16:00:17 #startmeeting anti-censorship team meeting 16:00:17 Meeting started Thu May 14 16:00:17 2020 UTC. The chair is phw. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:17 Useful Commands: #action #agreed #help #info #idea #link #topic. 16:00:26 here's our meeting pad for today: https://pad.riseup.net/p/tor-anti-censorship-keep 16:00:39 o/ 16:01:11 hi 16:01:13 hi 16:01:27 yo 16:01:28 ///////hi 16:01:33 ha :) 16:01:34 brief announcement: i set up a monit instance on my personal vps, which is now monitoring our anti-censorship services and machines. all alerts go to anti-censorship-alerts@lists.tp.o 16:01:52 the configuration is here: https://gitlab.torproject.org/torproject/anti-censorship/monit-configuration 16:02:01 thanks phw! great 16:02:01 let me know if you want anything monitored! 16:02:10 https://lists.torproject.org/pipermail/anti-censorship-alerts/2020-May/thread.html 16:02:17 for those wondering what the traffic looks like 16:02:26 Machines as in like bridge servers? 16:03:04 juggy: for now, default bridges, services (bridgedb, gettor, snowflake) 16:03:35 nice 16:04:25 * antonela barking at deamons, love it 16:04:40 lol 16:04:50 next announcements: our colleagues from the iclab censorship measurement platform sent me a batch of measurements of our default bridges 16:05:09 we should spend some time mining the data for insights as part of #29277 16:05:41 i spent an hour or so digging into it and can offer a python parser with some preliminary analysis if anyone's interested in working on this 16:06:17 my only insight is: there's really not much data left once you remove the data you cannot trust 16:06:50 fwiw, the data is a simple csv file. it's easy to work with 16:07:40 is the data public somewhere? is the plan to make it public? and, can you expand on 'cannot trust'? 16:07:41 let's move on to our discussion section 16:08:38 arma2: it isn't yet but it probably can be. i need to ask its author if it's ok to publish it. 16:09:13 one example: the data has many measurements of a machine that no longer was a default bridge when they started their experiment 16:09:27 ah ha 16:09:53 then there seem to be plenty of transient issues, like "no route to host" 16:10:18 and potential issues in the way they ran their experiments...? i see some "invalid argument" measurements 16:10:58 I have some old iclab-related code at https://archive.org/details/proxy-probe-data, in the iclab/ directory for prox-probe.git. This was also used with default bridges. 16:11:03 once you remove all of these, you end up with a rather small set of measurements that didn't exhibit any interesting patterns at first glance; but like i said, i haven't spent enough time on it yet 16:11:17 huh. ok. so it is "woah what's going on", not "that client is a not worthy of trust" 16:11:36 ok. thanks. 16:12:00 well, both. as i understand it, these measurements were done on vps systems all around the world. some of these lie about their location and are indeed not worthy of trust 16:12:16 ...which is obviously not iclab's fault 16:12:45 either way, more work needs to happen 16:13:30 let's move on. next up is arma2's bridgedb/gettor email: https://lists.torproject.org/pipermail/anti-censorship-team/2020-May/000097.html 16:13:45 right. cecylia was talking about a gettor rewrite, and i realized that gettor and bridgedb overlap a lot 16:14:09 see also cecylia's response email. it sounds like she and phw should chat. i don't have more on that topic. unless somebody else does. :) 16:14:28 tl;dr is i'm in favour of this idea 16:14:55 but i'm concerned about pushing more stuff into bridgedb without being able to spend time on code quality 16:15:56 cohosh: my thoughts exactly. the reason i've been implementing new functionality as external services is that it's really darn hard to extend bridgedb and test it properly 16:17:17 i think the way forward is to have reliable and lightweight tools talk to each other. they should have one purpose and one purpose only 16:17:18 modularity is good, i think we want to aim for that 16:17:28 if we can do that while also sharing code that both services need that would be ideal 16:18:18 like if we can handle the first step of email processing, and string translations through the same code base that would remove a bunch of duplicate work we've been doing 16:18:38 all of these are reasonable things to work on but given our small capacity, we have to choose very carefully what we actually do :/ 16:18:46 yup 16:19:33 i'm definitely not trying to create new work. i also am hoping that some smarter work might benefit both tools, and simplify the future 16:19:44 * phw needs to actually read the email and cohosh's response, and will stop rambling now 16:20:19 this *will* create new work. that new work might also be needed tbh 16:20:47 our code bases have a reputation for getting monolithic and spaghetti-ized(?) 