Skip to content

Draft: feat: allow client to specify relayURL directly

...instead of relying on the broker to know the URL by fingerprint.

This change is backwards-compatible, i.e. clients can still specify servers by fingerprint.

A side effect is that clients can now ask proxies to connect to an arbitrary port of the server, and provide an arbitrary HTTP path and query parameters (as long the proxy allows the specified hostname). Path being arbitrary should not really be a big concern for security, since the data being sent to the server through WebSocket is already arbitrary. The port thing can be fixed by !381 (closed).

This change does not affect proxy, since it is already receiving relayURL in the offer from the broker and checks that URL against its RelayDomainNamePattern.

It's worth mentioning that the broker, unlike the proxy, doesn't check the requested relayURL's scheme, so in fact the proxy might reject the client's offer based on the scheme, despite the client's request passing the broker's allowed-relay-pattern check.

With this change it is now possible to get rid of the broker's bridge-list-path parameter: the broker needs not be aware of the concept of "fingerprints". It only needs to check whether the proxies are able to connect to the server requested by the client (see allowed-relay-pattern). But of course we'd want to keep the "old way" at least for backwards-compatibility.

Motivation for the change

Snowflake is advertised to be a generic pluggable transport not specific to Tor, and the "fingerprint" thing is specific to Tor, so it is desirable to make Snowflake not reliant on that.

To be more practical, the current way (mapping fingerprints to URLs on the broker side) requires that the broker knows all the URLs that the clients might want to access through proxies. This is not good if someone wants to set up a Snowflake network where the proxies can connect to arbitrary (or more or less arbitrary) addresses. See

Things to check

  • Does the metrics code need to be updated?
  • I did not test the client binary with Tor browser (the relay-url SOCKS parameter). Using as a library works good.
  • If you are feeling conservative, we can add a parameter to the broker that disallows the new behavior (i.e. disallow clients to specify relayURL directly).
Edited by WofWca

Merge request reports