Team issues
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues
2024-03-15T17:12:53Z

Fastly blocked domain fronting
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/135
2024-03-15T17:12:53Z
Gus

It seems Fastly has started to block domain fronting today (2024-03-01):
```
Requested host does not match any Subject Alternative Names (SANs) on TLS certificate [0cc7e46ae66a20cf2bce81a1fb4bc83c2b27d310f7177487dfb9665316892903] in use with this connection.
```
@ValdikSS reported this issue 3 days ago on Net4people BBS: https://github.com/net4people/bbs/issues/309#issuecomment-1968514057
This issue is affecting:
- Moat, Connection Assist, and Snowflake.
For Snowflake, meek-azure broker seems to be working fine:
```
Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.azureedge.net/ fronts=ajax.aspnetcdn.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA https://snowflake-broker.azureedge.net/ fronts=ajax.aspnetcdn.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
```

Cecylia Bocovich

GetTor is replying with TB win32 binary by default
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/114
2023-01-11T15:54:13Z
Gus

When I email gettor@tpo with "windows" on the subject, the service is sharing automatically win32 binary:
```
This is an automated email response from GetTor.
You requested Tor Browser for win32.
Step 1: Download Tor Browser
First, try downloading Tor Browser from our mirrors:
```

meskio <meskio@torproject.org>

what percentage of settings bridges are blocked in china?
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/108
2024-03-05T18:14:47Z
meskio <meskio@torproject.org>

We want to know what percentage of bridges in the settings pool are blocked in china. We could test a subset of them manually from a vantage point.
But maybe we can work with logcollector to get this information constantly. We could test a different set of bridges on each run, we could even feed that information back into rdsys and don't distribute bridges being blocked after having tested them.

meskio <meskio@torproject.org>

Tor Browser 12.0 will only ship a single multi-locale bundle
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/109
2022-12-13T14:06:40Z
richard

There will only be 1 version of Tor Browser per platform rather than the current 36; all locales will be bundled in a single package. Get Tor should be updated appropriately.

meskio <meskio@torproject.org>
2022-12-16

meek-azure bridge (cymrubridge02) is offline since October 4
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/100
2022-11-15T18:41:38Z
Gus

Following the [survival guide](https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Survival-Guides/meek-Survival-Guide), we discovered that cymrubridge02 is offline and so meek-azure.
Although there is a deprecation plan for this PT, I still think it's very useful for users.

micah <micah@torproject.org>

Do obfs4 settings bridges work better in china and hong kong?
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/99
2022-11-28T13:25:47Z
meskio <meskio@torproject.org>

Right now in China in the circumvention map we recommend snowflake, which in user research has been behaving very slow there. And in Hong Kong we don't provide any configuration, so if tor fails to connect TB will try to use the builtin bridges.
Let's configure both countries to use obfs4 settings bridges. We'll wait 10 days after enabling them and see if there is an increase of users and/or complaints from them in the support channels.
cc: @gus @duncan

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
meskio <meskio@torproject.org>
2022-11-09

review signal gettor bot
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/89
2022-10-04T17:57:42Z
meskio <meskio@torproject.org>

https://gitlab.com/george/signal-gettor
https://gitlab.torproject.org/n0toose/signal-gettor

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
meskio <meskio@torproject.org>

migrate away from git.torproject.org
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/86
2023-07-03T17:31:20Z
meskio <meskio@torproject.org>

The plan is to deprecate git.tpo (https://gitlab.torproject.org/tpo/tpa/team/-/issues/40472). Let's migrate away from it.
Needed tasks:
* [ ] decide a commit signing workflow that works for us (https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/8)
* [x] migrate go packages to use gitlab.tpo instead of git.tpo as their module name.
  * [x] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure
  * [x] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/meek
  * [x] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake
* [x] move goptlib to gitlab.
* [x] make sure TB, guardian project and others use the new repos

meskio <meskio@torproject.org>
2024-03-31

is Wolpertinger being used?
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/85
2022-07-21T10:22:02Z
Gaba <gaba@torproject.org>

It seems that nobody is using Wolpertinger anymore. If nobody is using it we are going to
- [x] turn off the service and
- [x] archive the project.
Please add any concern or comment to this ticket if not.
https://gitlab.torproject.org/tpo/anti-censorship/wolpertinger

meskio <meskio@torproject.org>
2022-07-22

Creating a version of Tor Browser with patched Snowflake client that includes supported_groups censorship countermeasure
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/83
2022-10-04T17:51:03Z
shelikhoo

