Anti-censorship issues
https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues
2024-02-27T18:55:47Z

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40004
exporting Go functions make the Android build 4x larger
2024-02-27T18:55:47Z
eighthave

I just noticed that the _snowflakeclient.aar_ that I've been building has ballooned in size from ~5mb to ~25mb by exporting a single function. Perhaps `gomobile bind` stops stripping the binary then? This is the diff that made it happen:
```diff
diff --git a/client/snowflake.go b/client/snowflake.go
index 02bbf1e..c024cd2 100644
--- a/client/snowflake.go
+++ b/client/snowflake.go
@@ -93,14 +93,14 @@ func parseIceServers(s string) []webrtc.ICEServer {
return servers
}
-func main() {
- iceServersCommas := flag.String("ice", "", "comma-separated list of ICE servers")
- brokerURL := flag.String("url", "", "URL of signaling broker")
- frontDomain := flag.String("front", "", "front domain")
- logFilename := flag.String("log", "", "name of log file")
- logToStateDir := flag.Bool("log-to-state-dir", false, "resolve the log file relative to tor's pt state dir")
+func Load() {
+ iceServersCommas := flag.String("ice", "stun:stun.l.google.com:19302", "comma-separated list of ICE servers")
+ brokerURL := flag.String("url", "https://snowflake-broker.azureedge.net/", "URL of signaling broker")
+ frontDomain := flag.String("front", "ajax.aspnetcdn.com", "front domain")
+ logFilename := flag.String("log", "snowflakeclient.log", "name of log file")
+ logToStateDir := flag.Bool("log-to-state-dir", true, "resolve the log file relative to tor's pt state dir")
keepLocalAddresses := flag.Bool("keep-local-addresses", false, "keep local LAN address ICE candidates")
- unsafeLogging := flag.Bool("unsafe-logging", false, "prevent logs from being scrubbed")
+ unsafeLogging := flag.Bool("unsafe-logging", true, "prevent logs from being scrubbed")
max := flag.Int("max", DefaultSnowflakeCapacity,
"capacity for number of multiplexed WebRTC peers")
```
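Review bot: The `unsafe-logging` default flips to `true` in this hunk, which by the flag's own help text means logs are no longer scrubbed, and with `log` now defaulting to `snowflakeclient.log` and `log-to-state-dir` to `true`, anyone calling `Load()` gets an unscrubbed log file written without asking for it. Keep `unsafe-logging` at `false`, and pass the ICE servers, broker URL and front domain in as arguments to `Load()` instead of baking them into flag defaults; as written, `Load()` takes no arguments and still defines its settings through `flag`, so a caller of the exported function has only these defaults to work with.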
Here are two builds with binary artifacts to compare:
* https://gitlab.torproject.org/eighthave/snowflake/-/jobs/659
* https://gitlab.torproject.org/eighthave/snowflake/-/jobs/721
@n8fr8

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/68
Nondeterministic Unit Testing Result Created by TestImapExistingInbox
2021-12-10T15:45:08Z
shelikhoo

Currently, the unit testing named [TestImapExistingInbox](https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/blob/f7d0b7451e242a711f3c9887348b84a6ae054c38/pkg/presentation/distributors/common/email_test.go#L59) creates a [nondeterministic](https://gitlab.torproject.org/shelikhoo/rdsys/-/pipelines/17310/builds) test result.
It is possible that the issue is created by the race condition of listening on a port to create an IMAP test server and connecting to that port. If this is the case, this can be solved by waiting for a period of time before continuing to connect to that port (dirty solution) or passing a listener to the IMAP server so that any connection request created before the IMAP server is ready will be held instead of failing because of a refused connection.
shelikhoo

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/46
30152: Monitor GetTor statistics
2022-07-07T11:58:26Z
Hiro

We should make sure logs are logrotated before being deleted and we should collect aggregated stats about services and languages requested.
- [ ] make sure that the exported csv is not getting deleted
- [ ] sanitize csv to be sure that is safe for collector
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/40023
Go through process of distributing private bridges
2021-07-15T17:32:56Z
Philipp Winter phw@torproject.org

Over at legacy/trac#31872, we created a process for distributing private bridges to NGOs:
https://trac.torproject.org/projects/tor/wiki/org/teams/AntiCensorshipTeam/NGOBridgeSupport
It's now time to go through this process with a non-trivial number of censored users. Once we did, we need to document our experience and iteratively improve the process.
Sponsor 30 - Objective 2.3
Gus

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40060
server is still logging io.ErrClosedPipe errors because of wrapped errors
2022-01-07T16:46:16Z
David Fifield dcf@torproject.org

Despite !30, the Snowflake server is still logging `io.ErrClosedPipe` errors:
```
2021/06/24 17:41:12 error copying WebSocket to ORPort readfrom tcp [scrubbed]->[scrubbed]: io: read/write on closed pipe
2021/06/24 17:46:11 acceptStreams: io: read/write on closed pipe
2021/06/24 17:46:33 error copying WebSocket to ORPort readfrom tcp [scrubbed]->[scrubbed]: io: read/write on closed pipe
2021/06/24 18:20:20 error copying ORPort to WebSocket io: read/write on closed pipe
```
The reason is that the errors are not really `io.ErrClosedPipe`; they are wrapped by [`errors.WithStack`](https://pkg.go.dev/github.com/pkg/errors#WithStack) in kcp-go. You can see the difference using `log.Printf("%T", err)`, which yields `*errors.withStack`.
I was having the same problem in the dnstt server. I solved it by using [`errors.Is`](https://pkg.go.dev/errors#Is) from the [go1.13 errors interface](https://blog.golang.org/go1.13-errors), rather than plain equality.
https://repo.or.cz/dnstt.git/commitdiff/e4dc2883efea932f1da62ef35c3e88806aed9eea

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/18
Implement an association table for proxies and users
2020-10-23T20:19:49Z
Philipp Winter phw@torproject.org

The current mapping in Salmon between proxies and users is messy. It would be simpler to implement a data structure that implements a bi-directional mapping between proxies and users.
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/issues/10
Follow Prometheus's suggestions on metrics and label naming
2020-12-18T23:17:15Z
Philipp Winter phw@torproject.org

Anarcat [pointed out](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40080#note_2717373) that bridgestrap's use of Prometheus metrics is not idiomatic. Our metrics names need to be revised and we can simplify metrics collections by [using labels](https://prometheus.io/docs/practices/naming/).
Sponsor 30 - Objective 2.3
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/19
Move distributors to their own packages
2020-10-23T20:38:12Z
Philipp Winter phw@torproject.org

Both our HTTPS and Salmon distributors currently live in the same package and therefore share a namespace. That's not a good idea, so let's make a separate package for each distributor.
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/issues/11
Why did bridgestrap's obfs4proxy terminate?
2022-07-09T04:22:27Z
Philipp Winter phw@torproject.org

When bridgestrap starts, it spawns a tor process, which spawns obfs4proxy. I just noticed that obfs4proxy terminated but tor was still running. Here are tor's last three log messages:
```
Dec 02 22:42:02.000 [notice] Tor 0.4.6.0-alpha-dev (git-3c1d58870cee7e56) opening log file.
Dec 02 22:42:02.000 [notice] Dropping existing bridge descriptor for $REDACTED
Dec 02 22:42:02.000 [warn] Pluggable Transport process terminated with status code 0
```
Obfs4proxy dying on us basically breaks bridgestrap. We gotta figure out what went wrong.

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/20
Split Salmon code into separate source code files
2021-01-21T21:55:53Z
Philipp Winter phw@torproject.org

salmon.go currently counts 609 lines of code. We should take some of its functionality (in particular the data structures for proxies, users, and associations) and move it to separate source code files.
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/issues/13
Create a Prometheus dashboard for bridgestrap metrics
2020-12-12T17:24:02Z
Philipp Winter phw@torproject.org

We are now collecting metrics and it's time to turn these metrics into a dashboard that shows all things we care about, at a glance.
Sponsor 30 - Objective 2.3
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/issues/14
Listing microseconds in bridgestrap status output is confusing
2021-06-10T14:16:52Z
Roger Dingledine

(This ticket is just a simple UX improvement, but hopefully still a useful one :) I've tagged it as 'First Contribution' since it's a good opportunity for somebody to get some experience making a git commit etc.)
Compare the current output format:
```
* obfs4: dysfunctional
Error: timed out waiting for bridge descriptor
Last tested: 2021-01-17 10:38:22.671859857 +0000 UTC (8h41m42.941665234s ago)
```
to this simpler alternative:
```
* obfs4: dysfunctional
Error: timed out waiting for bridge descriptor
Last tested: 2021-01-17 10:38:22 +0000 UTC (8h41m42s ago)
```
At present, having so much precision in the fraction of the seconds draws the reader's eye to that number, and that number is the least important part of the output.
Thanks!

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40081
debian package fails to build in i386
2022-05-03T19:23:11Z
meskio meskio@torproject.org

It looks like the tests are failing on the debian package build:
https://buildd.debian.org/status/fetch.php?pkg=snowflake&arch=i386&ver=1.1.0-2&stamp=1637172884&raw=0
```
=== RUN TestBrokerInteractions
Proxy connections to broker ✔
polls broker correctly ✔✔✔
handles poll error ✔2021/11/17 18:04:40 Error reading broker response: invalid character 'e' in literal true (expecting 'r')
2021/11/17 18:04:40 body: test
✔✔
sends answer to broker ✔✔✔✔✔
handles answer error panic: test timed out after 10m0s
```
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/14
Build conjure reproducibly in Tor Browser
2023-02-01T15:13:39Z
Cecylia Bocovich

Add a conjure project to [tor-browser-build](https://gitlab.torproject.org/tpo/applications/tor-browser-build/) to produce a Conjure client binary and relevant torrc defaults.
Ship Conjure in Alpha versions of Tor Browser
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30878
Set up snowbox to simulate censorship
2021-02-16T22:11:38Z
Cecylia Bocovich

We can use the VPS in china to see how current blocking affects Tor clients. But it doesn't tell us:
- How this impacts the user experience of Tor Browser
- How future plausible censorship events will impact the experience of Tor Browser
- How misbehaving snowflake proxies will impact the experience of Tor Browser
We should try to set up our current testing environment to do some of these things.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30350
Hello, in China, currently, Tor Browser 8.5a11 version can't connect to Tor network through Snowflake bridge.
2023-08-02T00:08:18Z
Trac

Hello, in China, currently, Tor Browser 8.5a11 version can't connect to Tor network through Snowflake bridge. On this April 17th, in China, Tor Browser 8.5a11 version can connect to Tor network through Snowflake bridge. But currently, in China, Tor Browser 8.5a11 version can't connect to Tor network through Snowflake bridge. Does China's firewall block all of the Snowflake bridges? " Tor failed to establish a Tor network connection. Connected to a Tor relay failed. (done - 0.0.3.0:1) " is shown in connection interface.
Below are the Tor log messages.
```
5/1/19, 05:10:31.667 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/1/19, 05:10:37.818 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/1/19, 05:10:37.818 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/1/19, 05:10:37.818 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/1/19, 05:10:37.818 [NOTICE] Opening Socks listener on 127.0.0.1:9150
5/1/19, 05:10:37.818 [NOTICE] Opened Socks listener on 127.0.0.1:9150
5/1/19, 05:10:38.802 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
5/1/19, 05:10:38.803 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
5/1/19, 05:11:21.559 [NOTICE] Bootstrapped 10% (conn_done): Connected to a relay
5/1/19, 05:11:51.686 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 1; recommendation warn; host 2B280B23E1107BB62ABFC40DDCC8824814F80A72 at 0.0.3.0:1)
5/1/19, 05:11:51.687 [WARN] 1 connections have failed:
5/1/19, 05:11:51.687 [WARN] 1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
5/1/19, 05:11:51.702 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
5/1/19, 05:11:51.702 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
5/1/19, 05:11:51.702 [WARN] Pluggable Transport process terminated with status code 0
```
Could you please solve this problem? Thank you very much for your help. I really appreciate it.
**Trac**:
**Username**: amiableclarity2011

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/20943
Clarify documentation for obfs4 setup
2020-06-27T13:43:47Z
Trac

I'd like to provide feedback on configuring a Tor bridge with obfs4 enabled.
It was difficult, and it took me several hours to figure it out, because the installation guides that I found weren't clear enough.
Maybe this feedback can help to clarify the existing guides that talk about obfs4 configuration.
First, I read a suggestion somewhere to use
ExtORPort auto
which defines the port used by obfs(4)proxy, and that port should ideally be bound to localhost only.
The above was a major source of confusion, it never worked for me. Only when I eventually looked at the README for obfs4proxy, which suggested to use a
ServerTransportListenAddr
configuration, I realized that the earlier statement might have been incorrect.
Second, it seems that ORPort must be port 443. With other ports, TBB gave me complaints that it failed to access the bridge IP with the configured bridge port, although that port was clearly reachable. Only after I configured ORPort to use 443 that error message on the client side went away.
Third, it was confusing which hash/fingerprint must be used in the bridge configuration line.
Looking at the tor logfile, it prints two different lines with fingerprints:
Your Tor server's identity key fingerprint is '...first-hash...'
Your Tor bridge's hashed identity key fingerprint is '...second-hash...'
From my naive point of view, it seemed obvious to use the second-hash, because it's labeled as being the bridge hash.
But I found that it only works, if I use the first server identity hash.
Fourth, for the configuration values PORT-FOR-OBFS4 and PORT-FOR-OBFS3, you should pick numbers greater than 1024, because otherwise obfs4proxy might have trouble using that port.
Also, because I am installing on a host with multiple IP addresses, I'm providing the additional configuration parameters that are required to bind everything to the correct IP.
Below is what I use in /etc/tor/torrc:
```
ORPort IPADDRESS:443
Address IPADDRESS
OutboundBindAddress IPADDRESS
## 0 means: private bridge, do not publish
## 1 means: bridge information automatically published
PublishServerDescriptor 0
SocksPort 0
BridgeRelay 1
Exitpolicy reject *:*
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy --enableLogging --logLevel=INFO
ServerTransportListenAddr obfs4 IPADDRESS:PORT-FOR-OBFS4
ServerTransportListenAddr obfs3 IPADDRESS:PORT-FOR-OBFS3
NickName BRIDGE-NICKNAME
Log notice file /var/log/tor/notice.log
```
Note you must replace all of the following identifiers with your own values:
- BRIDGE-NICKNAME
- IPADDRESS
- PORT-FOR-OBFS4
- PORT-FOR-OBFS3
Start Tor (e.g. service tor start)
Search for your fingerprint:
grep -i "server.*fingerprint" /var/log/tor/notice.log | tail -1
In the line that is printed, use the code at the end, which looks like: ABDEF1234567890ABDEF1234567890ABDEF12345
(And use your own code below, where this document uses ABDEF1234567890ABDEF1234567890ABDEF12345)
Get some additional parameters that the obfs4 client configuration requires:
cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
You need information from the line that looks like:
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=bla-bla-bla-bla-bla-bla-bla-bla iat-mode=0
Now you can assemble the complete line to use your bridge, again, replace the values with the correct ones:
obfs4 IPADDRESS:PORT-FOR-OBFS4 ABDEF1234567890ABDEF1234567890ABDEF12345 cert=bla-bla-bla-bla-bla-bla-bla-bla iat-mode=0
The above configuration also enabled obfs3 on a separate port. The configuration line for the obfs3 bridge is simpler:
obfs3 IPADDRESS:PORT-FOR-OBFS4 ABDEF1234567890ABDEF1234567890ABDEF12345
**Trac**:
**Username**: kaie

https://gitlab.torproject.org/tpo/anti-censorship/emma/-/issues/1
Facilitate cross-compilation for OS X
2020-06-22T17:28:17Z
Philipp Winter phw@torproject.org

We currently only compile emma for Windows and Linux. People on OS X want to run it too.
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-mobile/-/issues/1
WebSocket Initialization
2020-06-28T00:04:55Z
HashikD

WebSocket initialization or base code to make WebSocket connection work.
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/bridge-port-scan/-/issues/1
/scan/ URL requires a trailing slash
2020-07-02T00:54:18Z
David Fifield dcf@torproject.org

During the [2020-06-30 Internet Measurement Village talk](https://www.youtube.com/watch?v=g6xEfNHkFKY), participants in chat tried to access a URL that doesn't work:
* https://bridges.torproject.org/scan ([archive](https://web.archive.org/save/https://bridges.torproject.org/scan)) gives status 404
It only works if you include the trailing slash:
* https://bridges.torproject.org/scan/ ([archive](https://web.archive.org/web/20200630152455/https://bridges.torproject.org/scan/))