLS "Server Hello" message as sent by the Tor relay or bridge and therefore blocks subsequent communications. IP address and TCP port are irrelevant to the censorship.
From legacy/trac#6045 (where we discuss Ethiopia blocking Tor based on ServerHello), we know that:
* The normal Tor Browser Bundle with a special bridge works; the bridge with the patch that causes the final hello done TLS record to be sent in a separate packet.
* The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are also working in Kazakhstan. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

----

Issue #6149: "Censorship-timeline" for Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6149
Updated: 2020-06-27T13:43:43Z
Author: Philipp Winter <phw@torproject.org>

It was shortly discussed on #tor-dev that some sort of "censorship-timeline" for Tor would be helpful. In particular, this should provide:
* Detailed technical analyses of the censorship mechanisms in place (DPI fingerprints and manufacturers, traceroutes, ...)
* Code and data to reproduce all experiments
* Tor patches and standalone tools to evade the censorship devices
After all, this timeline should serve as a comprehensive archive for all people interested in how Tor is getting blocked. It should make it easy to answer questions such as _"What happened to Tor in country X back in Y?"_.
There are also some open questions:
* How should the data be structured? In form of a timeline? Or country based? Something else?
* What data should be published and when? Full disclosure too early in the process helps the censors.
* How should it be presented? In a wiki page or a standalone web site?

----

Issue #6150: bridges@tpo does not give out bridges anymore
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6150
Updated: 2020-06-27T13:43:27Z
Author: Runa Sandvik

I tried emailing bridges@tpo yesterday and just got the following back:

```
<bridges@gettor.torproject.org>: delivery temporarily suspended: connect to 86.59.21.36[86.59.21.36]:6725: Connection refused
```

----

Issue #6175: BridgeDB learns to choose a reasonable number of bridges to give out
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6175
Updated: 2020-06-27T13:43:26Z
Author: Aaron Gibson

BridgeDB should learn to give out a variable number of bridges based on the number of bridges available.
For example, if a user requests bridges with transport foo, and there are only 20 bridges with this transport, BridgeDB could choose to give out 1 bridge. If there are 21-100 bridges available, give out 2, and more than 100: 3 bridges (or the distributor maximum)
e.g.
```
# Tiered answer size: 1 bridge up to 20 available, 2 for 21-100,
# the distributor maximum above 100.
if len(ring) <= 20:
    n_bridges_per_answer = 1
elif len(ring) <= 100:
    n_bridges_per_answer = min(2, DISTRIBUTOR_N_BRIDGES_PER_ANSWER)
else:
    n_bridges_per_answer = DISTRIBUTOR_N_BRIDGES_PER_ANSWER
```
Or, BridgeDB could choose to avoid giving out more than 5 percent of bridges at a time; and return a minimum of 1 bridge and maximum of the configured DISTRIBUTOR_N_BRIDGES_PER_ANSWER
e.g.
```
# Hand out at most 5 percent of the ring, but at least 1 bridge and
# never more than the configured distributor maximum.
n_bridges_per_answer = min(max(int(len(ring) * 0.05), 1), DISTRIBUTOR_N_BRIDGES_PER_ANSWER)
```

Assignee: Aaron Gibson

----

Issue #6246: UAE uses DPI to block Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6246
Updated: 2020-06-27T13:43:43Z
Author: Runa Sandvik

The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI on June 25 2012. It seems they are doing something similar to Ethiopia (legacy/trac#6045) and Kazakhstan (legacy/trac#6140), but we should figure out how these cases are different.
We know that:
* The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are working. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

----

Issue #6258: The Philippines are blocking Tor?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6258
Updated: 2020-06-27T13:43:43Z
Author: Philipp Winter <phw@torproject.org>

A user mentioned in the [ethiopian blog post](https://blog.torproject.org/blog/update-censorship-ethiopia):
_two of the biggest ISP's here in the philippines blocked tor recently! _
The [statistic for directly connecting users](https://metrics.torproject.org/users.html?graph=direct-users&start=2012-03-31&end=2012-06-29&country=ph&dpi=72#direct-users) indeed shows a sudden drop in usage in the beginning of May. The [bridge usage statistic](https://metrics.torproject.org/users.html?graph=bridge-users&start=2012-03-31&end=2012-06-29&country=ph&dpi=72#bridge-users) shows a suspicious usage drop in the middle of June.
We should analyze the situation.