16:21:28 part of the problem is that maintainers change every so often. it's very difficult to make deep architectural changes in code you don't fully understand :/ 16:21:34 at least that's my experience with bridgedb 16:21:39 same with gettor 16:23:25 idk how to move forward with this right now, maybe we need to let it marinate a bit? 16:23:37 we need to let phw read the emails, for starters :) 16:24:03 yes, agreed. i suggest we continue (and later revisit) this discussion on the email thread -- unless anyone has more thoughts? 16:24:54 next uuuup is "run a call for testing snowflake" 16:25:02 yes! 16:25:06 so during the tb release meeting we briefly talked about the need for snowflake testing in tb 16:25:20 i want to run this call for testing and i wonder which feedback from users is relevant/useful for us to collect at this point 16:25:31 this will be qualitative feedback, maybe breakage or "this website doesn't work" or "this is slow" 16:26:07 i added some questions in the pad, specially if we consider sharing some tasks with users to run and wait for feedback 16:26:17 the goal for this is to ramp up snowflake usage and test out our new features 16:26:28 dcf1 made a good comment on #34043 16:26:42 about how we don't know if snowflake will handle a stable release amount of users 16:27:02 right now we have an average of 10-ish 16:27:19 so basically, bringing users to snowflake is enough (no tasks but recurrent users) 16:27:32 many of those users are just us testing things 16:27:38 i bet yes 16:27:56 During the development of turbotunnel I posted a few invitations for testing, but sadly did not get much response other than from anti-censorship developers. 16:27:59 https://lists.torproject.org/pipermail/tor-talk/2020-February/045499.html 16:28:02 https://lists.torproject.org/pipermail/tor-talk/2020-March/045544.html 16:28:04 https://lists.torproject.org/pipermail/tor-talk/2020-April/045563.html 16:28:09 i know dcf1 16:28:11 antonela: yeah but i think it's also useful to come up with specific questions like you mentioned 16:28:26 i can draft something next week and we can review together 16:28:56 that sounds great :) 16:28:58 we can reuse some dcf1 wording as well 16:29:18 my two user-perspective feedback points would be "sometimes it's slow" [when it has a bad snowflake] and "sometimes it doesn't work" [when it has a snowflake it is can't use or is down]. those are pretty rare for me these days, but if i were on a crappy train wifi connection i imagine i'd be saying different sentences. :) 16:29:41 do we want to wait to get ux testing until after we solve more of #19001? 16:29:58 or does that not matter? 16:29:59 in theory there shouldn't be any "this website doesn't work" except maybe from latency / throughput issues 16:30:11 like do we basically have one shot at getting feedback before we go to stable? 16:30:31 if we want to reach stable in 9.5 we dont have too much time 16:30:37 if we want to reach stable in 10, then we do 16:30:38 we don't, we're aiming for 10 16:30:47 we can have more than one so 16:31:33 do you have an idea of how many users we can get out of this testing? 16:31:40 i like that we are thinking about this for TB10 because by then we should be have been working on making bridge selection smarter and that is connected with those use cases 16:31:45 cohosh: dozens? 16:31:50 dcf1 / cohosh: re "will our snowflakes handle a lot of users", this is a great question. are there monitoring things we can/should put into place to help us learn how it's going / whether we're getting into the bad world? 16:32:12 hmm okay maybe we can brainstorm other ways of pushing our usage to the 100s? 16:32:31 yes, we can 16:32:45 cohosh: I think that having it in a regular alpha release can give us >100 users 16:32:54 but not in alpha 16:32:55 right 16:33:17 dcf1: it's already in regular alpha though? or do you mean in regular alpha with the tt improvements will get more usage? 