#tor-meeting log

15:59:25 <meskio> #startmeeting tor anti-censorship meeting
15:59:25 <MeetBot> Meeting started Thu Apr 21 15:59:25 2022 UTC.  The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:59:25 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:28 <meskio> hello
15:59:30 <shelikhoo> Hi~
15:59:34 <itchyonion> hello
15:59:37 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:45 <meskio> feel free to add what you've been working on and put items on the agenda
15:59:49 <arma2> dcf1: oh, i realized i had another question: i'm told that our telegram-distributed obfs4 bridges are wildly successful,
15:59:59 <arma2> and do we have any relay-search style graphs of what 'successful' means there?
16:00:10 <arma2> like, are most of the .ru users using those telegram obfs4 bridges? or?
16:00:28 <arma2> i tried looking up previous ones but irl had rotated them and relay-search had dropped their page
16:00:52 <arma2> (might be a question better for meskio)
16:01:21 <dcf1> I don't think relay search gives a per-country breakdown for each bridge, but the information is there in the bridge-extra-info descriptors
16:01:34 <arma2> right. i just figured, if they're telegram-distributed, most of their users are from .ru,
16:01:35 <meskio> we have some graphs in grafana about the bot requests
16:01:44 <irl> i have a script that was pulling out that per-country info
16:01:44 <arma2> and if they're wildly popular, then i should be able to find a relay-search graph with big numbers on it
16:01:52 <meskio> we can look in relay-search, as all the telegram bridges right now have the same name patter
16:01:57 <meskio> s/patter/pattern/
16:02:07 <meskio> ahh, irl scripts are better :)
16:02:24 <arma2> great. what do we mean by wildly popular? 100 users? 1000?
16:02:29 <irl> it was just a for loop over bridge extra info descriptors
16:02:32 <dcf1> https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40047#note_2796619 scripts have an example of extracting info for a single fingerprint, and
16:02:44 <shelikhoo> I think there isn't a lot of blocking of dynamic s96 bridges in russia right not...
16:02:53 <dcf1> https://gitlab.torproject.org/tpo/community/support/-/issues/40050#note_2796770 has an example of pulling info for a single fingerprint and a single country
16:02:53 <shelikhoo> I  think there isn't a lot of blocking of dynamic s96 bridges in russia right now
16:02:55 <irl> tens of thousands of "unique russian ip address days"
16:02:59 <meskio> arma2: until we do deploy telegram as part of rdsys bridges used by telegram are not assigned to the distribution mechanism 'telegram', so they don't appear in the graphs as so
16:03:26 <irl> i think it was roughly 700-1000 daily unique russian ip addresses
16:04:04 <irl> shelikhoo: you're currently only testing the moat bridges, the telegram bridges haven't been updated in a while now
16:05:09 <shelikhoo> I assume the telegram bridges will come from the shared repo?
16:05:31 <arma2> ok i will follow up after the meeting for more details. no need for me to derail :)
16:06:15 <shelikhoo> other bridges are static and updated manually
16:06:49 <shelikhoo> to get a bridge tested, send bridge line to the repo
16:07:44 <meskio> should we move on to the next topic?
16:07:52 <meskio> Is the reading group reading supposed to be "Web censorship measurements of HTTP/3 over QUIC"
16:08:05 <meskio> I miss last weeks conversations and I guess the context on it
16:08:15 <dcf1> I'm just curious if we're supposed to read the BBS and NTC threads, or the IMC paper about HTTP/3 blocking
16:08:23 <dcf1> (which precedes the blocking of HTTP/3 in Russia)
16:09:42 <dcf1> The paper is linked in the BBS thread (it's an IMC short paper)
16:10:08 <meskio> I will assume is the paper, isn't it?
16:10:08 <dcf1> One of the authors of the paper, I saw, has done some Russia-specific tests since then: https://github.com/kelmenhorst/quic-censorship/issues/4
16:11:16 <dcf1> the IMC paper is what I would have guessed
16:12:40 <meskio> let's do the paper, I guess the BBS thread is good source as context
16:13:00 <dcf1> ok
16:13:14 <shelikhoo> Yes~
16:13:26 <meskio> great, let's move on
16:13:31 <meskio> Snowflake Multi-Server Broker Testing
16:13:49 <meskio> shelikhoo: is it yours?
16:14:10 <shelikhoo> Yes. I have deployed Multi-Server Broker and it is ready for testing
16:14:41 <shelikhoo> there are 3 bridge known to it
16:15:06 <shelikhoo> and we can just compile and run the client with one of the fingerprint
16:15:13 <shelikhoo> to try this
16:15:15 <meskio> I see the ticket has instructions on how to test it, I'll give it a try tomorrow
16:15:20 <shelikhoo> yes!
16:15:29 <dcf1> shelikhoo: does it work if I configure 2 bridges in torrc at the same time?
16:15:35 <meskio> thanks for setting it up, is nice to see this advancing :)
16:15:42 <dcf1> I know it will do duplicate rendezvous, but does it work?
16:16:11 <shelikhoo> it should work in theory, please let me know if doesn't
16:16:32 <dcf1> ok, good
16:16:49 <dcf1> good work
16:17:31 <shelikhoo> meskio: I am afraid I am behind the Q2 OKR already.... hahahaha ( T_T )
16:18:02 <shelikhoo> yes, it still don't have user friendly message for new errors, but it should not be hard to add it
16:18:10 <meskio> uff, is hard to keep up with them
16:18:33 <shelikhoo> dcf1: Yes! Thanks!
16:18:45 <shelikhoo> If there is anything unexpected just let me know!
