Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
Updated: 2023-06-27T18:34:40Z

Update description in Snowflake extension pages on Firefox and Chrome
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/55
Updated: 2023-06-27T18:34:40Z
Author: raya

There was a discussion in the Tor IRC channel that the description in the Snowflake extension Chrome webstore and Firefox add-ons page does not clearly distinguish between censored/uncensored users:
- https://addons.mozilla.org/en-GB/firefox/addon/torproject-snowflake/
- https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie
Opening the issue to say that I could work on updating the description in the next hour if the priority is high!
cc: @arma @gus @shelikhoo @meskio

Assignee: Cecylia Bocovich

add ways to process parameters based on argparse and/or environment variables instead of just .json
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/32
Updated: 2022-09-22T11:58:45Z
Author: n0toose

how to get conversations deleted?
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/28
Updated: 2023-10-03T18:41:53Z
Author: n0toose

Unfortunately, bot accounts cannot delete conversations from someone's history. Only users can.
How do we properly instruct users how and why to do that, if they are in a risky environment?
Related to https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/onionsproutsbot/-/issues/14

Assignee: n0toose

Investigate whether operating system names need to be translated
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/26
Updated: 2022-09-30T15:18:37Z
Author: n0toose

In Western countries, using the names of the operating systems in English works out just fine.
However, we do that *everywhere*, even for countries that do not always use a Latin alphabet by default.
![image](/uploads/be863b5474f0ce29f9ea912be893a688/image.png)
Now, most places (which aren't "Western") present their brands in both English and the primary language, or sometimes, just in English:
![image](/uploads/12c2d483b8787048493e8ad8b3ba582c/image.png)
![image](/uploads/a8c4e2f016f97d55b1c8d68b1473b52a/image.png)
This very often seems to depend on whether the brand name has an equivalent word in the language itself.
We should find out whether we should make the brand names of operating systems translatable.

Considering add a server version indication as connection parameter in obfs4
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/40009
Updated: 2022-10-04T17:06:02Z
Author: shelikhoo

Currently, we are encountering the issue that obfs4 servers are not updating to the most recent version, which is creating connection stability issues during the handshake phase.
We already proposed an [amendment](https://gitlab.torproject.org/tpo/core/torspec/-/merge_requests/63). However, it will take a while to get it accepted and working.
One way we could fix this right now is to add a new connection parameter to indicate the protocol version. This will allow the client to connect to the server in a way the server can understand.

Setting up a staging server for anti-censorship services
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/93
Updated: 2023-06-26T13:04:25Z
Author: shelikhoo

We are currently looking forward to having a staging server that automatically deploys in-development anti-censorship services from continuous integration.
We need to:
- Create a machine to run these staging services at TPA
- Create different accounts for different services
- Create an auto-update system (SSH connection to the staging service from CI)

Host the privacy policy on snowflake.torproject.org
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/83
Updated: 2023-04-11T18:38:11Z
Author: meskio (meskio@torproject.org)

Let's host the privacy policy (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/34) on the website:
https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/privacy/

Add Early Data support to WebTunnel
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/12
Updated: 2024-02-27T19:06:29Z
Author: shelikhoo

Currently, early data support (sending the first chunk of client data together with the HTTP GET request) is not implemented in WebTunnel.
This can slightly increase performance at the cost of increased code complexity.

Fix unreliable bufio usage in HTTP Upgrade transport
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/9
Updated: 2024-02-27T19:08:49Z
Author: shelikhoo

Currently, there are a few TODO-marked bufio usages that are unreliable, as the buffer is not drained before the original buffer is reused.

Assignee: shelikhoo

Add Tor PT Log feedback to WebTunnel Client
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/8
Updated: 2024-02-27T19:08:35Z
Author: shelikhoo

[Adding](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/merge_requests/1#note_2832380) Tor PT Log feedback will make it easier to debug issues in the pluggable transport.

Assignee: shelikhoo

Better handling of rejected connections at bridge
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/17
Updated: 2022-11-28T19:31:30Z
Author: Cecylia Bocovich

Since the Conjure PT bridge is just a generic haproxy server, we have an allowlist to only allow traffic from known Conjure stations.
Commit https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/commit/e0cc5a9660848b7e5756cdd80561fc05e3b5838a fixed this feature, but we still seem to be opening OR connections for connections that are rejected by the allowlist policy.
To conserve resources, perhaps we can check to see if the connection has been closed first, and improve logging.

