trac issues
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues
2021-06-10T14:27:10Z

Audit all of our Go code that uses `crypto/aes`.
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/22197
2021-06-10T14:27:10Z
Yawning Angel

The implementation is not constant time (and neither is the GHASH provided by `crypto/cipher`) without AES-NI/PCLMULQDQ or equivalent. I do not believe that we use either in a situation where it matters, but we should double check to confirm this. This affects any uses of the raw primitive, when wrapped in the various block cipher modes, and when used via TLS.
Known uses:
* obfs2
* obfs3
* scramblesuit
* meek without a helper

Automatically test the PTs of bridges
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/31874
2023-05-10T17:46:44Z
Philipp Winter (phw@torproject.org)

When a new bridge is set up, our directory authority is testing its OR port and assigns it the `Running` flag if the OR port is reachable. Nothing however is testing a bridge's PT port(s). This resulted in several bridges having an unreachable obfs4 port, e.g., because the operator failed to whitelist the obfs4 port in their firewall. Let's fix this by testing a bridge's pluggable transport and alerting the operator if the PT is unreachable.
Obfs4proxy has client implementations for most of our currently-deployed PTs, so we could start by writing some glue code that takes as input a bridge line and makes obfs4proxy (and tor) connect to the given bridge.
Another question is where we should do the testing from. Our bridge authority and BridgeDB are the obvious candidates. Our bridge authority currently tests bridges' OR ports but we may not want it to also test PTs.
Finally, how should we let bridge operators know if their PTs are unreachable? We may want to send them an email (if they have contact information in their descriptor), and/or make their tor log a warning.

Sponsor 30 - Objective 2.3
Philipp Winter (phw@torproject.org)

Can't connect with TBB to my private bridge using OBFS3/4, if I use NOPROTOCOL it connects. The Bridge says it is properly set.
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/23095
2020-06-27T13:44:27Z
Trac