16:33:38 I mean in alpha with turbotunnel 16:33:39 i definitely would want people to test the snowflake+turbotunnel that i've been using 16:33:42 dcf1: seems like we at least need to advertise that it's better right? 16:33:46 the one from dcf's packages 16:34:05 maybe yes maybe no, surely some people try it now but then give up on it because it doesn't work 16:34:06 and i agree, making that be the thing you get by default in tor browser alpha would be a good step forward 16:34:17 new people trying it for the first time when it does work, may keep on using it 16:34:31 yeah good point 16:35:27 and then we have the orthogonal thing of working with antonela to get specific UX feedback :) 16:35:53 cool, i'm excited 16:36:05 arma2: that's a good point about monitoring 16:36:28 i'd like to make sure we're checking in on our metrics of "how many clients ask for a proxy but don't get one because we ran out" 16:36:29 snowflake+turbotunnel will be in the new TB alpha, that's #34043 16:36:43 fwiw, we also know several individuals in places like iran. they could give us quality feedback beyond "it (doesn't) work" 16:36:46 cohosh: seems like if the broker has run out of snowflakes and is responding with "oops none", something should notice and tell us. and/or record how much of the time it's being happy. 16:37:10 yeah 16:37:34 there are some nobs we can adjust to deal with more load 16:37:34 phw: yes, we can ping partner orgs directly 16:37:41 If we need a short-term increase in proxy capacity we can under #32129 and allow proxies to poll more frequently. 16:37:43 cohosh: and then somebody should make a list of all the obvious ways it could fail "because scale", and we should think about whether we can watch each of them 16:38:02 dcf1: yup! that or let browser proxies take 2 clients 16:38:06 Yes, I tried it and give up:( 16:38:52 *undo #32129 16:38:54 tomcat: if you're willing to try snowflake again, dcf1's work has made it much more usable :) 16:39:35 cohosh: speaking of UX in particular, my earlier debugging made me file #33746 ("Show users a bandwidth graph or activity spinner during slow loads") 16:40:16 (not a short term thing though) 16:40:23 oki, so to wrap up, let's do this call after tb9.5 stable release? by then alpha series will have snowflake+tt and we can plan to ping orgas directly + lists call 16:41:14 sounds good to me 16:41:35 awesome, i'll follow this up 16:41:40 thanks antonela 16:41:45 next item is gaba's but is also mine 16:41:48 S30 UX work 16:42:06 antonela: it is mostly for you to talk about your work here 16:42:26 i've been listening tunde's interviews, he said hi today in otf-talk :), i'm almost finishing with them and drafting some ideas for personas 16:42:46 my plan is finish that part this month so i should back here soonish with those drafts 16:42:59 so mostly working on Tor personas related to scenarios of censorship 16:43:06 yes 16:43:14 nice 16:43:21 and discuss together if those escenarios are a good scope for this sponsor work 16:43:35 (for framing this sponsor work) 16:44:22 also for s30 16:44:28 i wonder how ooni data is flowing here, is that working? ooni tor probes are arriving? is that data usable for making bridges selection smarter? not yet? will be in the future? 16:44:51 antonela: we're working on this right now 16:45:03 in fact, arturo mentioned he will be looking into our api today 16:45:10 oh nice 16:45:35 so you are talking and working on making it work 16:45:37 awesome :) 16:45:53 yes, a software tool that sits alongside bridgedb will provide ooni probes with bridges to test 16:46:09 we then periodically fetch ooni's test data to teach bridgedb which bridges it shouldn't be handing out 16:46:11 i worked with ooni last month on shipping the tor test in ooni apps but i didnt know if it was working on our side 16:46:19 super 16:46:41 oki, that is all on my side folks, i hope speed up on this work in the next weeks after tb release is done 16:46:57 great news, thanks antonela! 16:47:01 thanks you! 16:47:21 shall we move on to our 'needs help with' sections? 