Assignee: Cecylia Bocovich

Implement PT LOG messages for conjure client
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/16
Updated: 2024-02-14T16:59:40Z
Author: Cecylia Bocovich

There are many reasons why a client fails to make a connection to the bridge:
- phantom proxy registration fails
- the conjure station is overloaded
- the bridge rejects the connection due to its allowlist policy
Before we ask the dev community to test Conjure, let's make sure the error messages are informative and useful.

write text about changes in manifest v3
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/52
Updated: 2022-08-23T14:20:15Z
Author: Gaba (gaba@torproject.org)

add CI that checks for formatting
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/18
Updated: 2022-10-12T17:58:34Z
Author: n0toose

Black defaults, 88 character limit (when reasonable).

author comments for translators
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/17
Updated: 2023-06-27T18:51:02Z
Author: n0toose

Assignee: n0toose

Unify the bridgestatus and bridgestrap output formats
https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/bridgestatus/-/issues/1
Updated: 2023-01-26T15:46:45Z
Author: Roger Dingledine

I see some bridgestatus output files in this repo
and then there are the bridgestrap output files that we're tracking at e.g. https://collector.torproject.org/archive/bridgestrap/
Wouldn't it be cool if they both used the same output format? Since they are essentially measuring very similar / same things.
We could also use this as the opportunity to notice something that one of them records but the other doesn't, and consider it as a possible feature request.

Create a patch to remove Hello Verify Request in Snowflake's WebRTC
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40170
Updated: 2022-08-09T19:15:31Z
Author: shelikhoo

The Snowflake with [patched](https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/83) supported_groups [doesn't](https://ntc.party/t/testing-invitation-for-tor-browser-with-supported-groups-patch-countermeasure-in-snowflake-to-evade-censorship-observed-in-russia/2837/2) work. It is suggested that Hello Verify Request is now the signature being targeted.
```
16:07:39 <shelikhoo> the patched version we produced is not working]
16:08:12 <shelikhoo> and one of the possible reason that that Hello Verify is now censored
16:08:24 <shelikhoo> and one of the possible reason is that that Hello Verify is now censored
16:08:34 <dcf1> Hello Verify Request: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030#note_2823140
16:08:50 <shelikhoo> we could patch it again and generate an binary again
16:11:21 <shelikhoo> do we have an existing patch for removing Hello Verify?
16:11:28 <shelikhoo> that we can just apply?
16:11:48 <dcf1> Not as far as I know
16:15:26 <shelikhoo> I can create a ticket to track this issue.
16:16:34 <shelikhoo> https://gist.github.com/xiaokangwang/5cd4437d087b0159146b0cb9d09aa9a5
16:16:55 <shelikhoo> I received such an patch, but I forgot the exact context I got it...
16:18:14 <shelikhoo> I think it changes whether the local will be client or server to avoid some censorship
```

Update Snowflake Proxy in third party Distribution Channel: umbrel
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40169
Updated: 2023-07-27T15:19:55Z
Author: shelikhoo

Some users requested advice on updating the Snowflake proxy on umbrel, a server management software that has a software store.
We need to update this file to get it updated.
https://github.com/getumbrel/umbrel-apps/blob/master/snowflake/docker-compose.yml

Implement all BridgeDB functionality
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/117
Updated: 2023-11-23T10:48:13Z
Author: meskio (meskio@torproject.org)

Currently BridgeDB still has 3 distributors:
* [ ] https (#2)
* [ ] migrate lektor website from BridgeDB
* [x] ~~add captcha support~~
* [ ] implement IP based protections
* [ ] captcha moat
* [ ] implement /fetch and /check API with fake captchas (#173)
* [ ] email
* [ ] add dkim support
* [ ] implement bridge request email parsing

Assignee: meskio (meskio@torproject.org)

Dedicated Snowflake server port as a way to tell if host allows Snowflake connections
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40166
Updated: 2023-09-17T13:17:29Z
Author: WofWca (wofwca@protonmail.com)

Disclaimer: I'm no networking / information security expert.
I was thinking about using Snowflake for non-Tor applications (like 1/2-hop VPN).
Currently Snowflake proxies are configured to only forward connections to certain domains / domain patterns (i.e. the Snowflake Tor relay), which constrains the usefulness of Snowflake network to Tor only. Not only that, but it also doesn't allow for truly distributed Snowflake relay network (#40129).
And I thought - how about we allow clients to ask proxies to connect to arbitrary addresses, but only to certain port(s)?
This should limit its use for malicious purposes as a botnet, like DDOS (from both malicious clients and malicious broker). For further DDOS protection, proxies could set a timeout for server / client if a connection is rejected by the server (port is closed, or port is open, but host rejected the protocol (either transport-level, or data-level (i.e. there is a Snowflake-specific handshake)), or rejected the client with this IP (if it's forwarded), maybe something else).
Also, as was said in https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40248#note_2869324, probably need to reject local addresses.
Of course, more thorough analysis is required.