Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
Updated: 2021-07-09T18:29:19Z

Cyberoam blocking connections to Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/15198
Updated: 2021-07-09T18:29:19Z
Author: Jacob Appelbaum

I'm currently in Istanbul, Turkey at a local university. The network blocks connections to the Tor network (using Tails) with a layered approach to censorship, I suspect.
I've tried to configure regular bridges, obfs2,3,scramblesuit PT and direct connections. None appear to function. I am able to ssh out - so I can connect to Tor by binding a local SOCKS proxy and configuring Tor to connect over a SOCKS proxy. That is how I've filed this bug report.
The Cyberoam device is clearly acting as a MITM - it is highly annoying. It is a captive portal, which is easy to bypass with a login/password (ironically, not deployed with https!), after the captive portal, it filters connections by protocol, ip address and port number - I haven't yet fingerprinted the device upstream but I'll add information as I find it.

wiki: DontBlockMe project / ListOfServicesBlockingTor doc
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/10099
Updated: 2020-06-27T13:43:42Z
Author: cypherpunks

The current meta ticket for these two wiki pages.
DontBlockMe
ListOfServicesBlockingTor
Join related tickets to this parent.

Tor hacked when starting up in Aspen, CO, 19AUG2013
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/9549
Updated: 2020-06-27T13:43:42Z
Author: Trac

This is the first ticket... just wanted to let you guys know I'm, apparently, a COINTELPRO target and have been for a couple of years since I began activating after the oil spill crisis in Louisiana.
I just downloaded Tor last May, and it worked without a hitch.
After yesterday's hack-a-thon (as versus a hacktivist-a-thon), I had to reload Tor via Google Chrome a few minutes ago (yuk) since the Tor application files were erased from my hard drive. (This has happened often with Google over the last couple of years...)
Now am having FireFox proxy issues, FYI, and had to use Chrome to send this message... I thought I should let you know what's happened in case security has been breached... if that's possible.
Hope this message isn't a waste of your time.
Best regards,
Elizabeth
aerguyton.wordpress.com
**Trac**:
**Username**: Elizabeth

GFW actively probes obfs2 bridges
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/8591
Updated: 2020-06-27T13:43:42Z
Author: Philipp Winter (phw@torproject.org)

It looks like the GFW is now actively probing obfs2. After hearing rumours yesterday, I wasn't able to reproduce this. Today, however, I got my private obfs2 bridge probed just milliseconds after my own connection from China. I got hit by two random Chinese addresses as we already know it from the Tor probing. After the probing, my obfs2 connection timed out and the SYN/ACK segments from the bridge were dropped when trying to establish a new connection. I could reproduce all of this several times.
I haven't tested obfs3 yet and I suppose we can skip the old looking-for-the-fingerprint game. Depending on what protocols they are trying to detect, they might have to probe several times since it's not clear what's behind all that entropy. It might be obfs2, obfs3 or VPN PSK and perhaps even more protocols.
Assignee: Philipp Winter (phw@torproject.org)

I think tor is blocked by my internet provider
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/8097
Updated: 2021-07-09T18:29:20Z
Author: Trac

Sorry, I'm really new to Tor, and proxies/etc. The other day, I downloaded the Tor Bundle for Mac OS X, and it would get stuck at "Establishing an encrypted directory connection".
I added bridges, tried the "Firewall only connects to certain ports" option, and even redownloaded to the 64-bit version. I'm not sure if I'm doing something wrong or I am somehow blocked from Tor? Also, I live in Japan.
Here is an image of how my message log looks: http://i46.tinypic.com/23u8ole.png
**Trac**:
**Username**: 48ine
Assignee: George Kadianakis

How is Iran blocking Tor?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/7141
Updated: 2020-06-27T13:43:43Z
Author: Philipp Winter (phw@torproject.org)

Note that currently it looks like there might be more than just one filtering technique in place. The following was the initial report describing one possible filtering technique and [this comment](https://trac.torproject.org/projects/tor/ticket/7141#comment:8) describes another technique.
----
Some users reported that the Iranian ISP "[Pars Online](https://en.wikipedia.org/wiki/Pars_Online)" is (partially?) blocking Tor.
One user looked into it and believes that Tor is identified based on the server_name extension in the TLS client hello. It looks like DPI boxes extract the domain and do a DNS lookup for it. If the domain resolves and the relay/bridge is listening on port 443, the connection passes. Apparently, an omitted server_name or a server_name rewritten to `www.google.com` passed the filter.
Obfsproxy seems to work.
Some open questions:
* Can we reproduce and verify the existing hypothesis?
* Is this an attempt to only allow HTTPS and no other SSL/TLS-based protocols? Or is it targeting only Tor?
* Can we modify [brdgrd](https://gitweb.torproject.org/brdgrd.git) to evade the server_name extraction?
* Is this type of block limited to Pars Online?
Assignee: Philipp Winter (phw@torproject.org)

Build a tool that a censored developer can run to discover why their Tor is failing to connect
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/7137
Updated: 2020-06-27T13:43:43Z
Author: Karsten Loesing

We should develop an automated censorship diagnostics toolkit for Tor. It gets deployed when someone says something like "tor doesn't work in my country anymore". The goal is to have them download this toolkit, which will automatically figure out if tor is blocked, how it might be blocked, and if any of the known ways to bypass tor censorship works, and if so, tell the client "you need X." Where X is bridges, private bridges, obfsproxy, private obfsproxy. If nothing works, it collects lots of data, and sends it back to tor.
Tor then analyzes the data and learns a new way of blocking tor as feedback into our anti-censorship work. Maybe there is a quick solution for the user in blocked country, maybe there isn't.