I think the problem is in my private bridge, it's just unfindable to me.
I doubt my TBB is the cause since this problem also appears using whonix.
========================================================================
I have set a Private Bridge on one of my servers. When I try to use it with the TBB (Tor Browser Bundle) of one of my laptops it does connect only if I specify no protocol. If I use obfs3 or obfs4 I get errors, and I have already checked it is correctly set (the obfs4 plugin) in my server.
Weird thing is that if I connect with no protocol, and then once it is connected I change the bridge line and insert obfs3 or obfs4 and keep browsing, then it switches to using the protocol without errors, but if I restart the browser then I get the error. Basically it only fails at starting the connection when I use the obfs3/obfs4 protocols in my private bridge line.
HERE ARE THE OUTPUTs of errors and configs.
1- OUTPUT when I specify no protocol (and it connects successfully and I can normally browse the web with my TBB):
```
08/03/2017 16:54:51.400 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
08/03/2017 16:54:52.100 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
08/03/2017 16:54:53.000 [NOTICE] new bridge descriptor 'Unnamed' (fresh): $HERE-IS-MY-SERVER-FINGERPRINT~Unnamed at HERE-IS-MY-SERVER-IP-ADDRESS
08/03/2017 16:54:54.200 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
08/03/2017 16:54:54.200 [NOTICE] Bootstrapped 100%: Done
08/03/2017 16:54:55.200 [NOTICE] New control connection opened from 127.0.0.1.
08/03/2017 16:54:55.200 [NOTICE] New control connection opened from 127.0.0.1.
```
2-OUTPUT when I specify protocol obfs3 ( and I restart the browser to make the first connection USING the protocol obfs3):
```
08/03/2017 13:03:45.200 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
08/03/2017 13:03:45.700 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
08/03/2017 13:03:46.200 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure")
08/03/2017 13:03:47.100 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure")
08/03/2017 13:03:47.700 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.
08/03/2017 13:03:47.900 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
08/03/2017 13:03:47.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
08/03/2017 13:03:47.900 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
08/03/2017 13:03:48.700 [NOTICE] Delaying directory fetches: DisableNetwork is set.
```
3-OUTPUT when I specify protocol obfs4 ( and I restart the browser to make the first connection USING the protocol obfs4):
```
08/03/2017 12:56:29.300 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
08/03/2017 12:56:29.600 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
08/03/2017 12:56:29.600 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure")
08/03/2017 12:56:30.600 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure")
08/03/2017 12:56:31.600 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.
08/03/2017 12:56:32.600 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.
08/03/2017 12:56:33.400 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
08/03/2017 12:56:33.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
08/03/2017 12:56:33.400 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
08/03/2017 12:56:33.600 [NOTICE] Delaying directory fetches: DisableNetwork is set.
```
4-OUTPUT of my torrc file in my private bridge (my server):
```
SocksPort 0
ORPort 27654
BridgeRelay 1
PublishServerDescriptor 0
Exitpolicy reject *:*
# Use obfs4proxy to provide the obfs4 protocol.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
```
5-OUTPUT of my /var/log/syslog so you can see that my private bridge server successfully opens circuit and that it SUCCESSFULLY USES the OBFS4 PLUGIN. -if you want to see /var/log/tor/log well it does not exist in my server, instead the /var/log/tor/log gets printed at syslog.:
```
Aug 3 12:27:53 server1 tor[1607]: Configuration was valid
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.488 [notice] Tor 0.3.0.9 (git-100816d92ab5664d) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g and Zlib 1.2.8.
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.488 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.488 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.489 [notice] Read configuration file "/etc/tor/torrc".
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.494 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or somet$
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.494 [notice] Based on detected system memory, MaxMemInQueues is set to 768 MB. You can override this by setting MaxMemInQueues by hand.
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.495 [notice] I think we have 64 CPUS, but only 1 of them are available. Telling Tor to only use 1. You can override this with the NumCPUs option
Aug 3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.496 [notice] Opening OR listener on 0.0.0.0:27654
Aug 3 12:27:53 server1 Tor[1610]: Can't get entropy from getrandom().
Aug 3 12:27:53 server1 Tor[1610]: Tor 0.3.0.9 (git-100816d92ab5664d) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g and Zlib 1.2.8.
Aug 3 12:27:53 server1 Tor[1610]: Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 3 12:27:53 server1 Tor[1610]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Aug 3 12:27:53 server1 Tor[1610]: Read configuration file "/etc/tor/torrc".
Aug 3 12:27:53 server1 Tor[1610]: Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Aug 3 12:27:53 server1 Tor[1610]: Based on detected system memory, MaxMemInQueues is set to 768 MB. You can override this by setting MaxMemInQueues by hand.
Aug 3 12:27:53 server1 Tor[1610]: I think we have 64 CPUS, but only 1 of them are available. Telling Tor to only use 1. You can override this with the NumCPUs option
Aug 3 12:27:53 server1 Tor[1610]: Opening OR listener on 0.0.0.0:27654
Aug 3 12:27:53 server1 Tor[1610]: We use pluggable transports but the Extended ORPort is disabled. Tor and your pluggable transports proxy communicate with each other via the Extended ORPort so it$
Aug 3 12:27:53 server1 Tor[1610]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Aug 3 12:27:53 server1 Tor[1610]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Aug 3 12:27:53 server1 Tor[1610]: Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Aug 3 12:27:54 server1 Tor[1610]: Your Tor server's identity key fingerprint is 'Unnamed HERE-IS-MY-SERVER-FINGERPRINT'
Aug 3 12:27:54 server1 Tor[1610]: Your Tor bridge's hashed identity key fingerprint is 'Unnamed HERE-IS-MY-SERVER-bridgedhashed-FINGERPRINT'
Aug 3 12:27:54 server1 Tor[1610]: Bootstrapped 0%: Starting
Aug 3 12:27:56 server1 Tor[1610]: Starting with guard context "default"
Aug 3 12:27:56 server1 Tor[1610]: Bootstrapped 80%: Connecting to the Tor network
Aug 3 12:27:56 server1 systemd[1]: Started Anonymizing overlay network for TCP.
Aug 3 12:27:56 server1 Tor[1610]: Signaled readiness to systemd
Aug 3 12:27:56 server1 Tor[1610]: Opening Control listener on /var/run/tor/control
Aug 3 12:27:56 server1 Tor[1610]: Bootstrapped 85%: Finishing handshake with first hop
Aug 3 12:27:57 server1 Tor[1610]: Bootstrapped 90%: Establishing a Tor circuit
Aug 3 12:27:57 server1 Tor[1610]: Registered server transport 'obfs4' at '[::]:39979'
Aug 3 12:27:58 server1 Tor[1610]: Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 3 12:27:58 server1 Tor[1610]: Bootstrapped 100%: Done
Aug 3 12:27:58 server1 Tor[1610]: Now checking whether ORPort HERE-IS-MY-SERVER-IP-ADDRESS:27654 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug 3 12:27:58 server1 Tor[1610]: Self-testing indicates your ORPort is reachable from the outside. Excellent.
Aug 3 12:28:03 server1 Tor[1610]: Performing bandwidth self-test...done.
```
OUTPUT of my tor version in my private bridge server:
```
tor:
Installed: 0.3.0.9-1~xenial+1
```
My private bridge server OS is Ubuntu 16.04 Xenial.
Sorry I didn't know how to put the code in the boxes since "[code]" doesn't work..
When I connect from my TBB to my private bridge I used the normal syntax:
<protocol(if any)> <myPrivateBridgeAddress>:<port,in my case is 27654> <fingerprint of the bridge>
Please help me, I have even changed OS from debian to ubuntu thinking this would solve the problem. As a matter of fact now I have the same problem as before...
**Trac**:
**Username**: help-OBFS4-BRIDGE