16:47:27 remember that we also have a reading group today 16:48:13 i have #34212 and was wondering if dcf1 can provide some tips 16:48:47 cohosh has #27330 and #34222 16:48:57 I will leave a comment on #34212 16:49:02 agix has #31528 16:49:05 thanks dcf1 16:49:05 #27330 fell through the cracks from last week 16:49:26 agix: i'll take #31528. sorry that my reviews take so long :/ 16:49:35 phw: no problem :) 16:49:45 and thanks for working on this! 16:50:02 i can do #27330 16:50:14 thanks 16:50:15 oh, wasn't that the ticket that hiro wanted to do? 16:50:26 yeah idk what happened exactly 16:50:44 but i'd like a review 16:50:55 phw: let me know if you need any more changes on #33835 16:50:59 i don't think hiro has time for gettor stuff 16:51:16 anyway, it's been a week without review, so i'll go ahead and review it 16:52:25 agix: i haven't had a chance to take a look at it yet. i'll let you know! i think the overall approach is fine and i just wanted to play around with it to convince myself that it's sound 16:52:42 phw: cool 16:53:13 #34222 is for our git admins, so i think we're done with reviews 16:53:26 any last words before we start our reading group? 16:54:44 ok, let's start our reading group 16:55:02 today's topic is the salmon paper: https://censorbib.nymity.ch/#Douglas2016a 16:55:10 agix: i believe you have a summary? 16:55:16 yep 16:55:24 16:55:32 Salmon is a system concept designed for censorship circumvention that relies on a network of volunteers in uncensored countries to run proxy servers. 16:55:44 It claims to significantly reduces the amount of users that can be cut off from access by a censor, compared to other systems like rBridge, while making the system easily accessible to the general public and at the same time make it difficult for the censor-agents to infiltrate the system. 16:55:54 The algorithm entails identifying some users as especially trustworthy or suspicious, based on their actions. 16:56:00 The salmon algorithm is based on 3 components: 16:56:15 1. Suspicion: probability that a user is a censor-agent. Every time a bridge that has been assigned to n amount of users is blocked, the suspicion that one of the users is a spy rises. 16:56:33 2 .Trust: Users who knew a server address for months without the server getting blocked, seem less likely to be censor-agents. 16:56:33 Higher trusted users will be served with higher-quality servers and will keep them better isolated from new users, which are more likely to be censor-agents. Possible censor-agents are only revealed if a bridge has been blocked in a certain country. 16:56:48 3. Recommendation: Users on a certain trust level are able to recommend friends to Salmon. 16:57:06 A censor can follow 2 possible strategies. 16:57:20 Either block immediately every server address they get a hold of, therefore not being able to harm higher level users. 16:57:28 Or wait and allow users to circumvent censorship system while the censor-agents try to discover higher level server addresses. 16:57:38 One of the downsides of Salmon is that it only allows access by recommendation or by proving ownership of a well-established Facebook account. 16:57:51 16:57:57 for those who like talk videos, https://petsymposium.org/2016/spw-mirror/pets-2016/program/ has a youtube link of fred presenting it. 16:58:13 I thought to start todays discussion I will share my idea on how the Salmon concept could be used as a new bridge distribution mechanism (and I think juggy worked on some ideas as well) 16:59:01 A user requesting a bridge for the first time would, additionally to the bridge address, could receive a pseudonymous token (cohosh already mentioned to me that we actually should aim for a pseudonymous-token-system) that would be assigned to the given bridge address. 16:59:26 Every token will be unique and the relation between token and the assigned bridge will be saved in BridgeDB’s database. The usage of this token is not mandatory but it allows the user to take part in the Salmon system. 16:59:46 Users that request bridges without taking part in the trust system will always be treated as level 0 users, meaning their provided bridge will not have the advantages of higher level bridges. 17:00:01 Users could request a higher level bridge by providing BridgeDB with their token and if eligible will be provided with a higher level bridge and the BridgeDB database will be updated accordingly. 