15:59:07 <meskio> #startmeeting tor anti-censorship meeting
15:59:07 <MeetBot> Meeting started Thu Mar 24 15:59:07 2022 UTC.  The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:59:07 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:11 <meskio> hello everybody
15:59:14 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:25 <meskio> feel free to add what you've been working on and put items on the agenda
16:00:12 <meskio> the first item in the agenda is 'dnstt bridges'
16:00:23 <meskio> I didn't remove it just in case we still want to talk about it
16:00:24 <cohosh> hi!
16:00:33 <meskio> there are already issues created to work on it
16:01:00 <ggus> hello
16:01:58 <meskio> hello o/
16:02:25 <itchyonion> hello
16:02:33 <shelikhoo> Hi~
16:02:56 <meskio> dcf1: did you see the conversation last week about adding support to dnstt as PT for bridges?
16:03:18 <dcf1> yes, I skimmed the discussion
16:03:27 <ln5> hi
16:03:44 <meskio> :)
16:04:36 <meskio> anyway, I guess we might not have anything to talk about it, we'll discuss in the related issue
16:04:41 <meskio> should we move to the next topic?
16:04:54 <meskio> "Prepare all pieces of the snowflake pipeline for a second snowflake bridge"
16:05:17 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/28651#note_2787394
16:05:30 <shelikhoo> I have made a design I think will work
16:05:47 <shelikhoo> Comments are welcomed
16:06:12 <shelikhoo> if we agree on this design, I will begin implementing its broker
16:06:59 <shelikhoo> dcf1 has later agreed on having the broker provide the websocket url (I suppose)
16:07:42 <shelikhoo> and the fused design here is that the client checks the domain name of that websocket url to see if it has a correct suffix
16:07:51 <shelikhoo> if so, it will be accepted
16:08:30 <shelikhoo> this removed the need to synchronise allowed websocket address constantly
16:09:05 <shelikhoo> and made it possible to have only one pool of proxies, instead of having a pool for each accepted fingerprint
16:09:46 <meskio> basically it shifts the trust from the broker to the DNS system
16:09:47 <shelikhoo> and does not decrease the security of the client, since in either case it will have to accept a list of allowed websocket destinations
16:10:13 <shelikhoo> if we only allow HTTPS connection
16:10:29 <shelikhoo> if we only allow HTTPS Websocket connection
16:10:37 <shelikhoo> then it would not rely on DNS that much
16:11:03 <shelikhoo> even if we have an allow list, then it still depends on DNS to point the domain to the correct IP
16:11:24 <cohosh> so the steps to add a new bridge are: have someone agree to run the bridge, talk to TPA to set up a *.torproject.net subdomain to it, distribute the new bridge line with the new fingerprint?
16:11:59 <shelikhoo> Yes, and input that info at the broker
16:12:17 <shelikhoo> we can use an alternative TLD
16:12:25 <shelikhoo> if that is needed for security reason
16:12:53 <cohosh> that sounds reasonable to me
16:12:55 <dcf1> I have access to a host that will probably be the second snowflake bridge (the first one to have a different bridge fingerprint)
16:13:11 <dcf1> I have not set it up yet, but my plan is to get it ready for when you want to start pointing traffic to it.
16:13:40 <shelikhoo> dcf1: Yes, that will take a little while
16:13:49 <dcf1> (ln5's bridge is planned to have the same fingerprint we are using already, with domain name snowflake.torproject.net)
16:15:06 <shelikhoo> I think from Tor's design, it is not designed to have different instances of Tor with the same fingerprint
16:15:38 <shelikhoo> so maybe the best way to move forward is to accept that
16:15:58 <shelikhoo> and design things around this
16:16:51 <shelikhoo> Is there any suggested amendment to the design there
16:17:07 <cohosh> sounds like a good plan to me
16:17:26 <cohosh> i also don't think it closes any doors if later we want to do the more complex proxy matching idea
16:18:05 <meskio> +1
16:19:22 <meskio> anything more on this topic? it looks like we are all happy with shelikhoo's design
16:19:53 <cohosh> thanks shelikhoo :D it will be exciting to get this going
16:20:16 <shelikhoo> no problem~
16:20:30 <meskio> (:
16:20:31 <shelikhoo> {Add SOCKS5 forward proxy support} is ready to be reviewed again, now with handwritten SOCKS5-DNS
16:20:59 <shelikhoo> so the next topic is SOCKS5 proxy support for snowflake client
16:21:29 <shelikhoo> I have added handwritten DNS to it to get around Go stdlib's mindset
16:21:49 <shelikhoo> and it can be evaluated again
16:22:16 <meskio> nice
16:22:26 <meskio> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/64
16:22:27 <shelikhoo> if we decide to have it, we will consider upstreaming the changes to the webrtc library
16:23:01 <cohosh> thanks shelikhoo, looks like i'm assigned to review it so i'll take a look
16:23:08 <shelikhoo> and I will rebase it against main
16:23:09 <shelikhoo> yes
16:23:12 <cohosh> (anyone else who is interested also feel free to jump in though)
16:24:23 <shelikhoo> okay maybe we can move on to the next topic.
16:24:25 <shelikhoo> archive state-of-censorship repo https://gitlab.torproject.org/tpo/anti-censorship/state-of-censorship
16:24:26 <itchyonion> shelikhoo: 👍
16:25:05 <meskio> cohosh: I have a few things to review in my queue, so I'm happy for you to review it, but if you are overloaded say so and I'll have a look
16:25:44 <meskio> the state-of-censorship repo used to contain a json with information on what country blocks what
16:26:02 <meskio> but now this information is part of moat API, and the json lives in the rdsys-admin repo
16:26:23 <meskio> is not exactly the same json, the state-of-censorship one did contain information about websites being blocked
16:26:40 <meskio> while the moat one is only about ways to connect to tor
16:26:56 <meskio> I added a notice to the readme and archived the state-of-censorship repo
16:27:04 <meskio> but I'm happy to revert it if people disagree
16:28:10 <cohosh> sounds good :)
16:28:37 <meskio> kind of related to that I have an announcement, the circumvention settings API is already deployed
16:28:51 <meskio> I just deployed it today
16:29:03 <cohosh> nice!
16:29:23 <shelikhoo> great!
16:29:25 <meskio> that is all in the agenda
16:29:34 <meskio> do we want to pick a paper for our reading group?
16:30:22 <meskio> itchyonion: I'm not sure we have described the reading group to you, but basically every couple of weeks we pick up a paper on a topic related to anti-censorship and discuss it in our weekly meeting
16:30:36 <meskio> any proposals for papers to read?
16:30:52 <itchyonion> awesome
16:31:34 * meskio looks at https://censorbib.nymity.ch/
16:31:35 <cohosh> i've been meaning to read balboa, personally: https://censorbib.nymity.ch/#Rosen2021a
16:31:59 <meskio> I'm happy to do that one
16:32:16 <shelikhoo> +1
16:32:29 <meskio> two weeks from now? April 7?
16:32:36 <ln5> that's a great idea
16:33:23 <cohosh> sounds good!
16:33:23 <meskio> great, we have something to read the next couple of weeks
16:33:26 <itchyonion> 👍
16:33:36 <meskio> anything else for today?
16:34:03 <shelikhoo> +1, EOF from Shell
16:34:08 <meskio> nice, we have a fast meeting today :)
16:34:21 <meskio> I'll wait for a minute and close the meeting if no one has anything else
16:35:20 <meskio> #endmeeting