15:59:27 #startmeeting tor anti-censorship meeting 15:59:27 Meeting started Thu Dec 16 15:59:27 2021 UTC. The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:59:27 Useful Commands: #action #agreed #help #info #idea #link #topic. 15:59:33 hello everybody! 15:59:38 Hi~ 15:59:40 here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep 15:59:52 feel free to add what you've been working on and put items on the agenda 16:01:14 there is not much in the agenda 16:01:41 I kept the point about the status in russia from last week 16:01:54 o/ 16:02:02 o/ 16:02:26 Bridgedb now is only distributing working bridges over moat in russia (for now) 16:02:55 and the telegram bot had needed to rotate bridges as the ones distributed to fresh accounts well all blocked except one 16:03:12 this is all I know from my side, anything else? or something to discuss about it? 16:04:01 someone has asked if meek-azure does work now 16:04:03 hackerncoder mirror is going to be blocked soon in russia, so we will need new mirrors 16:04:10 I have read soemthing about it, but I don't know 16:04:29 ggus: is that a mirror of torproject.org? 16:04:37 The blocking still occurs via IP blocking? 16:04:46 The snowflake bridge approx. doubled its number of clients in the 2 days since 11.5a1 was released https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F 16:04:50 yes, all *.torproject.org 16:04:57 I take that as an indication the DTLS fingerprint change is working, for now 16:05:17 dcf1: nice \o/ 16:05:21 We might need to talk about upscaling the bridge at some point, as its load is increasing 16:05:33 anadahz: I have no idea, I didn't investigate, maybe shelikhoo knows more 16:06:09 https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/47#note_2766608 16:06:46 I didn't investigate this, but according to tor-dev chat, meek-azure is partially working if returned IP is not blocked. 16:07:02 Azure change IP address assigned to the blocked site from time to time 16:07:10 https://ntc.party/t/ooni-reports-of-tor-blocking-in-certain-isps-since-2021-12-01/1477/79 "meek-azure works fine. They’ve unblocked ajax.aspnetcdn.com." 16:07:11 more updates: the new default bridge 'deusexmachina' was blocked this week. i've asked the operator to rotate the ip address, but i didn't hear from them yet. 16:07:29 Yeah I'm not sure if it was unblocked, or whether Microsoft changed the IP address of the domain. 16:07:36 but censorship device's deny list did not update 16:09:20 Is also Tor IPv6 traffic blocked? 16:09:35 Anyway, the current way of meek's domain fronting seems to have insufficient colloidal damage 16:09:56 for determined adversary that is willing to take some loss 16:10:04 anadahz: I read some reports in ntc.party that IPv6 default bridges worked, but I haven't tested it 16:10:31 In China, that IPv6 bridge is partially blocked 16:10:44 meskio: i could bootstrap ipv4 and ipv6 vanilla tor bridges in russia 16:11:34 shelikhoo: "that bridge" you mention [2a01:4ff:f0:214d::1]:55882 ? 16:12:21 ggus: how is it known that a specific website mirror will be blocked? was it another of those emails from Roskomnadzor? 16:12:25 since the censorship in russia, we've answered +400 tickets on frontdesk@tpo from russian users 16:12:50 wow 16:12:57 dcf1: yes, hackerncoder received a notification and pinged us on #tor-project oday. 16:13:04 anadahz: No It's 2a0c:4d80:42:702::1 16:13:20 *today 16:13:42 My hosting provider got a simelar email as the Tor Project from roscomandzor 16:14:24 there's a list of existing mirrors at https://2019.www.torproject.org/getinvolved/mirrors.html.en 16:14:38 though likely any single one that's promoted will also eventually be blocked 16:15:04 dcf1: but, this list is only for wwww.tpo 16:15:34 I see. But some of them also have /dist/, is that what's required? 16:16:34 Mine includs many subdomains, support community blog 2019 tb-manual 16:17:41 dcf1: yes, all these mirrors have /dist/ 16:18:18 IIUC Roscomandzor send mails to Tor relays email contact and/or hosting ISP abuse email address? 16:18:46 anadahz: not to relay operators as far as I know 16:18:47 afaik, i didn't hear anything about that 16:19:35 dcf1: do I recall that scaling the snowflake bridge will require changes in the code? should we start prioritizing those changes? 16:19:42 I guess is that one: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/28651 16:19:49 I see is already in 'next'... 