Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Updated: 2020-06-13T18:31:29Z

Create a shim that hooks up wolpertinger with bridgestrap
https://gitlab.torproject.org/legacy/trac/-/issues/34258
Updated: 2020-06-13T18:31:29Z
Author: Philipp Winter <phw@torproject.org>

We designed bridgestrap to help BridgeDB with testing bridges but it can also help us measure censorship. The idea is to deploy bridgestrap instances on VPSs and have them ask wolpertinger for bridges to test. [This diagram](https://lists.torproject.org/pipermail/anti-censorship-team/attachments/20200512/e2509feb/attachment-0001.pdf) shows the big picture.
We could build this functionality directly into bridgestrap but it would be cleaner to write a separate tool that relays information between wolpertinger and bridgestrap.
Assignee: Philipp Winter <phw@torproject.org>

Use emma to learn where our bridge distribution mechanisms (don't) work
https://gitlab.torproject.org/legacy/trac/-/issues/34153
Updated: 2020-06-13T18:31:28Z
Author: Philipp Winter <phw@torproject.org>

We have [BridgeDB usage metrics](https://collector.torproject.org/archive/bridgedb-metrics/) that allow us to infer where our HTTPS frontend works and probably doesn't work. This is not as easy for email and for moat because we currently don't see the source address of a client (see #32276).
Emma however can tell us if a user can use each of BridgeDB's distribution mechanisms:
1. It checks if the page behind https://bridges.torproject.org contains the string "The Tor Project" (for the HTTPS distributor).
2. It checks if the page behind https://ajax.aspnetcdn.com contains the string "Microsoft Ajax Content Delivery Network" (for the moat distributor).
3. It checks if the page behind https://accounts.google.com/ServiceLogin contains the string "Sign in" (for the email distributor).
4. It checks if the page behind https://mail.riseup.net/rc/ contains the string "Welcome to mail.riseup.net" (also for the email distributor).
What remains is to ask volunteers in different countries to run emma, so we can get a better idea of where our distribution mechanisms (don't) work.

Tor in China (Android) stops at 5%
https://gitlab.torproject.org/legacy/trac/-/issues/33219
Updated: 2020-06-13T18:31:28Z
Author: Trac

== Description
I am currently in China and since yesterday morning I cannot connect my tor browser on my phone unless I use another VPN service (which is very slow, so I would like to not use it). It is always stopping at 5%, I changed from mobile data to wifi, both do not work. I guess this is coincidence, but the problem occurred after I had tor opened while playing the Chinese PUBG (吃鸡).
== Protocols
```
- Einstellungen im Tor-Dienst werden aktualisiert /updating Tor applications
- updating torrc custom configuration...
- success.
- checking binary version: 0.4.1.5-rc-openssl1.0.2p
- Orbot startet …
- Connecting to control port: 44003
- SUCCESS connected to Tor control port.
- SUCCESS - authenticated tor control port.
- Took ownership of tor control port.
- adding control port event handler
- SUCCESS added control port event handler
- NOTICE: Opening Socks listener on 127.0.0.1:9150
- NOTICE: Opened Socks listener on 127.0.0.1:9150
- NOTICE: Opening DNS listener on 127.0.0.1:5400
- NOTICE: Opened DNS listener on 127.0.0.1:5400
- NOTICE: Opening Transparent pf/netfilter listener on 127.0.0.1:9140
- NOTICE: Opened Transparent pf/netfilter listener on 127.0.0.1:9140
- NOTICE: Opening HTTP tunnel listener on 127.0.0.1:8218
- NOTICE: Opened HTTP tunnel listener on 127.0.0.1:8218
- Tor-Programm wird gestartet … abgeschlossen. /Tor program gets started - finished
- NOTICE: Bootstrapped 5% (conn): Connecting to a relay
- Netzwerkverbindung ist vorhanden. Tor wird aktiviert … /network connection available. Tor will be activated...
- NOTICE: Your system clock just jumped 134 seconds forward; assuming established circuits no longer work.
```
**Trac**:
**Username**: TiC

Analyse the "Carbon Reductor DPI X" DPI system
https://gitlab.torproject.org/legacy/trac/-/issues/32095
Updated: 2020-06-13T18:31:27Z
Author: Philipp Winter <phw@torproject.org>

See https://github.com/net4people/bbs/issues/15
Let's take a look at the DPI system and see what we can learn from it. Hopefully, it will help us refine our threat models.