Discord sent me an email listing my real ip as login location
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/34041
2021-07-09T14:29:16Z
Trac

I logged in to discord using tor and then got an email from discord saying someone had logged in to discord and giving my REAL IP address.
**Trac**:
**Username**: Camillia124

Investigate alternative method to share bridges and Tor Browser bundles based on social network protocols
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/32781
2021-07-09T14:20:08Z
Hiro

Tor is currently using bridgedb to distribute bridges to censored users.
Bridgedb uses email distribution which is not very effective when facing a highly efficient censor like the GFW.
Some papers [1] have suggested methods based on social networks. These work under the assumption that we can only limit the censor's ability to block servers.
Similarly gettor is using various storage services to provide alternative links to download the Tor Browser bundle when the torproject.org website is blocked.
I suggest decentralization protocols like retroshare [2] could be an alternative solution to share bridges and tor browser bundles to trusted parties. Furthermore retroshare supports already a variety of services [3] that could be used to communicate with users that need help circumventing censorship.
[1] https://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0026/popets-2016-0026.pdf
[2] https://retroshare.cc/
[3] https://retroshare.readthedocs.io/en/latest/#features

Javascript "ON" warnings given on .onion sites!!!
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/28172
2021-06-11T15:49:32Z
Trac

(TOR BROWSER FOR ANDROID)
I've been warned to turn off javascript while visiting some .ONION sites. How can one turn off javascript when given no access to any control switch? Manual control of java is necessary on some sites.
**Trac**:
**Username**: not_you-its_me@protonmail.ch

Make obfs4 Docker image more usable
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/31834
2020-07-13T21:40:47Z
Philipp Winter (phw@torproject.org)

Here is some feedback we got from an operator (see [this blog post](https://www.securimancy.com/dockerizing-tor-bridge/) for the full story):
* ~~Make it easier to get the bridge's fingerprint and/or bridge line. At the moment, users have to spawn a shell in the container, which is tedious.~~
* ~~Maybe provide a docker-compose file.~~
* ~~Improve our [official setup instructions](https://community.torproject.org/relay/setup/bridge/docker/). [These instructions](https://dip.torproject.org/torproject/anti-censorship/docker-obfs4-bridge) were more helpful to an operator.~~
* ~~Add a note that operators can run `docker logs <container>` to check if it's up and running.~~
* ~~Mention concerns regarding permanence: Ideally, a container should run as long as possible.~~
* ~~Allow running a bridge on a port <1024 (as per mrphs's request in comment:2).~~

Sponsor 30 - Objective 2.4
Philipp Winter (phw@torproject.org)

O1.1 - Add support in OONI Probe for testing circumvention tools.
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/31267
2020-07-10T16:00:21Z
Gaba (gaba@torproject.org)

This ticket will be used to track OONI's work on this objective.
* A1 - Integrate Tor into Measurement Kit.
* A2 - Integrate TCP connect based bridge reachability testing into Measurement Kit.
* A3 - Integrate obfs4proxy based bridge testing into Measurement Kit.
* A4 - Integrate Psiphon testing into Measurement Kit.
* A5 - Add backend support for provisioning circumvention tool test configurations to probes.

Sponsor 30 - Objective 1

Please check out does the snowflake work?
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/25636
2020-06-27T13:44:27Z
cypherpunks

I can not connect to snowflakes. Connection stops at the first stage.

Protect Against Blocking and Spying in Iran
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/32004
2021-07-09T14:32:09Z
Trac

Hi
I saw a number of times Tor blocked in Iran, even bridges like meek and obfs4, also the direct mode blocking too; even after using a bridge they can spy on users.
I tested in OONIPROBE and saw blocking.
**Trac**:
**Username**: Anonymous75

Snowflake Broker Returns 504 Error When Using Go Proxy Server
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/31259
2020-06-27T13:44:26Z
cypherpunks

Title. Here's the output log:
2019/07/29 01:42:33 starting
INFO: configuration.go:174: Created Configuration at &{[{[stun:stun.l.google.com:19302] }] All Balanced }
2019/07/29 01:42:44 broker returns: 504
2019/07/29 01:42:54 broker returns: 504
2019/07/29 01:43:05 broker returns: 504
This continues and the server does not run.

Tor does not work with meek-azure or snowflake bridges
https://gitlab.torproject.org/tpo/anti-censorship/trac/-/issues/33706
2020-06-27T13:44:23Z
Trac

Tor does not work with meek-azure or snowflake bridges.
Even after 5mins nothing.
It will not connect to tor with these 2 types of bridges.
TorBrowser 9.5a8
**Trac**:
**Username**: z1z