----

Issue #6396: Reachability tests for obfuscated bridges
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6396
Updated: 2020-06-27T13:43:26Z
Author: George Kadianakis

Bridge authorities are supposed to do reachability tests to bridges.
This becomes problematic when pluggable transports are deployed since the bridge authority will need a pluggable transport to properly communicate with an obfuscated bridge.
Here are some solutions:
a) All the pluggable transports of a bridge will be considered reachable if the ORPort of the bridge is reachable.
b) The above + a TCP scan on each transport port to make sure that the port is open.
c) The bridge authority supports many of the known and widely used pluggable transports and does robust reachability tests on all the transport ports. When it does not recognize a transport, it falls back to a) or b).
As part of legacy/trac#4568 it was decided to go with a) for now. In the future, we should probably drift towards c) since it seems to be the right thing to do (Thandy deployment would also make it a bit easier).
Any ahas, opinions, thoughts or possible solutions?

Assignee: Isis Lovecruft

----

Issue #6513: Set up separate bridge email autoresponder for SponsorJ
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6513
Updated: 2020-06-27T13:43:26Z
Author: Roger Dingledine

SponsorJ wants us to give out the 75 fast bridges through a separate email autoresponder mechanism from bridgedb's bridges@tp.o.
Since these bridges will be mostly static, I think the right way to start out would be to just have a static string get returned -- the same three bridges from our list. When those stop working, we can reevaluate what to do next.
It would be great to have this set up by mid August. Aaron, are you a good person to pop one of these up next to / part of bridgedb?

----

Issue #6651: Someone's blocking Tor in Mexico?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6651
Updated: 2020-06-27T13:43:43Z
Author: Runa Sandvik

One user in Mexico reported that he is unable to connect to Tor, even with a private bridge. We have enough data to analyze the situation.

Assignee: Runa Sandvik

----

Issue #6652: migrate phw's brdgrd code to Tor git repo
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/6652
Updated: 2020-06-27T13:43:26Z
Author: Roger Dingledine

I think we removed all appropriate trac components for this sort of thing, so picking a related one.
We should make a brdgrd Torproject git repo, and let phw (who already has an ldap account) commit to it.
The code is currently at https://github.com/NullHypothesis/brdgrd
I've been asking huge bridge operators to set it up, so we should make it into something more official (plus that way more people will look at it).

Assignee: Sebastian Hahn

----

Issue #7137: Build a tool that a censored developer can run to discover why their Tor is failing to connect
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/7137
Updated: 2020-06-27T13:43:43Z
Author: Karsten Loesing

We should develop an automated censorship diagnostics toolkit for Tor. It gets deployed when someone says something like "tor doesn't work in my country anymore". The goal is to have them download this toolkit, which will automatically figure out if tor is blocked, how it might be blocked, and if any of the known ways to bypass tor censorship works, and if so, tell the client "you need X." Where X is bridges, private bridges, obfsproxy, private obfsproxy. If nothing works, it collects lots of data, and sends it back to tor.
Tor then analyzes the data and learns a new way of blocking tor as feedback into our anti-censorship work. Maybe there is a quick solution for the user in blocked country, maybe there isn't.

----

Issue #7141: How is Iran blocking Tor?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/7141
Updated: 2020-06-27T13:43:43Z
Author: Philipp Winter <phw@torproject.org>

Note that currently it looks like there might be more than just one filtering technique in place. The following was the initial report describing one possible filtering technique and [this comment](https://trac.torproject.org/projects/tor/ticket/7141#comment:8) describes another technique.
----
Some users reported that the Iranian ISP "[Pars Online](https://en.wikipedia.org/wiki/Pars_Online)" is (partially?) blocking Tor.
One user looked into it and believes that Tor is identified based on the server_name extension in the TLS client hello. It looks like DPI boxes extract the domain and do a DNS lookup for it. If the domain resolves and the relay/bridge is listening on port 443, the connection passes. Apparently, an omitted server_name or a server_name rewritten to `www.google.com` passed the filter.
Obfsproxy seems to work.
Some open questions:
* Can we reproduce and verify the existing hypothesis?
* Is this an attempt to only allow HTTPS and no other SSL/TLS-based protocols? Or is it targeting only Tor?
* Can we modify [brdgrd](https://gitweb.torproject.org/brdgrd.git) to evade the server_name extraction?
* Is this type of block limited to Pars Online?

Assignee: Philipp Winter <phw@torproject.org>

----

Issue #7153: Don't require pluggable transport proxies to be SOCKS proxies
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/7153
Updated: 2021-06-17T14:30:51Z
Author: Karsten Loesing

(Re-using text from Zack Weinberg for this description.)
There are pluggable transport proxies that don't actually act as a SOCKS proxy. For example, StegoTorus has its own configuration; it ignores everything told it in the SOCKS dialogue and always connects to the bridge that it knows about. If you want multiple StegoTorus bridges accessible to your Tor client, you need multiple `"ClientTransportPlugin ... exec"` specifications. This is only going to get worse when they move away from having everything set up on StegoTorus' command line, which has been direly needed for some time now.
Theoretically all of StegoTorus' configuration _could_ be encapsulated in the SOCKS key-value-pairs-in-the-password hack that's described in 180-pluggable-transport.txt, but they never implemented that and they don't want to. They want to rip out all of the SOCKS code, in fact. The way they want it to work is
```
Bridge storus1 direct [keyid=...]
ClientTransportPlugin storus1 direct 127.0.0.1:8888
```
In this case, `'storus1'` is *not* a "method", it's a human-readable identifier for the bridge that Tor will be connected to if it starts talking the OR protocol -- with no initial SOCKS exchange! -- on 127.0.0.1:8888.
`"direct"` should also be valid in CMETHOD/SMETHOD lines for the proxy-management protocol, with the same semantics. Zack says he hasn't really thought through how the server side of this stuff ought to work.

