Team issues
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues
2023-07-03T17:31:20Z

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/86
migrate away from git.torproject.org
2023-07-03T17:31:20Z
meskio <meskio@torproject.org>

The plan is to deprecate git.tpo (https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472). Let's migrate away from it.
Needed tasks:
* [ ] decide a commit signing workflow that works for us (https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/8)
* [x] migrate go packages to use gitlab.tpo instead of git.tpo as their module name.
* [x] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure
* [x] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek
* [x] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake
* [x] move goptlib to gitlab.
* [x] make sure TB, guardian project and others use the new repos

meskio <meskio@torproject.org>
2024-03-31

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/114
GetTor is replying with TB win32 binary by default
2023-01-11T15:54:13Z
Gus

When I email gettor@tpo with "windows" on the subject, the service is sharing automatically win32 binary:
```
This is an automated email response from GetTor.
You requested Tor Browser for win32.
Step 1: Download Tor Browser
First, try downloading Tor Browser from our mirrors:
```

meskio <meskio@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/109
Tor Browser 12.0 will only ship a single multi-locale bundle
2022-12-13T14:06:40Z
richard

There will only be 1 version of Tor Browser per platform rather than the current 36; all locales will be bundled in a single package. Get Tor should be updated appropriately.

meskio <meskio@torproject.org>
2022-12-16

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/99
Do obfs4 settings bridges work better in China and Hong Kong?
2022-11-28T13:25:47Z
meskio <meskio@torproject.org>

Right now in China in the circumvention map we recommend snowflake, which in user research has been behaving very slow there. And in Hong Kong we don't provide any configuration, so if tor fails to connect TB will try to use the builtin bridges.
Let's configure both countries to use obfs4 settings bridges. We'll wait 10 days after enabling them and see if there is an increase of users and/or complaints from them in the support channels.
cc: @gus @duncan

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
meskio <meskio@torproject.org>
2022-11-09

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/100
meek-azure bridge (cymrubridge02) is offline since October 4
2022-11-15T18:41:38Z
Gus

Following the [survival guide](https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Survival-Guides/meek-Survival-Guide), we discovered that cymrubridge02 is offline and so is meek-azure. Although there is a deprecation plan for this PT, I still think it's very useful for users.

micah <micah@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/31
Bump the version of snowflake used in the plugin
2022-11-07T17:23:58Z
Cecylia Bocovich

We're using an old version of Snowflake for this event. We should probably bump it and make sure it works for the test event.

itchyonion

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/89
review signal gettor bot
2022-10-04T17:57:42Z
meskio <meskio@torproject.org>

https://gitlab.com/george/signal-gettor
https://gitlab.torproject.org/n0toose/signal-gettor

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
meskio <meskio@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/83
Creating a version of Tor Browser with patched Snowflake client that includes supported_groups censorship countermeasure
2022-10-04T17:51:03Z
shelikhoo