Using An Alternative To TCP To Avoid Packet Injection?
https://gitlab.torproject.org/legacy/trac/-/issues/32026
Updated: 2020-06-13T18:31:26Z
Author: Trac

According to https://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf , the GFW only injects packets, mostly TCP RST signals. What if TOR has bridges/servers that do not respond to TCP RST? This would render the connection interfering part of GFW useless. Here, a connection ends only when both sides send an "END" signal to the other side with their private key for the connection only that is shared through the connection. We don't even need to obfuscate TOR traffic anymore as the packets are not blocked. With the DNS inspection, we could have IPs for bridges/servers, which do the DNS queries on non-censored DNS servers.
**Trac**:
**Username**: Aphrodites1995

Linked Tor Relays To Bypass Probing?
https://gitlab.torproject.org/legacy/trac/-/issues/31998
Updated: 2020-06-13T18:31:26Z
Author: Trac

As tor bridges are obtainable, one idea would be for a tor bridge to "link" with another tor bridge. Here, the bridges are obtained in pairs. What linking does is that the client has to send the exact message with sync (using different keys of course) to both bridges, after the bridges receive the message, one server claims the connection and then sees whether the other receives the message as well. This way, there are a lot more combinations to check for the censor.
**Trac**:
**Username**: Aphrodites1995

Browser problems
https://gitlab.torproject.org/legacy/trac/-/issues/31586
Updated: 2020-06-13T18:31:25Z
Author: Trac

Hi,
I am using a Windows 7 laptop and have been using your browser but lately after your updates the tabs are not loading anymore. I stay in UAE and your site is blocked here therefore had to reinstall a lower version to get access to your site.
**Trac**:
**Username**: fantasy_man59@yahoo.com

Directly Connect to tor
https://gitlab.torproject.org/legacy/trac/-/issues/31258
Updated: 2020-06-13T18:31:25Z
Author: Trac

In China mainland, the tor nodes were blocked many years ago. But recently, I found I can connect to tor without using Meek bridge.
What's happening? Is it related to tor changes (is new technology created?) or the network environment changes in China mainland (are the nodes released)?
If not above, what's happening?
**Trac**:
**Username**: tor_project

Test BridgeDB's distribution channels in controlled experiment
https://gitlab.torproject.org/legacy/trac/-/issues/30872
Updated: 2020-06-13T18:31:25Z
Author: Philipp Winter <phw@torproject.org>

As of June 2019, BridgeDB distributes bridges over HTTPS, email, and moat. We should find out which ones of these three distribution channels censors can break by injecting test bridges into all of them, and monitoring for how long these bridges continue to be reachable. For now, we should focus on China.
1. Set up at least three bridges; one for each of our three distribution channels. The bridges can use the `BridgeDistribution` tor option to tell BridgeDB how they choose to be distributed.
2. We may also want to disable the bridges' ORPort and use `AssumeReachable` to rule out the possibility that the censor found the bridge by discovering its ORPort somehow.
3. Have a client in China continuously test these bridges at random times, so we can learn when (and if) they stop being reachable.
4. Wait and keep an eye on the country code of clients who use these bridges. We shouldn't be collecting any more data because the bridges will be used by real users.
We probably want more than one bridge per distribution channel. For example, if our HTTPS bridge becomes blocked, we don't know for sure that the GFW is able to enumerate a large fraction of the HTTPS pool. Theoretically, a GFW engineer could have gotten the bridge after a single request to bridges.torproject.org. The more bridges we have, the more confident can we be in our results.
Also, we should understand how BridgeDB maintains its sub-hashrings per distribution channel.
Assignee: David Fifield <dcf@torproject.org>