----

Issue #7167: Combine traffic obfuscation with address diversity of flash proxy
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/7167
Updated: 2020-06-27T13:44:07Z
Author: Karsten Loesing

(Quoting text written by David Fifield for this ticket description.)
Find out what current DPI capabilities are with respect to WebSocket, at least through product literature.
Find out what existing, popular, WebSocket applications are used (chat, video, games?) that will be collateral damage to block. Write a short report on 1) how common they are, and 2) what their traffic looks like.
Implement a transport with an obfs2 stream transported over WebSocket.
We can imagine a new "obfs2-in-websocket" transport, but it might be a better design to allow chaining of proxies that don't necessarily have to know about one another. So you might have something like this on the client:
```
ClientTransportPlugin websocket socks4 127.0.0.1:9001
ClientTransportPlugin obfs2 exec /usr/local/bin/obfsproxy --managed
Bridge obfs2|websocket 0.0.1.0:1
```
On the server:
```
ServerTransportPlugin websocket proxy 127.0.0.1:9901
ServerTransportPlugin obfs2 exec /usr/local/bin/obfsproxy --managed
# And then some new configuration to say that things received on
# port 9901 need to be forwarded to the local obfsproxy port.
# Port 9901 won't be able to be used for plain websocket
# connections, and I guess this will have to be reflected in the
# descriptor somewhere.
```
A client tor can probably manage these chained proxies using SOCKS-in-SOCKS. There's a brief note on chaining proxies here: https://trac.torproject.org/projects/tor/ticket/2841#comment:12
See what other obfuscation possibilities exist. I don't think that TLS-wrapped WebSockets work for us (http://archives.seul.org/or/talk/Oct-2012/msg00190.html), but I haven't thought about it exhaustively. Replacing WebSocket with HTTP requests (the flash proxy POSTs bodies to both the client and the relay, and receives response bodies) would likely work, and would allow fuller control of the payloads (whereas with WebSocket we cannot escape the WebSocket framing). We gave up on using Flash, but Flash sockets allow us to control exactly what goes on the wire, except for an initial cross-domain request.

Assignee: George Kadianakis

----

Issue #7207: BridgeHerder: A tool to manage bridges
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/7207
Updated: 2020-06-27T13:43:26Z
Author: Aaron Gibson

I am working on a tool that will make it easier to manage bridges on systems with multiple addresses. The tool currently detects the IP networks available on a system, configures addresses and ports and launches a configurable number of bridge instances.
Eventually the tool will be able to reconfigure the listening ports and addresses periodically and provide an interactive user interface.
The idea is to make it easy to rent a dedicated server or VPS, add some IP networks, and use this tool to rotate addresses periodically (or in response to censorship events). I have a box from a provider who claims "Unlimited Free IP Addresses*" and started writing this tool so I could easily use all the addresses available, and then use this as justification for more addresses; rinse and repeat.
With a handful of people running a similar configuration we should be able to double the number of listening ports advertised by BridgeDB.
Some things to consider:
What frequency of address:port rotation helps the most people?
Do frequently rotating bridges (e.g. home users with dynamic IPs) see significant usage?
Should this tool be a component of TorCloud?
What other features would be useful?
Comments welcome!
*with justification

----

Issue #7296: Make bridges.torproject.org more user friendly
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/7296
Updated: 2020-06-27T13:43:26Z
Author: Runa Sandvik

Users who visit bridges.torproject.org to get obfsproxy bridges are required to specify the transport by name to get a set of IP addresses. Most users only know these addresses as "bridges", and will not be familiar with terms such as "obfs2" and "obfs3". It would also be great if the page was updated to clearly separate the normal-bridges-page from the obfs2-bridges-page.

Assignee: Isis Lovecruft

----

Issue #7319: Organise deployment of pluggable transports
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/7319
Updated: 2020-06-27T13:44:06Z
Author: George Kadianakis

We are currently in the process of deploying pluggable transports, and we are doing a half-assed job; especially at helping users use pluggable transports.
This is a parent ticket in an attempt to organize the deployment better.

Assignee: George Kadianakis