@dcf suggested that we could create a version of Tor Browser that includes Snowflake with [patch](https://github.com/pion/dtls/pull/474) applied to help users that could potentially be impacted by [this](https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030) type of censorship.
IRC Log:
```
[5:21:03 pm] <dcf1> Okay my discussion point is about DTLS fingerprinting in Russia
[5:21:23 pm] <+shelikhoo> yes
[5:21:35 pm] <+shelikhoo> right now, according to the vantage point we have
[5:21:57 pm] <+shelikhoo> snowflake is working in our vantage point in russia
[5:22:04 pm] <dcf1> The summary is that UDP packets matching the pattern `^\x16\xfe[\xfd\xff].{X}\x00\x1d\x00\x17\x00\x18` are getting blocked, where X is a small number of distinct offsets
[5:22:53 pm] <dcf1> My understanding is that snowflake only works in some configurations of pion/browser and client/server. Sorry, let me check my notes quick.
[5:24:05 pm] <dcf1> The concise way of saying it is: snowflake fails to connect if either side uses a Pion client.
[5:24:13 pm] <dcf1> Pion peer acts as TLS server -> ok
[5:24:19 pm] <dcf1> *DTLS
[5:24:25 pm] <dcf1> Browser peer acts as DTLS client -> ok
[5:24:37 pm] <dcf1> Pion peer acts as DTLS client -> not ok
[5:25:01 pm] <dcf1> Pion peer could be snowflake-client, or could be proxy-go.
[5:25:30 pm] <dcf1> The choice of whether a user's snowflake-client acts as a DTLS client or server may depend on their NAT
[5:25:41 pm] <dcf1> So the blocking rule may affect some NAT types more than others
[5:26:23 pm] <dcf1> Another way of stating the above rule is: snowflake only works if using a browser proxy (not a proxy-go proxy), and only if snowflake-client takes the DTLS server role in the connection
[5:27:11 pm] <dcf1> ValdikSS has a pull request with pion https://github.com/pion/dtls/pull/474 to change up the supported_groups extension that is part of the matching rule
[5:27:31 pm] <dcf1> I'm not so sure about this idea, because it may make the snowflake fingerprint even more distinctive
[5:27:58 pm] <+arma2> shelikhoo: sounds like we might want to split the vantage point test into several tests, where we try various types of snowflake proxies
[5:28:27 pm] <dcf1> One thought I had was to insert a padding or other no-op extension to adjust the offsets. that would create a new fingerprint too, but is probably less work to implement and more agile
[5:29:33 pm] <dcf1> There is perhaps no need for urgent action on this, but I am wondering if there is some class of users for whom snowflake is completely blocked. maybe, maybe not
[5:29:39 pm] <+shelikhoo> dcf1: yes, and we would need a world wide deployment of this for the snowflake proxy
[5:29:52 pm] <dcf1> shelikhoo: no, not necessarily.
[5:30:56 pm] <dcf1> If we patch snowflake-client, that takes care of one end of the connection. If the blocking rule was "Pion client", and it happened that all of a certain class of users were *always* clients, then altering the Pion fingerprint on the client side alone could be sufficient
[5:31:54 pm] <dcf1> One way forward would be to (temporarily) fork pion/dtls in the Tor Browser alpha. Then we could ask users to try the alpha release. Or even a one-off special build of the browser like we sometimes do.
[5:32:25 pm] <+shelikhoo> arma2: I think right now we don't have a way to specify whether a WebRTC peer is a client or server
[5:32:41 pm] <+shelikhoo> but I can look into this
[5:33:06 pm] <+shelikhoo> dcf1: Yes. we can try to create a version of snowflake-client with the patch applied
[5:33:08 pm] <dcf1> https://gitweb.torproject.org/builders/tor-browser-build.git/commit/?id=7ffd69a21b8a408a2be9cfdbe7401e1a7f974310
[5:33:12 pm] <+shelikhoo> and see how it works
[5:33:20 pm] <dcf1> ^ example of when we temporarily forked pion/dtls before
[5:34:55 pm] <dcf1> https://archive.org/details/@torproject
[5:35:02 pm] <dcf1> https://archive.org/details/snowflake-ru_snowflake_fix-20211208-ae7cc478fd34
[5:35:07 pm] <dcf1> https://archive.org/details/tor-browser-snowflake-ampcache-10.5.3
[5:35:17 pm] <dcf1> ^ examples of one-off Tor Browser builds made for testing
[5:36:37 pm] <dcf1> That is all from me on this topic, I just wanted to refresh awareness of it
[5:36:41 pm] <+shelikhoo> I will create a ticket for creating an specialized version of snowflake with this patch applied
[5:36:52 pm] <+shelikhoo> is there such a ticket already?
[5:37:23 pm] <dcf1> not that I'm aware, there is only https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030 for the general observation of blocking
[5:37:24 pm] [+zwiebelbot] tor:tpo/anti-censorship/censorship-analysis#40030: IRC Tip about Signature used to block Snowflake in Russia, 2022-May-16 - https://bugs.torproject.org/tpo/anti-censorship/censorship-analysis/40030
[5:38:30 pm] <+shelikhoo> No, I think I can create one. It should give this issue more visibility
```