@dcf suggested that we could create a version of Tor Browser that includes Snowflake with [patch](https://github.com/pion/dtls/pull/474) applied to help users that could potentially be impacted by [this](https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030) type of censorship.
IRC Log:
```
[5:21:03 pm] <dcf1> Okay my discussion point is about DTLS fingerprinting in Russia
[5:21:23 pm] <+shelikhoo> yes
[5:21:35 pm] <+shelikhoo> right now, according to the vantage point we have
[5:21:57 pm] <+shelikhoo> snowflake is working in our vantage point in russia
[5:22:04 pm] <dcf1> The summary is that UDP packets matching the pattern `^\x16\xfe[\xfd\xff].{X}\x00\x1d\x00\x17\x00\x18` are getting blocked, where X is a small number of distinct offsets
[5:22:53 pm] <dcf1> My understanding is that snowflake only works in some configurations of pion/browser and client/server. Sorry, let me check my notes quick.
[5:24:05 pm] <dcf1> The concise way of saying it is: snowflake fails to connect if either side uses a Pion client.
[5:24:13 pm] <dcf1> Pion peer acts as TLS server -> ok
[5:24:19 pm] <dcf1> *DTLS
[5:24:25 pm] <dcf1> Browser peer acts as DTLS client -> ok
[5:24:37 pm] <dcf1> Pion peer acts as DTLS client -> not ok
[5:25:01 pm] <dcf1> Pion peer could be snowflake-client, or could be proxy-go.
[5:25:30 pm] <dcf1> The choice of whether a user's snowflake-client acts as a DTLS client or server may depend on their NAT
[5:25:41 pm] <dcf1> So the blocking rule may affect some NAT types more than others
[5:26:23 pm] <dcf1> Another way of stating the above rule is: snowflake only works if using a browser proxy (not a proxy-go proxy), and only if snowflake-client takes the DTLS server role in the connection
[5:27:11 pm] <dcf1> ValdikSS has a pull request with pion https://github.com/pion/dtls/pull/474 to change up the supported_groups extension that is part of the matching rule
[5:27:31 pm] <dcf1> I'm not so sure about this idea, because it may make the snowflake fingerprint even more distinctive
[5:27:58 pm] <+arma2> shelikhoo: sounds like we might want to split the vantage point test into several tests, where we try various types of snowflake proxies
[5:28:27 pm] <dcf1> One thought I had was to insert a padding or other no-op extension to adjust the offsets. that would create a new fingerprint too, but is probably less work to implement and more agile
[5:29:33 pm] <dcf1> There is perhaps no need for urgent action on this, but I am wondering if there is some class of users for whom snowflake is completely blocked. maybe, maybe not
[5:29:39 pm] <+shelikhoo> dcf1: yes, and we would need a world wide deployment of this for the snowflake proxy
[5:29:52 pm] <dcf1> shelikhoo: no, not necessarily.
[5:30:56 pm] <dcf1> If we patch snowflake-client, that takes care of one end of the connection. If the blocking rule was "Pion client", and it happened that all of a certain class of users were *always* clients, then altering the Pion fingerprint on the client side alone could be sufficient
[5:31:54 pm] <dcf1> One way forward would be to (temporarily) fork pion/dtls in the Tor Browser alpha. Then we could ask users to try the alpha release. Or even a one-off special build of the browser like we sometimes do.
[5:32:25 pm] <+shelikhoo> arma2: I think right now we don't have a way to specify whether a WebRTC peer is a client or server
[5:32:41 pm] <+shelikhoo> but I can look into this
[5:33:06 pm] <+shelikhoo> dcf1: Yes. we can try to create a version of snowflake-client with the patch applied
[5:33:08 pm] <dcf1> https://gitweb.torproject.org/builders/tor-browser-build.git/commit/?id=7ffd69a21b8a408a2be9cfdbe7401e1a7f974310
[5:33:12 pm] <+shelikhoo> and see how it works
[5:33:20 pm] <dcf1> ^ example of when we temporarily forked pion/dtls before
[5:34:55 pm] <dcf1> https://archive.org/details/@torproject
[5:35:02 pm] <dcf1> https://archive.org/details/snowflake-ru_snowflake_fix-20211208-ae7cc478fd34
[5:35:07 pm] <dcf1> https://archive.org/details/tor-browser-snowflake-ampcache-10.5.3
[5:35:17 pm] <dcf1> ^ examples of one-off Tor Browser builds made for testing
[5:36:37 pm] <dcf1> That is all from me on this topic, I just wanted to refresh awareness of it
[5:36:41 pm] <+shelikhoo> I will create a ticket for creating an specialized version of snowflake with this patch applied
[5:36:52 pm] <+shelikhoo> is there such a ticket already?
[5:37:23 pm] <dcf1> not that I'm aware, there is only https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030 for the general observation of blocking
[5:37:24 pm] [+zwiebelbot] tor:tpo/anti-censorship/censorship-analysis#40030: IRC Tip about Signature used to block Snowflake in Russia, 2022-May-16 - https://bugs.torproject.org/tpo/anti-censorship/censorship-analysis/40030
[5:38:30 pm] <+shelikhoo> No, I think I can create one. It should give this issue more visibility
```

is moat distributing bridges marked as blocked in russia?
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/80
2024-03-07T18:10:20Z
meskio <meskio@torproject.org>

Someone has reported that moat/bridgedb is distributing bridges marked as blocked in russia (e.g. https://metrics.torproject.org/rs.html#details/1807BF9A521468998385F179DDBF928D2482A62C).