17:00:13 Users who would like to recommend a friend could provide BridgeDB with their token to generate an invitation code which can only be used once. The friend can use this could to generate their token and take part in the trust system. BridgeDB’s database will be again updated to create the relation between the friends. 17:00:24 Users need to be advised on, not to use recommendation codes from people they do not know since they might stem from an adversarial source, causing them to be grouped with spies. They should further be advised not to share the bridge addresses among friends. Instead they should be encouraged to take part in the system since they will all benefit from it. 17:00:45 One aspect that needs to be considered for a salmon-like distribution system, is the reporting of blocked bridges. 17:00:46 phw already pointed this out in the anti-censorship-team mailing list (in Vol 13, Issue 8) and suggested some software components (Wolpertinger & Bridgestrap) to fix this issue. 17:00:53 Thats all from me for now :) 17:01:38 nice agix :) 17:01:53 So those who request a bridge and choose to receive a token (and subsequently submit it) automatically start off at a higher trust level? 17:02:34 No they should start at level 0, unless they have been recommended 17:02:55 thanks for the summary, agix 17:03:57 to take a step back, i like the notion of "this bridge is full, we no longer hand it out" 17:04:35 in practice, it won't be as simple, though. users disappear and a bridge will eventually have capacity again 17:04:36 agix: hm, in the original salmon paper, i thought only people at the highest trust level could do a recommendation. is your proposal that anybody can? that seems .. tricky to analyze. 17:04:53 Wait, so how do you build up trust? 17:05:08 arma2: users can invite people and the invited people inherit the inviter's trust level 17:05:12 phw: How should that be verified? Unique IPs? 17:05:20 arma2: No, like in the paper, it should only be possible at a certain level 17:05:25 cypherpunks: you go from trust level x to level x+1 by waiting 2^x days and not having your bridge get blocked 17:05:42 I believe the rationale for that is that you can't stop users from sharing bridge addresses they know, even without interacting with the Salmon system 17:05:57 What prevents the adversaty from just setting up 100 users and blocking whatever they get? 17:06:24 cypherpunks: that's the main point of the paper. 17:06:37 There's a bit of a risk here: if they have a level X profile, and they get a level X bridge, they can with reasonable confidence observe that whoever connects to that IP is a level X user 17:06:39 right? 17:06:45 They wont be able to block higher trust servers 17:07:39 They don't need to block them 17:07:44 agix: ok, sounds good. so users can do the recommendation thing but only if they're at level 6 or whatever. which introduces a bit of a ux question too ("how does the user know") but that seems solvable. 17:07:57 Section 2.3: ""Salmon incorporates a recommendation system: a user at maximum trust level L may recommend friends to Salmon; these friends join at level L−1." 17:08:01 cypherpunks: Ya the bridge trust level is the minimum trust level of all its users I think 17:08:13 I don't think you need to be at level 6 to recommend others. 17:08:17 for other context, i wrote up a bunch of thoughts on salmon earlier today, and sent them to the list: https://lists.torproject.org/pipermail/anti-censorship-team/2020-May/000100.html 17:08:18 cpyherpunks: right, but ideally the censor only sees his own agents, since all the recommended users get grouped together 17:08:34 They can just use the bridges as a starting point: Bridge X is known. User X, Y, and Z connect to bridge X, and also to bridges A and B 17:08:37 and so on, and so forth 17:08:47 dcf1: what is this word 'maximum' doing in that sentence then? 17:08:52 for a network-level adversary 17:08:57 cypherpunks: I hate to ask, but did you read the paper? 17:09:05 "The levels reach up to 17:09:06 a maximum of L, a parameter to be decided upon." 17:09:10 Section 3.10 is about the "zig-zag attack" 17:10:24 I know, it just doesn't seem to explain it adequately 17:10:40 i think the paper recommended a maximum level of 6, which would need over 2 months to reach 17:11:14 It can just observe proxy servers by looking at traffic patterns 17:11:16 agix: yep. and the special users can bring in people at L6 once a day 17:11:33 arma2: you may be right. I interpreted the "L" in that sentence to be a different binding than the "L" system parameter. 