Create lightweight censorship analyser for users
https://gitlab.torproject.org/legacy/trac/-/issues/30794
Updated: 2020-06-13T18:31:24Z
Author: Philipp Winter <phw@torproject.org>

Users occasionally show up on #tor and wonder why they are unable to connect to the network. We sometimes suspect censorship but it's often difficult to confirm this hypothesis. It would be useful to have a lightweight censorship analysis tool for users to run. Think of it as a small, specialised OONI: It should be a self-contained executable that tests if the user's computer can do the following:
* Connect to the TCP port of our directory authorities.
* Connect to the TCP port of a handful of relays.
* Connect to the TCP port of our default bridges.
* Resolve critical domains (e.g., bridges.tp.o) correctly.
* Fetch the index page of critical websites (e.g., bridges.tp.o) over HTTPS.
* Establish a TLS connection with a bridge authority and a relay.
* ...
The output of the tool can be a simple text file that the user can then email to us, or paste in a chat window. We originally had this idea several years ago and [documented it in a research paper](https://censorbib.nymity.ch/#Winter2013a) but nobody ever followed up. Such a tool could also be useful as part of an anti-censorship rapid response process.
If this sounds like a good idea, then I suggest that we build the tool in Go because 1) we have several talented Go hackers, 2) Go binaries are self-contained, and 3) [since Go 1.5](https://github.com/golang/go/wiki/WindowsCrossCompiling), cross-compiling for Windows seems relatively simple.
Assignee: Philipp Winter <phw@torproject.org>

Can the GFW still do DPI for "new" vanilla Tor?
https://gitlab.torproject.org/legacy/trac/-/issues/30500
Updated: 2020-06-13T18:31:23Z
Author: Philipp Winter <phw@torproject.org>

I heard from a team of researchers that they failed to get their vanilla bridge probed by the GFW, despite connections from several vantage points in China. I set out to test this myself. Here are the results:
1. I repeatedly established a vanilla Tor connection from a VPS in China (running 0.3.2.10) to a bridge in the U.S. (running 0.2.9.16, and later 0.4.1.0-alpha-dev).
2. All bridge connections bootstrapped to 100%. There was neither active probing nor blocking.
3. I then used the tool [tcis](https://github.com/nullhypothesis/tcis) on the China VPS to simulate a Tor handshake. The tool creates a TLS client hello as sent by a rather old Tor version -- I don't remember how old, exactly.
4. After running tcis, I immediately got my bridge probed and blocked.
The above makes me wonder if newer Tor versions changed their TLS handshake in a way that the GFW's DPI rules haven't caught up yet. It would be interesting to test this hypothesis and, if it's true, to find out what Tor changed in its TLS handshake.

TOR was blocked by my company.
https://gitlab.torproject.org/legacy/trac/-/issues/29855
Updated: 2020-06-13T18:31:23Z
Author: Trac

My company studied the tor connection methods and blocked them. You should allow tor to connect using an anonymous web proxy server. All one would need is to insert it as a connection option and tor will establish a circuit through the anonymous proxy server.
**Trac**:
**Username**: wanje
Assignee: David Fifield <dcf@torproject.org>

Huge drop of users in UAE
https://gitlab.torproject.org/legacy/trac/-/issues/28898
Updated: 2021-03-27T04:55:11Z
Author: anadahz

There is a huge [decrease of directly connecting clients from the United Arab Emirates](https://metrics.torproject.org/userstats-relay-country.html?start=2018-09-19&end=2018-12-18&country=ae&events=off):
![userstats-relay-country-ae-2018-09-19-2018-12-18-off.png, 75%](uploads/userstats-relay-country-ae-2018-09-19-2018-12-18-off.png, 75%)
Is this in any way related to #21345?
Assignee: David Fifield <dcf@torproject.org>

Kazakhstan
https://gitlab.torproject.org/legacy/trac/-/issues/28748
Updated: 2020-06-13T18:31:21Z
Author: Trac