Someone's blocking Tor in Mexico?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6651
Updated: 2020-06-27T13:43:43Z
Author: Runa Sandvik

One user in Mexico reported that he is unable to connect to Tor, even with a private bridge. We have enough data to analyze the situation.
Assignee: Runa Sandvik

The Philippines are blocking Tor?
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6258
Updated: 2020-06-27T13:43:43Z
Author: Philipp Winter (phw@torproject.org)

A user mentioned in the [ethiopian blog post](https://blog.torproject.org/blog/update-censorship-ethiopia):
_two of the biggest ISP's here in the philippines blocked tor recently!_
The [statistic for directly connecting users](https://metrics.torproject.org/users.html?graph=direct-users&start=2012-03-31&end=2012-06-29&country=ph&dpi=72#direct-users) indeed shows a sudden drop in usage in the beginning of May. The [bridge usage statistic](https://metrics.torproject.org/users.html?graph=bridge-users&start=2012-03-31&end=2012-06-29&country=ph&dpi=72#bridge-users) shows a suspicious usage drop in the middle of June.
We should analyze the situation.

UAE uses DPI to block Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6246
Updated: 2020-06-27T13:43:43Z
Author: Runa Sandvik

The Emirates Telecommunications Corporation, also known as Etisalat, started blocking Tor using DPI on June 25 2012. It seems they are doing something similar to Ethiopia (legacy/trac#6045) and Kazakhstan (legacy/trac#6140), but we should figure out how these cases are different.
We know that:
* The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are working. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

"Censorship-timeline" for Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6149
Updated: 2020-06-27T13:43:43Z
Author: Philipp Winter (phw@torproject.org)

It was shortly discussed on #tor-dev that some sort of "censorship-timeline" for Tor would be helpful. In particular, this should provide:
* Detailed technical analyses of the censorship mechanisms in place (DPI fingerprints and manufacturers, traceroutes, ...)
* Code and data to reproduce all experiments
* Tor patches and standalone tools to evade the censorship devices
After all, this timeline should serve as a comprehensive archive for all people interested in how Tor is getting blocked. It should make it easy to answer questions such as _"What happened to Tor in country X back in Y?"_.
There are also some open questions:
* How should the data be structured? In form of a timeline? Or country based? Something else?
* What data should be published and when? Full disclosure too early in the process helps the censors.
* How should it be presented? In a wiki page or a standalone web site?

Kazakhstan uses DPI to block Tor
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6140
Updated: 2020-06-27T13:43:43Z
Author: Runa Sandvik

Two blog posts published in the beginning of March talk about Kazakhstan using DPI to block Tor. The posts say that Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. It seems the Kazakhstan firewall finds something unique in the TLS "Server Hello" message as sent by the Tor relay or bridge and therefore blocks subsequent communications. IP address and TCP port are irrelevant to the censorship.
From legacy/trac#6045 (where we discuss Ethiopia blocking Tor based on ServerHello), we know that:
* The normal Tor Browser Bundle with a special bridge works; the bridge with the patch that causes the final hello done TLS record to be sent in a separate packet.
* The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are also working in Kazakhstan. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.

Ethiopia blocks Tor based on ServerHello
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/6045
Updated: 2020-06-27T13:43:43Z
Author: George Kadianakis

Ethiopia is blocking Tor by DPIing the ServerHello TLS record. We
found out that changing the ciphersuite selected (from the default
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA (0x0039)) bypasses the censorship.
This is a ticket to see how we can handle this issue. We should also
be thinking about how legacy/trac#4744 and proposal 198 influence this.
The patch we used during tests removes 0x0039 from `SERVER_CIPHER_LIST`:
https://gitorious.org/mytor/mytor/commit/087de5215cada3320c8494fdc97b87746b45e1cb
A good short-term plan would be to set-up a few patched bridges,
update the blog post, and distribute the patched bridges to anyone who
asks for them.

in iran both obsfproxy and vidalia relays are too slow
https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/5158
Updated: 2020-06-27T13:43:44Z
Author: Trac

seems iran's government is blocking tor network mostly faster relays. please do something about it.
**Trac**:
**Username**: pptp9

Gitlab Migration Milestone
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/40000
Updated: 2020-06-13T18:30:28Z
Author: Trac

We're creating this ticket as a part of the Trac-to-Gitlab migration, so that each project's numbering for new tickets will start with 40001.