16:20:20 The easiest way to do this is setup another broker, and bridge 16:20:39 so there will be a separate proxy pool 16:20:42 meskio: I mean, eventually, but two easier steps before redesigning any code are: 1. deploy on bigger hardware 2. profile and optimize the snowflake-bridge code. 16:21:03 I see 16:21:27 another thing wrt russia: valdikss shared this article about a pro-gov organization asking Apple and Google Play to block Tor apps - https://m.gazeta.ru/social/news/2021/12/14/n_17011309.shtml 16:21:35 I hope it can wait until january so we don't need to rush over the vacations to do it 16:22:04 meskio: I don't think there's any rush. 16:22:14 :) 16:23:03 I think Apple have already deplatformed all Proxy Apps from China's App Store 16:23:08 we already upgraded the hardware once 6 months ago https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40051 16:24:28 I also have a feeling that a few hours spent profiling the snowflake server PT would reduce its CPU usage a lot 16:24:32 shelikhoo: Indeed, that was some time ago. 16:25:03 currently using about 2 CPUs for snowflake-server, about 1 CPU for tor + proxy-go instances. 16:25:39 It is usually impossible for users to create an apple account in a country they does not live in without the help of a VPN 16:26:07 unless they have a payment method in that country 16:26:18 dcf1: I see 16:26:37 Maybe the app stores can purge all the fake tor browsers from the app stores while they're at it 16:26:47 hehe 16:26:52 that will be nice :D 16:27:28 wow, we have 3k snowflake users in Russia 16:27:56 nice 16:28:22 winter is coming :P 16:28:37 :) 16:28:46 https://metrics.torproject.org/userstats-bridge-combined.html?start=2021-09-17&end=2021-12-16&country=ru 16:29:06 is anyone working on implementing the alpn extension for pion dtls? 16:30:02 https://github.com/pion/dtls/issues/408 16:30:10 Context ^ 16:30:26 for that matter, I'm not sure if we upgraded the standalone bridges that we operate 16:31:01 FWIW OnionBrowser seems to be still available on Apple Store: https://applecensorship.com/app-store-monitor/test/519296448?l= 16:31:36 I guess we did not upgrade our proxy-go yet, judging by the modification date of the binary. I will do that. 16:32:38 dcf1: after that, should we ask volunteers to upgrade their snowflake standalone proxy? 16:33:16 maybe. I'm not sure how important it is. 16:33:59 This could improve connection time for impacted users lives in Russia 16:34:12 Since the client will retry connection 16:34:28 after waiting a while 16:34:53 so if the proxy does not update its version, the connection may be blocked 16:35:11 the client will need to try another proxy 16:35:15 we should rebuild the docker image of the standalone proxy if we want to ask people to upgrade 16:35:22 yes, I understand. what I'm saying is I don't have a way to wauntify how important that effect actually is in practice 16:35:42 to know whether it's worth the trouble 16:35:54 rebuilding the docker image is a good idea in any case 16:36:06 I'll do that tomorrow 16:36:24 * meskio remembers that needs to give a push to the debian package too 16:36:43 and then ask egypcio to update the freebsd port 16:37:40 debian is quite slow when it comes to updating packages.... 16:38:46 the package is in debian sid, it will not even get to testing as I need to fix things tehre 16:38:54 so no hurry 16:39:01 Yes.... 16:39:29 (also Tor Browser is available on Google Play in Russia: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&gl=RU) 16:39:36 btw, we will have a user support person that speaks russian very soon. 16:39:52 nice 16:39:56 thanks everyone how helped us on this! 16:40:59 anything more about russia? 16:41:34 I see a point about fingerprint fixes in the agenda, I guess is what we just discussed, anything else to add there? 16:41:49 that's what we just discussed 16:42:03 good 16:42:03 I don't think arlolra got an answer, so I suppose that means no one is working on it now 16:42:19 yes, I guess that is the answer 16:42:33 maybe cohosh knows more, but she is AFK today 16:43:12 I added a point about the next meeting, not sure how you have done the holiday season last years 16:43:29 from Dec 22 to Jan 5 TPI employees are in holiday 16:43:39 so I guess our next meeting will be Jan 6 16:43:53 * meskio might take that day off, but I hope others will be around 16:44:39 I guess nothing to discuss there 16:44:47 anything else for today? 16:45:12 just to add that we have now 2k bridges - https://metrics.torproject.org/networksize.html?start=2017-09-17&end=2021-12-16 16:45:24 amazing 16:45:34 great! 16:45:59 2018 was the bridge authority migration 16:46:09 impressive! 16:47:33 I'll give it one more minute to see if someone has something else to talk and if not I'll close the meeting 16:48:35 #endmeeting