17:11:45 "this HTTPS server sees heavy traffic from these people, but hardly anyone else" 17:13:02 dcf1: in Sec 5.3 they speak of censors who need to wait 4 months to recommend their first person, or 5 months to recommend two 17:13:45 Whatever happened to the Snowflake Chrome extension? There's no option to use such bridges in TBB 17:13:54 arma2: yes but I thought that was a censor that deliberately delays its recommendations. 17:14:02 dcf1: but more generally, the fascinating thing about salmon is that it has *all* these knobs, for decisions that could have been made differently, and it's wildly unclear to me how robust it is when the knobs are turned slightly differently. 17:14:52 like, you wouldn't think that the recommendation thing is so critical, until you see their graph showing what happens if it's missing 17:15:23 s/the recommendation thing/grouping users with their recommendee/ (there that makes more sense) 17:15:29 having lots of knobs doesn't bother me too much; I think other systems like Salmon would have them too; but the Salmon authors discovered and documented them because they fielded a deployment 17:16:20 I mean, yes it's a concern that it appears to be sensitive to parameters, but I suspect similar proposals would be as well. 17:16:38 agreed. which makes me inclined to believe that the parameters they picked are somehow more likely to be right than other choices that seem plausible too 17:17:10 btw https://github.com/SalmonProject still has code 17:17:22 Project home page seems offline but there's an archive at https://web.archive.org/web/20170224182543/https://salmon.cs.illinois.edu/en/home.html 17:17:31 speaking of other systems, one think salmon accounts for is allowing users to join without being recommended to the system 17:17:43 wheras rbridge/hyphae both require you to be recommended 17:18:00 i like that salmon users can all join at level 0 and it's robust in this case 17:18:11 arma2's point about the sybil defences is worth thining abou tthough 17:18:14 cohosh: but it needs sybil-resistance for its new users. speaking of which, how practical is it, engineering-wise, for us to do the facebook account checking? 17:18:19 obviously the facebook acount is not an option fo rus 17:18:22 i think that's a critical feature. censored users don't all know each other 17:18:28 It's possible that I greatly misunderstood the interaction of recommendations and trust levels. 17:18:31 cohosh: obviously? that's not yet obvious to me :) 17:18:32 arma2: perhaps their parameters are even a bit to conservative, since they argue that the server addresses can be easily changed once blocked, but i am not sure if that applies to our bridges as well 17:18:37 One questions I have is the part where they talk about letting users use "low-bandwidth covert channels like Skype and email" to access FB to register for Salmon - how does that work? 17:18:52 arma2: requiring people to make facebook accounts to get bridges? :| 17:19:03 I think the facebook account checking is basically equivalent to the bridgedb requirement of a gmail or riseup email address. They don't use any friendship graph information from Facebook, right? 17:19:05 cohosh: requiring them to make facebook accounts to get *salmon* bridges 17:19:17 dcf1: that was my understanding, yes 17:19:17 hmm fair 17:19:25 i also don't love that feature though 17:19:30 a lot of people have trouble with it 17:19:31 if they require a 2015 facebook account, i think it's a stronger sybil defense than our "you need to have a gmail address" check 17:19:44 requiring a facebook account isn't great but neither is requiring a gmail or riseup account 17:19:49 getting a gmail account requires a phone number, riseup is difficult because of the recommendation thing 17:20:22 This is what I was thinking of re trust levels and recommendations: "when assigning a new server to a user u, we first look for one that has already been given to a member of its connected com- ponent ... Because this sharing of servers among friends is so natural, this logic takes precedence over the trust levels: a user may be placed on a higher-level server if it includes a recommendation friend." 