BridgeDB doesn't like non-UTF8 encoded requests
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/34318
Updated: 2022-07-09T04:22:44Z
Author: Philipp Winter (phw@torproject.org)

I stumbled upon the following exception in BridgeDB's log:
```
Traceback (most recent call last):
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/http.py", line 1755, in dataReceived
finishCallback(data[contentLength:])
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/http.py", line 2171, in _finishRequestBody
self.allContentReceived()
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/http.py", line 2284, in allContentReceived
req.requestReceived(command, path, version)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/http.py", line 946, in requestReceived
self.process()
--- <exception caught here> ---
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/server.py", line 235, in process
self.render(resrc)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/server.py", line 302, in render
body = resrc.render(self)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/web/resource.py", line 265, in render
return m(request)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+34.ga6eb0d1c.dirty-py3.7.egg/bridgedb/distributors/https/server.py", line 722, in render_POST
return CaptchaProtectedResource.render_POST(self, request)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+34.ga6eb0d1c.dirty-py3.7.egg/bridgedb/distributors/https/server.py", line 573, in render_POST
request.args = stringifyRequestArgs(request.args)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+34.ga6eb0d1c.dirty-py3.7.egg/bridgedb/distributors/https/server.py", line 109, in stringifyRequestArgs
arg = arg if isinstance(arg, str) else arg.decode("utf-8")
builtins.UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc2 in position 1: invalid continuation byte
```
Assignee: Armin Huremagic

Extend BlockedBridges table
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/34154
Updated: 2020-06-27T13:42:44Z
Author: Philipp Winter (phw@torproject.org)

BridgeDB has a (currently unused) table in its SQLite database that captures where a bridge is blocked. We are going to use this table as part of our work on legacy/trac#32740. It currently has the following fields:
* ID (primary key)
* hex_key (fingerprint)
* blocking_country (country code)
A fingerprint can relate to a bridge's OR port or any of its pluggable transports but these endpoints can be blocked independently. To remove this ambiguity, we should add additional fields for a bridge's IP address, port, and perhaps for an autonomous system because blocking isn't always uniform across a country.

Set up OONI's MetaDB on polyanthum
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/34116
Updated: 2020-07-09T18:21:00Z
Author: Philipp Winter (phw@torproject.org)

As part of legacy/trac#32740, we need to sync OONI's test results with BridgeDB's SQLite database; in particular its BlockedBridges table. [Over here](https://trac.torproject.org/projects/tor/ticket/32126#comment:4) and [here](https://github.com/ooni/backend/issues/396#issuecomment-620611456), hellais suggested to set up a copy of OONI's MetaDB and have it sync with their canonical database. We can then use our local copy on polyanthum to update BridgeDB's SQLite database.
Instructions for setting up a MetaDB are available at:
https://github.com/ooni/sysadmin/blob/master/docs/metadb-sharing.md
Assignee: Philipp Winter (phw@torproject.org)

Failed assertion breaks BridgeDB's email responder
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/33945
Updated: 2021-07-09T18:27:09Z
Author: Philipp Winter (phw@torproject.org)

BridgeDB's email responder stops working after a while. The issue is probably related to the exception below but I don't know how exactly. As part of our Python 3 port, we [modified the context manager](https://gitweb.torproject.org/bridgedb.git/commit/?id=c1a48d1b568b00fab19a308e6497881f31d17680), which may be a good place to start debugging.
```
Unhandled Error
Traceback (most recent call last):
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/python/log.py", line 103, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/python/log.py", line 86, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/python/context.py", line 122, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/python/context.py", line 85, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
why = selectable.doRead()
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/internet/tcp.py", line 243, in doRead
return self._dataReceived(data)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/protocols/basic.py", line 454, in dataReceived
self.lineReceived(line)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/mail/smtp.py", line 445, in lineReceived
return getattr(self, 'state_' + self.mode)(line)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/mail/smtp.py", line 705, in dataLineReceived
m.eomReceived() for m in self.__messages
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/twisted/mail/smtp.py", line 705, in <listcomp>
m.eomReceived() for m in self.__messages
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/distributors/email/server.py", line 230, in eomReceived
self.responder.reply()
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/distributors/email/autoresponder.py", line 574, in reply
response = self.getMailData()
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/distributors/email/autoresponder.py", line 392, in getMailData
client, lang)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/distributors/email/autoresponder.py", line 101, in createResponseBody
bridges = context.distributor.getBridges(bridgeRequest, interval)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/distributors/email/distributor.py", line 145, in getBridges
with bridgedb.Storage.getDB() as db:
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/Storage.py", line 352, in __enter__
return next(self.gen)
File "/home/bridgedb/virtualenvs/bridgedb/lib/python3.7/site-packages/bridgedb-0.10.0+11.g4cdd6a61.dirty-py3.7.egg/bridgedb/Storage.py", line 472, in getDB
assert _REFCOUNT == 0
builtins.AssertionError:
```
Assignee: Philipp Winter (phw@torproject.org)

bridges@torproject.org Don't respond to gmail
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/33886
Updated: 2020-06-27T13:42:44Z
Author: Trac

hi,
I sent mail to bridges@torproject.org with body "get bridges" by gmail but it doesn't respond to me
**Trac**:
**Username**: mh828
Assignee: Philipp Winter (phw@torproject.org)