Snowflake WebExtension issues
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues
2024-03-18T17:30:14Z

Start disabled
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/91
2024-03-18T17:30:14Z
cypherpunks

Regardless of any other settings, I would suggest Snowflake never begin operating automatically upon installation, instead requiring the first use on any given device to be initiated manually.
I briefly had Snowflake installed on a personal device, where it was disabled while I looked into the possibility of using a DNS sinkhole to prevent the use of my connection for undesirable purposes. I had preemptively turned services.sync.addons.ignoreUserEnabledChanges on so that, once I was comfortable, enabling Snowflake on my personal device I would not inadvertently enable it on my work computer. I unexpectedly needed to have the work machine reset and did not disable this flag, so Snowflake was installed and enabled when I synchronised my settings. I responded quickly and uninstalled the extension entirely, but it appears to have been active for long enough to have routed a connection to the website of a violent extremist group that was identified and flagged by our IT systems. This incident has caused me to seriously reconsider the risk using Snowflake creates, not just to myself but also by inadvertently enabling uses like the connection in question despite my efforts to prevent doing so, and as a result I am highly unlikely to reinstall it.
That this situation involved a mistake on my part does not justify it as a possibility. It cannot be expected that no user will ever make such a mistake - even advanced users cannot be expected to never forget things - and if such a simple and potentially-unavoidable mistake can cause automatic operation to put the user at risk like this then safeguards should be put in place both to protect them and to avoid deterring them entirely.

Firefox Android support
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/88
2024-02-27T11:18:30Z
cypherpunks

Hi. 14 December, 2023 onwards, Firefox Android has now allowed all extensions to be installed on Android, as long as they are made (and marked as) compatible with it.
Could the Snowflake addon be updated to allow Android installs? Or is there any pending work before that can happen?

Snowflake web badge need 3rd-party cookies to run, which is unskilled in today's most browsers
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/84
2023-05-16T18:24:05Z
solids

Today most browsers set the default config to disable 3rd-party cookies; in Safari it's called "Prevent cross-site tracking", in Chromium-based browsers it's called "Block third-party cookies". For example, the badge on the website [relay.love](https://relay.love) will show "Cookies are not enabled." in my browser and it's not possible to run without re-enabling 3rd-party cookies, which will allow tracking websites to sneak into my privacy.

Snowflake is Off / WebRTC feature is not detected.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/81
2023-04-23T10:27:21Z
cypherpunks

I've just installed Snowflake via Chrome and it's not working. Can you confirm the process has been followed correctly? What have I done wrong - or not done at all? Thanks.

meta: fill the "donate" link on addons.mozilla.org
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/79
2023-08-01T18:44:42Z
WofWca (wofwca@protonmail.com)

![image](/uploads/1f3d212fb7ff1f3a2389c92ad083720e/image.png)
This will add the buttons on the extensions list and on the store page:
<details><summary>Like this</summary>
![image](/uploads/e4727d45059eb5d3b3ce8adb5ed2ff02/image.png)
![image](/uploads/9f7bf215b4235e0871f29d235f7f8e4a/image.png)
</details>
Related: #77

Toggle "Keep running when the browser is closed" doesn't activate when clicked
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/76
2023-01-10T19:11:35Z
cypherpunks

Infos about my system :
Opera browser Version : 93.0.4585.37 (Stable)
System: Windows 10 64-bit
Chromium version: 107.0.5304.122
Version of the Snowflake chrome extension : 0.7.0
The toggle on the Snowflake web extension called "Keep running when the browser is closed" doesn't activate. I've installed the extension through the Chrome web-store (since Opera can install extensions directly from the chrome webstore). But when I click on the toggle to activate it, nothing happens, it doesn't move, it doesn't activate and stays in the default disabled state. The other toggle titled "Enabled" above it works correctly though.

State that closing the browser while serving a client is ok
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/74
2022-12-13T17:04:10Z
WofWca (wofwca@protonmail.com)

Well, it's not super ok (otherwise maybe we need something like "close the browser after serving all clients"), but some people may get annoyed that they can't close the browser out of fear of dropping someone else's connection, so they might start turning off the extension some time before they're planning on closing the browser. So I think we need to state somewhere in the UI.

perf: reuse WebRTC certificates between connections
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/72
2022-11-15T18:34:01Z
WofWca (wofwca@protonmail.com)

Generating certificates takes a while, and by default (at least in browsers) they're generated for each new `RTCPeerConnection`.
In Firefox generating 1000 certificates takes 4 seconds (4ms per certificate) and 100% of one CPU core for me.
```js
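(async () => {
  const promises = [];
  for (let i = 0; i < 1000; i++) {
    // Each call generates a fresh ECDSA P-256 certificate.
    promises.push(RTCPeerConnection.generateCertificate({ name: "ECDSA", namedCurve: "P-256" }));
  }
  // Wait for all 1000 certificates to finish generating.
  await Promise.all(promises);
  console.log('done');
})()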
```
I don't think this affects bootstrapping performance much as in a good implementation they're generated in parallel. It's only a matter of not hogging device's resources.
Applies to the web extension as well.
Not sure how it affects privacy and security, but I don't think it should be a problem at least for proxies.

Visually modify snowflake extension badge to indicate NAT type?
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/57
2023-01-12T12:19:55Z
Roger Dingledine

As one concrete idea for the broader goal in https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/4 of gamification -- which I will define as steering users toward behaviors that are more valuable -- it occurred to me that NAT type (restricted vs unrestricted) is a super important feature for Snowflake volunteers these days.
What if we made the badge one color when snowflake decides it is restricted, and a different one if it decides it's unrestricted?
Then the next step would be some mechanism when you click on it for it to steer you toward what to do to become the better color -- which overlaps with https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40128.
(Doesn't have to be color based, since colorblindness etc is a thing. Just something that looks more successful and not quite as successful.)
Cc'ing @tpo/ux since gamification is totally a ux topic.

perf: separate proxy message handling into a `Worker`
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/49
2023-05-21T15:32:41Z
WofWca (wofwca@protonmail.com)

Unless there is a way to do #48, running `onmessage` handlers on a separate thread should reduce latency by allowing main thread code and `onmessage` to be executed at the same time, not sequentially. I think a `Worker` should be created for each `ProxyPair` (maybe even two workers, for client -> relay and relay -> client, but I'm not sure if it's possible to share a single `WebSocket`/`RTCPeerConnection` between two workers), although right now the default `maxNumClients` is `1` anyway.
Here's the current message passing code:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/blob/4b56f7a350ef78ac2f8888cdd15d529dada30f72/proxypair.js#L227-239
FYI `RTCDataChannel`s are [transferable](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Transferable_objects) objects (but it's not implemented in the majority of browsers yet) (but I'm not saying that the implementation would necessarily have to make use of that fact).

perf: keep-alive connection to broker/bridge
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/46
2023-02-04T09:39:10Z
WofWca (wofwca@protonmail.com)

I was snooping around in devtools and noticed that each `/proxy` request involves a new TLS handshake, if I'm not mistaken:
![image](/uploads/c66866d619447f9ebe97e725212252ae/image.png)
I think it'd be good for performance to keep the connection alive between requests.
This issue may also apply to [other pieces of the Snowflake project](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake), so maybe need to transfer it.
This shouldn't affect the bootstrap speed for clients since we connect to the bridge in parallel, so maybe not that important.
Looks like the `Keep-Alive` and `Connection` headers can't be set from within JS: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name. Idk how this can be done then.
Related: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/29736, https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40133,

There are gaps between polling requests for new clients
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/43
2023-01-02T16:53:54Z
WofWca (wofwca@protonmail.com)

I noticed that the request to the broker lasts for 10 seconds (if there are no available clients) and then finishes with "no clients" response, but the extension doesn't make a new request right away and waits for (I think) a minute or so. Which to me sounds bad. Practically we can't get a new client during that gap. Is there a reason for this? Should we change this? Also I noticed that sometimes there is a delay when connecting to Tor using a Snowflake bridge. Could this be related to this?

Lockscreen, screensaver disabled while a proxy session is active
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/36
2022-09-28T21:30:47Z
promeneur

openSUSE 15.3
Chrome 96
snowflake 0.5.4
When someone uses snowflake and uses webrtc protocol
then
my PC lockscreen and screensaver are disabled.
It's normal if I use webrtc but not if someone uses webrtc via snowflake.

Add a consent prompt to the snowflake webextension
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/35
2024-03-28T04:37:35Z
Cecylia Bocovich

The update to [Mozilla's addon policy](https://blog.mozilla.org/addons/2021/11/03/add-on-policy-changes-2021/) requires that users **opt-in** to the collection of personal information. Since IP addresses are considered personal information, and the IP address of snowflake proxies are sent to the broker and then to the connecting client, we should reflect this in our privacy policy (#34) and also make sure the user consents to this before enabling the Snowflake addon.

Migrate to Manifest V3
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/29
2024-02-13T21:15:19Z
Arlo Breault

https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/
> Replace background.page or background.scripts with background.service_worker in manifest.json. Note that the service_worker field takes a string, not an array of strings.
Summary about this migration in Chrome from the anti-censorship meeting on August 18th, 2022
```
16:29 <+cohosh> <summary>
16:29 <+cohosh> google proposed manifest v3 a while ago, and has come up with a timeline for deprecating support for manifest v2
16:29 <+cohosh> v2 extensions will no longer be supported on chrome/chromium starting january 2023
16:29 <+cohosh> the difference between v2 and v3 extensions is extensive, and drastically limits the types of actions and apis that extensions have access to
16:29 <+cohosh> this decrease in extension capabilities was done in the name of security and privacy, but as some have pointed out, is actually a privacy loss since it limits the performance of add blockers
16:29 <+cohosh> the EFF has written a few articles about it. most recently:
16:29 <+cohosh> https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-still-hurts-privacy-security-innovation
16:29 <+cohosh> the biggest issue for us is the move in v3 from allowing background pages, that have pretty much the same access as any javascript running in the browser, to what are called "service workers"
16:29 <+cohosh> service workers have access to a very limited set of apis: https://developer.chrome.com/docs/extensions/reference/
16:29 <+cohosh> note specifically that they do not have access to the webrtc api, which is what caused the issue that arlolra ran into when trying an initial update to v3 (snowflake-webext!21)
16:29 -tor:#tor-meeting- https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/merge_requests/21 - Draft: Migrate to Manifest v3
16:29 <+cohosh> there is an open issue in the chromium bug tracker for this: https://bugs.chromium.org/p/chromium/issues/detail?id=1207214
16:29 <+cohosh> and we've added to the discussion in both the web extension working group: https://github.com/w3c/webrtc-extensions/issues/77 and https://github.com/w3c/webextensions/issues/72
16:29 <+cohosh> unfortunately there's been no interest from google in supporting this for chrome so it seems unlikely that we'll be able to run snowflake proxies from a webextension in chrome based browsers after January 2023
16:29 <+cohosh> there are some other pain points of google's manifest v3 that affect snowflake in less fundamental ways
16:29 <+cohosh> including that extension icons are no longer visible from the browser bar, but hidden behind a puzzle icon
16:29 <+cohosh> the snowflake icon shows whether or not the proxy is currently in use and whether snowflake is been turned off due to errors
16:29 <+cohosh> some good news is that mozilla has responded to the discussions i linked above and is preserving support for background pages in their v3 implementation: https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps/ (thanks to arlolra for finding this)
16:30 <+cohosh> there are a few differences to how things work before, but i'm optimistic that we'll be able to get the current snowflake extension working for firefox's manifest v3
16:30 <+cohosh> although the timeline for that is not as urgent since firefox has not announced a deprecation timeline for v2 and it's likely to be supported for at least another year
16:30 <+cohosh> </summary>
16:33 <+shelikhoo> so if we take no action, then snowflake proxy will stop working on chrome and some of its forks from next year
```
Arlo Breault

Make sure browser proxies are terminating connections properly
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/19
2023-02-04T09:41:52Z
Cecylia Bocovich

We had a user in #tor mention that their snowflake icon is staying green for hours. If this really is a multi-hour browsing session, that's fine. But if it's due to a closed connection that keeps the snowflake out of commission then we should look into it.

Make a build for Safari and publish to the App Store
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/1
2022-09-28T21:32:18Z
Arlo Breault

https://developer.apple.com/videos/play/wwdc2020/10665/

localize screenshots on snowflake page
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/11
2021-06-17T14:19:28Z
Roger Dingledine

https://snowflake.torproject.org/?lang=zh_CN
scroll down to the picture of Tor Browser's network settings. That's an English Tor Browser. Should the Chinese version of the page be showing people using a Tor Browser in Chinese?