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/62
Prepare for s28 PI meeting: May 10 2022
2022-09-01T23:42:21Z
Cecylia Bocovich

We've got to make slides, wrap up any ongoing work that we want to report, and coordinate with the rest of our group about what our story/goals are.
We should gather the information we need some days before May 11 (say, by May 5 latest), so there is enough time to organize it into a coherent presentation and enough time to notice missing things (e.g. graphs and diagrams) and collect them too.

Sponsor 28: ONLY PHASE 3 Reliable Anonymous Communication Evading Censors and Repressors (RACECAR)
2022-05-11

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/85
is Wolpertinger being used?
2022-07-21T10:22:02Z
Gaba <gaba@torproject.org>

It seems that nobody is using Wolpertinger anymore. If nobody is using it we are going to
- [x] turn off the service and
- [x] archive the project.
Please add any concern or comment to this ticket if not.
https://gitlab.torproject.org/tpo/anti-censorship/wolpertinger

meskio <meskio@torproject.org>
2022-07-22

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/73
Write and submit a defcon 2022 talk: censorship, russia, snowflake, bridge distribution, etc
2022-06-22T18:52:29Z
Roger Dingledine

We have two general directions we might take this talk submission:
My original idea had been to focus on network health and bad relays: in particular, what it means to be a good relay, patterns of bad relays, attacks we've seen in the past and how we handled them and what we need to change to handle them better -- generally, how that arms race can go, so we have clearer public discussion of the topics, and a video that can get everybody up to speed over the next few years.
Isa and the comms team are lobbying for a different topic though, which is a follow-up to the 2019 censorship talk, focusing on what's going on with Russia / Ukraine, the previous data points from Kazakhstan, the huge ramp-up in bridges and snowflakes and snowflake users, alternate bridge distribution approaches like via telegram, what is working well and what needs more work, and generally how the Tor geek audience can help.
I have to say that second one has some strong arguments in favor: the two biggest arguments are (a) it is a *timely* topic, i.e. now really is much better than later, and (b) I am already gathering a lot of this info, and organizing it into presentations, for the s28 talks, so pulling it together the rest of the way isn't so big a lift.
Cc'ing @gk and @meskio and @shelikhoo so they can know this is a topic (and that we are deciding between topics).

Roger Dingledine

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/9
Implement conjure as a pluggable transport
2021-09-02T14:28:37Z
Gaba <gaba@torproject.org>

Get [the refraction networking client](https://github.com/refraction-networking/gotapdance)'s code into a pluggable transport for Tor.
- [ ] get familiar with the Go code https://github.com/refraction-networking/gotapdance
- [x] create conjure repo in https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports for this new PT
- https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure
Any new issue to convert it into a PT will live in the new repository:
- Decide how we're going to do signaling -- maybe by reusing our Fastly domain fronting thing, if we don't like the signaling component Conjure uses now.
- Integrate into Tor Browser (including reproducible build)
- Verify that obfs4+conjure actually works
- Deploy bridge somewhere to receive traffic from already setup infrastructure
- Make sure we can still get our extorport-style metrics: if the conjure infra de-obfs4's the traffic, do we lose the features of the extorport, like passing along the country of the original user? If yes fix it somehow.

Sponsor 30 - Objective 2.3
Cecylia Bocovich

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/2
Task 1.1 Get some manual vantage points in key regions
2021-03-09T16:55:14Z
Gaba <gaba@torproject.org>

Get some manual vantage points in key regions, and automate scans of vanilla Tor, default Tor Browser bridges, vanilla and obfs4 bridges (both from bridgedb and unpublished), and meek.

Sponsor 28: Reliable Anonymous Communication Evading Censors and Repressors (RACECAR)