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
meskio <meskio@torproject.org>

Help operators to test their bridges in China
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/79
2023-10-11T12:18:22Z
Gus

I saw some engagement with the new metrics "blocklist" info. I think having that info displayed for other countries like China would be good for the bridge operator community, as many of them don't know that their bridges are blocked.
As this would require some integration in rdsys/metrics/probetest and more work for the AC team, we could start small. @meskio and @shelikhoo suggested writing a short howto to be published in the Support portal to help operators to test manually their bridge if it's blocked in China.

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
shelikhoo

Write and submit a defcon 2022 talk: censorship, russia, snowflake, bridge distribution, etc
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/73
2022-06-22T18:52:29Z
Roger Dingledine

We have two general directions we might take this talk submission:
My original idea had been to focus on network health and bad relays: in particular, what it means to be a good relay, patterns of bad relays, attacks we've seen in the past and how we handled them and what we need to change to handle them better -- generally, how that arms race can go, so we have clearer public discussion of the topics, and a video that can get everybody up to speed over the next few years.
Isa and the comms team are lobbying for a different topic though, which is a follow-up to the 2019 censorship talk, focusing on what's going on with Russia / Ukraine, the previous data points from Kazakhstan, the huge ramp-up in bridges and snowflakes and snowflake users, alternate bridge distribution approaches like via telegram, what is working well and what needs more work, and generally how the Tor geek audience can help.
I have to say that second one has some strong arguments in favor: the two biggest arguments are (a) it is a *timely* topic, i.e. now really is much better than later, and (b) I am already gathering a lot of this info, and organizing it into presentations, for the s28 talks, so pulling it together the rest of the way isn't so big a lift.
Cc'ing @gk and @meskio and @shelikhoo so they can know this is a topic (and that we are deciding between topics).

Roger Dingledine

Prepare for s28 PI meeting: May 10 2022
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/62
2022-09-01T23:42:21Z
Cecylia Bocovich

We've got to make slides, wrap up any ongoing work that we want to report, and coordinate with the rest of our group about what our story/goals are.
We should gather the information we need some days before May 11 (say, by May 5 latest), so there is enough time to organize it into a coherent presentation and enough time to notice missing things (e.g. graphs and diagrams) and collect them too.

Sponsor 28: ONLY PHASE 3 Reliable Anonymous Communication Evading Censors and Repressors (RACECAR)
2022-05-11

Bump the version of snowflake used in the plugin
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/31
2022-11-07T17:23:58Z
Cecylia Bocovich

We're using an old version of Snowflake for this event. We should probably bump it and make sure it works for the test event.

itchyonion

Implement conjure as a pluggable transport
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/9
2021-09-02T14:28:37Z
Gaba <gaba@torproject.org>

Get [the refraction networking client](https://github.com/refraction-networking/gotapdance)'s code into a pluggable transport for Tor.
- [ ] get familiar with the Go code https://github.com/refraction-networking/gotapdance
- [x] create conjure repo in https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports for this new PT
  - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure
Any new issue to convert it into a PT will live in the new repository:
- Decide how we're going to do signaling -- maybe by reusing our Fastly domain fronting thing, if we don't like the signaling component Conjure uses now.
- Integrate into Tor Browser (including reproducible build)
- Verify that obfs4+conjure actually works
- Deploy bridge somewhere to receive traffic from already setup infrastructure
- Make sure we can still get our extorport-style metrics: if the conjure infra de-obfs4's the traffic, do we lose the features of the extorport, like passing along the country of the original user? If yes fix it somehow.

Sponsor 30 - Objective 2.3
Cecylia Bocovich

Task 1.1 Get some manual vantage points in key regions
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/2
2021-03-09T16:55:14Z
Gaba <gaba@torproject.org>

Get some manual vantage points in key regions, and automate scans of vanilla Tor, default Tor Browser bridges, vanilla and obfs4 bridges (both from bridgedb and unpublished), and meek.

Sponsor 28: Reliable Anonymous Communication Evading Censors and Repressors (RACECAR)