17:20:33 juggy: i think they were just saying that even if facebook is blocked in your country, you still probably have a facebook account, because it doesn't take a very high-bandwidth circumvention tool for you to reach facebook. so you probably already did, because that's where all your friends are. 17:20:50 But I suppose the invited user is not *actually* at a higher trust level, just effectively at one for the purpose of bridge sharing. 17:21:24 dcf1: remember, you lose a trust level if your bridge gets blocked. So if an L6 recommends you, you're L5, but then your bridge gets blocked, now you're L4 17:21:37 arma2: yeah I think you're right. 17:21:40 that's how you can get below L or L-1 even if you were recommended 17:21:59 (ok, saying "L6" and "L" is super confusing, i'll stop doing that :) 17:22:36 cohosh: for salmon allowing new non-recommended users, it is critical to have a strong sybil protection for signups 17:22:57 otherwise the adversary just keeps signing up new users, and they get each bridge, and then block them, and new users have a horrible experience and then their account gets canceled. 17:23:04 are there better solutions than "have an account for this service that's terrible for privacy" there? 17:23:35 cohosh: sure. all of the rate limiting things. "give us $10", etc. it's the same problem as for, say, nymble. there are no great answers though. 17:23:47 (riseup isn't terrible for privacy but reduces it back to the "you have to be recommended" problem) 17:24:07 And also the bit where you need to have a specific political opinion 17:24:21 cohosh: this is one case where academia wins. all they need in their paper is to say "we'll use facebook accounts", and now their paper has solved that part. 17:24:26 cypherpunks: fair :) 17:24:30 One approach is to segregate them based on domain 17:24:46 So, you set some fraction of the bridges apart as gmail bridges, some as riseup bridges, some as cock.li bridges, etc 17:25:20 What's the blocker for using flashproxy on a larger scale? 17:25:39 cypherpunks: we're getting off-topic here 17:26:30 dcf1: let me know if you have more "wait, how does that work" trust level questions. i spent a while in 2016 arguing with them about it so i think i have a pretty good handle on what they were envisioning. :) 17:26:39 On the topic of bridge liveness detection and false positives, 17:27:00 I can't remember, did the authors suggest having bridges self-report liveness? 17:27:15 As an alternative to users measuring liveness or a central server measuring liveness. 17:27:21 i think the user tries to reach the bridge, can't, and goes to the directory server to say "help me bridge is gone" 17:27:48 If all your users report a bridge as unreachable, but the bridge itself is sending heartbeat pings hourly to a central server, then you can avoid immediately demoting all the users of that bridge. 17:27:49 and then the directory server either already knows it moved or went down globally, in which case it serves back a replacement, 17:28:13 Or rather, 17:28:17 or the directory server is surprised to hear that it's down, and ... they didn't have a section where they confirm from inside the country. 17:28:29 a heartbeat is an interesting idea. but it doesn't defend against malicious bridges 17:28:37 you want to know whether to blame the users for getting their bridge blocked, or whether the bridge just disappeared and it's not a user's fault 17:28:46 right 17:29:05 Right, it's not for malicious bridges, but for reducing the probability of a false positive, because false positives are so costly. 17:30:00 if we have geographically distributed users, this might help us 17:30:13 some users can't reach it, but others can might indicate blocking events 17:30:14 in the paper, they say "The check is done by the directory 17:30:15 server." 