Update Project 146 authored by Gaba
......@@ -97,4 +97,64 @@ We will monitor and evaluate the impact of new censorship or filtering events. M
The culminating activity in this Objective involves reactive software patching and tweaking that is
made possible by our ability to detect changes in censorship, the information we’ve gathered about how blocking and filtering is taking place, and our work with in-country users to test solutions in real-life circumstances and networks.
This activity does not include developing brand-new tools, implementing new protocols, or implementing new pluggable transports. Instead, the development work included here centers a rapid patching, testing, validation, and release cycle in order to get around blocking and detection as it happens. This work is in coordination with the testing and feedback cycle made possible in O2.3.
\ No newline at end of file
This activity does not include developing brand-new tools, implementing new protocols, or implementing new pluggable transports. Instead, the development work included here centers a rapid patching, testing, validation, and release cycle in order to get around blocking and detection as it happens. This work is in coordination with the testing and feedback cycle made possible in O2.3.
## Objective 3: Pluggable transports and bridges are reliable, resilient, diverse, and scalable
Pluggable transports are tools that disguise internet activity as another kind of traffic, making it difficult to detect and block. Given the severity and style of the censorship employed by ISPs in Iran, pluggable transports are critical for Iranians to connect to the Tor network, and therefore the open internet. To achieve this Objective, we must improve the strength and scalability of existing pluggable transports like Snowflake. Additionally, we must advance the ability of Tor tools to use other pluggable transports and invest in the deployment of new, research-based mechanisms to advance in the censorship arms race.
**O3.1, Improve Snowflake’s defenses and infrastructure:**
Use of the Snowflake pluggable transport has exploded over the last year, with much of the use driven by censorship in Russia in early 2022 and then in Iran in September 2022.11 During this time we’ve made many upgrades to its infrastructure in order to meet demand, but there is more to improve. In this activity, we will first research, develop, and implement defenses for enumeration attacks against Snowflake.
These defenses are necessary to protect against a censor trying to grab the IP addresses of all Snowflake proxies and blocking them, thus crippling the system's effectiveness for circumvention.
**O3.2 Implement staging servers and CI infrastructure for Snowflake:**
Additionally, we will increase Snowflake’s sustainability by setting up staging servers and CI infrastructure, which will make it easier to address bugs, develop features, and react quickly to censorship against
Snowflake going forward.
**O3.3 Improve standalone Snowflake packages so that they are easier to install with less
technical expertise:**
The pluggable transport Snowflake relies on creating a “flurry” of proxies that help to mask user traffic. Snowflake proxies are almost exclusively operated by volunteers, mostly through an extension that can be installed on a volunteer’s Firefox, Chrome, or Edge browser client. Having a large pool of ephemeral proxies makes it difficult for censors to find all of these proxies and block them en masse. Snowflake has been an incredibly effective and resilient mechanism in keeping Iranians connected to the open internet since September 2022. In
order to ensure that Snowflake can scale to handle more and more users over time, we need to increase the pool of proxies from diverse sources.
In this activity, we will improve standalone Snowflake packages so that they are easier to install with less technical expertise. Standalone Snowflake proxies—as opposed to Snowflake proxies run through a browser extension—can be installed on servers, and offer a higher bandwidth and greater reliability for users behind restrictive NATs and firewalls. Right now, standalone Snowflake proxies can only be installed with the command line. We will make these packages available for easy download and install for specific operating systems (e.g., Debian).
O3.4 Advocate for third-party projects to add the ability to run Snowflake proxies into their products: Right now, the Tor Project develops browser extensions for Firefox, Chrome, and Edge, as well as the standalone Snowflake proxy tool. Guardian Project allows Orbot users to become a Snowflake proxy. Third-party tools like the browser Brave and I2P offer built-in ways for their users to become Snowflake proxies. Other tools like Mozilla and Mullvad Browser are examples of projects with whom we have established collaborative relationships and we see clear alignment and possibility of successfully advocating for the addition of this feature. In this activity, we will advocate and work with more third-party projects to add this functionality to their tools.
Building relationships and demonstrating the real-world value of Snowflake proxies will be key to successful advocacy and adoption. We will tailor our approach to each third party, and be persistent and adaptable throughout the process. Below, we have outlined our approach for advocating with third-parties.
- Identify key third-parties to engage and outline existing connections
- Conduct research to identify potential third-party projects that align with the goals of incorporating Snowflake proxies. Consider factors such as user base, values, and technical compatibility. Identify individuals who are part of those projects who can champion the Snowflake proxy integration.
- Create and send documentation that outlines the challenges, impact, and value of adopting this tool
- We will clearly articulate the challenges faced by users in restrictive environments and the positive impact of Snowflake proxies
- Iterate on idea asynchronously to address technical questions
- We will establish ongoing, asynchronous communication channels to provide continuous communication to address questions and concerns as they arise.
- We will be flexible and refine the integration process as we go along, according to their requirements. Maintaining adaptability to changes in the third party's development schedule is important for accommodating unforeseen circumstances.
- Additionally, encouraging open feedback will allow us to iterate on our presentation based on input.
- Amplify any third-party comms
- When third-parties announce Snowflake integration, we will support that effort by amplifying these announcements on our channels
In the next three activities, we will maintain and enhance the pluggable transport and circumvention API support for Tor-enabled mobile apps with a focus on improving accessibility, effectiveness, and performance of these tools for users in Iran.
**O3.5 Maintain and update the IPtProxy Library:**
The IPtProxy library is a key component of the pluggable transport system for mobile apps that provides integrated access to leading solutions such as obfs4, meek, and Snowflake. This involves ensuring that the IPtProxy library is up-to-date, secure, and reliable. This work is crucial to ensure that pluggable transports remain functional and effective in circumventing censorship and other forms of online restrictions.
- The specific efforts required to maintain and update the IPtProxy include:
- Monitor upstream pluggable transport libraries for new releases, bug fixes and feature improvements, and integrate these releases into the IPtProxy library
- Update IPtProxy releases to stay compatible and updated with Android and iOS releases and features
- Update the IPtProxy cross platform mobile API to support any changes in function calls and arguments to support the new releases of the included PTs
- Test and monitor memory use, include both storage and runtime, to understand the performance impact on different devices and OSes to assist with integration
- Test IPtProxy release against current default bridges, brokers and circumvention configuration infrastructure provided by Tor Project
- Work with app developers who are dependent upon IPtProxy in their apps to stay updated to the latest releases and configuration options
**O3.6 Integrate new emerging pluggable transports into IPtProxy and Tor-enabled mobile apps:**
This activity includes integrating potential ports of WebTunnel (HTTPT), Conjure, and other anti-censorship technology transports into IPtProxy and Tor mobile apps. These emerging transports have shown promising results in bypassing censorship and improving circumvention capabilities, and integrating them into the mobile apps will enhance the overall effectiveness of mobile anti-censorship capabilities.
**O3.7 Deploy new mobile-focused infrastructure for Tor bridges and pluggable transports:**
Building on work currently under development to support users in China, we will deploy a new type of bridge distribution service built on a difficult-to-block commercial cloud platform. This will be used to distribute additional obfuscating proxy v4 (obfs4) bridges for mobile users in Iran. Next to Snowflake, obfs4 is the second most used pluggable transport by Iranian users.
\ No newline at end of file
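Review bot: The O3.4 heading is run into its paragraph as plain text ("O3.4 Advocate for third-party projects to add the ability to run Snowflake proxies into their products: Right now, ..."), while O3.1 to O3.3 and O3.5 to O3.7 are each a bold `**...:**` line of their own; put it on its own bold line so the activity is findable when skimming. Also in this hunk: "September 2022.11" in O3.1 looks like a footnote marker fused into the sentence, and no footnote 11 is added here, so either drop the number or add the reference. The O3.3 heading is split across two lines inside the `**` pair ("...easier to install with less" / "technical expertise:**"), which may not render as bold and should be joined. Under O3.5, "- The specific efforts required to maintain and update the IPtProxy include:" is a list item although it is the lead-in to the list that follows; make it a plain sentence. O3.1 is the only heading with a comma after the number ("O3.1, Improve"), so pick one form for all seven. The file still ends without a trailing newline.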