Hello everyone. I can't start Tor in Kazakhstan.
Hey. I can not control the Tor in Kazakhstan.
**Trac**:
**Username**: Ridvanz
Assignee: David Fifield <dcf@torproject.org>

Obfs4 stopped working 16 Sept 18
https://gitlab.torproject.org/legacy/trac/-/issues/27723
Updated: 2021-03-27T04:55:11Z
Author: Trac

I was using obfs4 on 15 Sept 18, but shortly after midnight, it stopped working, and I'm using azure. I assume that's the only thing that works when obfs4 fails.
**Trac**:
**Username**: mwolfe
Assignee: David Fifield <dcf@torproject.org>

Venezuela blocks access to the Tor network
https://gitlab.torproject.org/legacy/trac/-/issues/26807
Updated: 2020-06-13T18:31:20Z
Author: Trac

https://www.accessnow.org/venezuela-blocks-tor/
> Access Now’s partners have confirmed that the Tor network — a widely used tool allowing users to browse the internet anonymously — was blocked in Venezuela last week over the government-owned internet service provider CANTV, by far the largest ISP in the country.
> “It seems that the government of Venezuela has found out how to do a very sophisticated block for the Tor network. It’s not only on the direct access channels, but also the bridges Tor provides to bypass that blocking,” said Melanio Escobar, Venezuelan technologist and journalist, and founder of Redes Ayuda.
**Trac**:
**Username**: ptdetector
Assignee: David Fifield <dcf@torproject.org>

Growth in bridge users in Iran circa 2018-05-01
https://gitlab.torproject.org/legacy/trac/-/issues/26087
Updated: 2020-06-13T18:31:19Z
Author: cypherpunks

https://metrics.torproject.org/userstats-bridge-country.html?graph=userstats-bridge-country&country=ir
Seems worth investigating as there are also recent reports of Tor not working in Iran, e.g.: https://blog.torproject.org/comment/275268#comment-275268
Assignee: David Fifield <dcf@torproject.org>

Bridge detector. Fake?
https://gitlab.torproject.org/legacy/trac/-/issues/26083
Updated: 2020-06-13T18:31:19Z
Author: cypherpunks

Some code for detection found. Is it real?
Assignee: cypherpunks

Report on Tor in the UAE (and question about Snowflake)
https://gitlab.torproject.org/legacy/trac/-/issues/25966
Updated: 2020-06-13T18:31:18Z
Author: Trac

Early in '17, Tor stopped working. Turned out, they'd turned on blocking, but obfs4 worked. Then obfs4 stopped, and someone suggested I try Snowflake, which worked back then. But Snowflake stopped working one day, and I learned it was alpha, and not well supported, so I switched to meek. Now I can't get Snowflake to work at all (Tor doesn't even load), but obfs4 is working again, and seems to work much better than meek.
**Trac**:
**Username**: mwolfe
Assignee: David Fifield <dcf@torproject.org>

Tor blocked in UAE
https://gitlab.torproject.org/legacy/trac/-/issues/25137
Updated: 2021-03-27T04:55:11Z
Author: Trac

On 1 Jan, I was unable to connect to a site I often use with Tor. It got 75% loaded and stopped. After 2 hours, I figured out the UAE had started blocking Tor, and switched to obfs4. This worked until today at midnight. So I switched to meek, which worked. I connected to one yahoo mail account, finished, closed Tor before switching to my other yahoo mail account (I don't want yahoo to know they're both me). Tor only loaded 25%. It downloaded the network consensus, but could not load the network consensus. I closed Tor and tried meek-Amazon and meek-azure, but always, Tor could not load the network consensus. So I switched to Openvpn, and was able to use Tor in normal mode, without a bridge. (Of course, I had to reset my computer clock to match the VPN address). Does anyone know how the UAE is blocking Tor so that it cannot load the network status, and what I can do about it (in case they figure out how to block Openvpn).
**Trac**:
**Username**: mwolfe
Assignee: David Fifield <dcf@torproject.org>