17:30:27 but i agree there seem like ways to make that part better 17:30:56 also as agix and phw pointed out, the ooni feedback loop 17:31:06 they also spoke, in my email thread with them, about having the in-country user "try to reach google, and then the bridge, and then google again", and only report the bridge as down if the google connections both worked 17:31:43 (that design also seems like it can be improved. i'm just trying to get across what the authors had in mind.) 17:33:09 cohosh: you're a bigger fan of rbridge, no? why is that? 17:33:37 setting aside the issue of recommendations vs sybl defences, i like how rbridge doesn't store user data at the server 17:34:42 rbridge and hyphae both have designs where the users store all the information they need (e.g., which bridges they know about, their reputation points) as tokens and hand them to the server when they want to get more bridges or recommend other users 17:34:52 the salmon paper argues that you need to group the recommender with the recommendee, or the attacker can attack way better. and that grouping seems hard to do while keeping the unlinkability. 17:35:25 this is nice from a server maintenance standpoint, and also from a legal liability "store as little as possible about your users" standpoint 17:35:33 ..or are the recommenders linkable to their recommendees in the rbridge/hyphae design? 17:36:12 arma2: no, and that was a feature that seemed nice in terms of limiting censors. i'd like to think about whether we really need the social graph bit 17:36:33 phw: You mentioned in your email that Salmon would be a distributor that exists alongside the rest, how come the underlying Salmon concepts wouldn't work with, say, Moat? 17:36:43 right. it seems there is a very clear "effectiveness" vs "privacy" tradeoff here. and it would be cool to find some cool math trick that gets us both. 17:37:05 or if there's a way to hand out bridges to recommendees that are similar to the set known by the recommender in a private crypto-magic way 17:37:17 juggy: when you say moat, do you mean "use domain fronting to reach bridgedb", or do you mean "solve a captcha and now you have a moat bridge"? 17:38:15 juggy: it's certainly possible to merge the two somehow. there are many open questions, especially when it comes to salmon's UX 17:38:22 arma2: the latter 17:38:26 should it all be in tor browser? should it be a (domain-fronted) website? 17:40:00 phw: for context, the 2016 authors had in mind to write automated email clients that logged into your gmail and sent and received email. so, moat plus doing it in tor browser could be way simpler (and more robust and more intuitive too) 17:40:54 i like the idea of using moat as the interface with the server, it's our most popular bridge distribution method already right? 17:41:18 cohosh: according to the metrics it is 17:41:19 cohosh: yes it is: https://metrics.torproject.org/bridgedb-distributor.html 17:41:21 i think "ask for an https bridge via a tor address" is our most popular, if you count the bots ;) 17:42:10 :P 17:42:47 oh, and speaking of the idea of having ooni test bridges, if people here haven't looked at the early writings on 'how to test bridge reachability', see https://blog.torproject.org/research-problem-five-ways-test-bridge-reachability 17:43:25 * cohosh needs to eat something before jumping into yet another meeting 17:43:35 and here's the part that makes it fun: once we can learn whether bridges are reachable or not, and we can learn how much load they're carrying, 17:43:52 we could dynamically adapt to which distribution channel is being most successful: moat, https, gmail, salmon, etc 17:44:37 phw: ok. anything more for us on this topic? :) 17:45:31 do you guys think that Salmon might be a useful bridge distribution mechanism in the future? 17:45:35 to give you all some context: we have funding to build a social distributor but the details are all still in the air 17:45:52 agix: i think salmon is the most compelling design i have seen so far. 17:46:07 but there are still some big unspecified parts to it 17:46:33 plus there are some parts like the anti-sybil defenses that might make people itch 17:47:32 arma2: but how is it different from the current anti-sybil defenses we have to apply? 17:47:51 china is beating the heck out of them 17:47:58 try getting a bridge from bridgedb and using it in china 17:48:45 arma2: i see, so its an issue that not only applies to salmon, but our distribution in general 17:48:46 so we need to step things up on that front if we want the rest of the design to have a chance of working 17:48:52 it's been almost an hour. we should wrap up. how about we continue this discussion on the mailing list? 17:49:12 arma2: cool, got it :) 17:49:44 #endmeeting