16:19:37 <itchyonion> I will also help test
16:20:30 <shelikhoo> The url used cloudflare worker to hide actual server IP address(or client address for attackers that know server IP), this will also be used for our vantage point - probe log collector connections
16:21:01 <shelikhoo> so that even if attacker know the server ip, they can't use it to get vantage ip
16:21:14 <shelikhoo> by looking who is connecting to that ip
16:21:54 <shelikhoo> I am also testing this in the same time
16:22:38 <meskio> I'm a bit confused the broker uses cloudflare?
16:23:03 <shelikhoo> cloudflare worker forward connection to the actual broker
16:23:22 <meskio> I see
16:23:23 <shelikhoo> for testing using cloudflare to forward connections
16:23:33 <shelikhoo> with worker
16:23:47 <meskio> you meant it as a circumvention mechanism? like domain fronting and so?
16:24:21 <meskio> ahh, is just to hide the IP where you are hosting it
16:25:03 <shelikhoo> the actual usage is to hide the vantage client that are connecting to log collector
16:25:29 <shelikhoo> since censor have no idea which worker is our's
16:25:42 <shelikhoo> but right now it is hiding server ip
16:26:01 <meskio> I see
16:26:31 <meskio> should we move to the next topic?
16:26:48 <meskio> Report of CDN Block in Turkmenistan
16:27:21 <shelikhoo> Yes, i have received a report that Turkmenistan are blocking IP associated with Cloudflare
16:27:37 <shelikhoo> and currently trying to confirm this
16:28:15 <arma2> i sent you some contacts we have at cloudflare / fastly
16:28:20 <shelikhoo> if fastly are blocked in a similar way, this might explain snowflake failure in the region
16:28:21 <arma2> let me know if i should do more there, e.g. send an introduction
16:29:07 <shelikhoo> thanks arma2, I will write to them to know if they are willing to share info about this.
16:29:15 <dcf1> RU (TSPU) was/is also blocking a couple of Cloudflare IP addresses in the past week: https://ntc.party/t/cloudflare-cdn/2245
16:29:49 <dcf1> The best guess as to the cause is accidental overblocking when trying to block a specific site: https://ntc.party/t/cloudflare-cdn/2245/24
16:31:13 <shelikhoo> from the screenshot, the blocking is quite extensive, so it is likely about blocking CDN as a whole...
16:31:14 <arma2> that guess is consistent with what we saw with blocking azure by ip address
16:31:38 <arma2> russia choosing to block cloudflare longterm would be... a huge step.
16:31:48 <dcf1> no, you are misunderstanding me
16:32:04 <arma2> (and i assume cloudflare would take steps to 'fix' it, socially or otherwise)
16:32:19 <dcf1> it does not look like a deliberate block of all of cloudflare, rather more like someone was lazy and blocked the 2 IP addresses a domain name happened to resolve to at the time
16:32:37 <dcf1> it is unlike what shelikhoo is describing in TM, I think
16:32:40 <shelikhoo> dcf1; i was talking about Turkmenistan situation, not russia
16:32:59 <dcf1> shelikhoo: aha, sorry for the confusion
16:33:05 <arma2> ok great. yes, i agree that russia probably did not mean to block cloudflare, and they wouldn't keep it up if they accidentally did.
16:33:15 <arma2> but it is intriguing that maybe .tm did.
16:33:24 <shelikhoo> I just said the thing in TM is could be more harsh...
16:33:47 <shelikhoo> in the meanwhile we should consider invest in a vantage point in TM if possible
16:34:00 <shelikhoo> and understand whether AMP works there
16:34:38 <meskio> shelikhoo: I agree, we should search for a vantage point in TM, we should check with gaba, but I doubt the money will be the issue for it
16:35:10 <anadahz> According to OONI data this is not something so new as it seems snowflake is being blocked since at least March 2022: https://explorer.ooni.org/chart/mat?probe_cc=TM&test_name=torsf&since=2022-03-01&until=2022-04-22&axis_x=measurement_start_day
16:35:26 <dcf1> regarding idle scan, that is basically what Censored Planet "Augur" is, an enhanced form of idle scan. it's possible Censored Planet data may have the necessary measurements.
16:35:46 <dcf1> https://censorbib.nymity.ch/#Pearce2017a
16:37:39 <anadahz> Many operators do not allow sending spoofed packets.
16:37:40 <shelikhoo> Yes... I will contact Cloudflare & fastly first since they will have more direct data
16:37:53 <dcf1> Hmm, although from https://data.censoredplanet.org/raw that may not be doing active Augur measurements lately
16:40:02 <shelikhoo> Anyway, the wishlist will be assistance from cf, fastly; vantage point in TM; and some idle scan if possible
16:40:25 <shelikhoo> sending spoofed packet would require special network access
16:40:53 <meskio> sounds great
16:40:59 <shelikhoo> yes
16:41:13 <dcf1> Augur is remote measurement. You don't spoof from a vantage point in the country. You spoof from outside, on a network that allows it. It doesn't matter whether the target allows spoofing.
16:41:30 <shelikhoo> Yes, the source need to allow spoofing
16:42:25 <meskio> anything else on this topic?
16:43:21 <meskio> the next topic is about adding a license to rdsys, it doesn't have one
16:43:57 <meskio> do we have a standard license in other tpo projects? I see bridgedb and tor ar 3-BSD, arti is unclear if is MIT
16:44:07 <arma2> most things are 3-bsd
16:44:09 <meskio> I don't have strong opinions on it
16:44:21 <arma2> doing what bridgedb did can't go too far wrong
16:44:42 <meskio> sounds good, I'll do that in the comming days
16:44:43 <arma2> mostly i wanted us to have *something*, since the defcon proposal quite reasonably asks "is it free software" and i was like "oh wait it isn't"
16:44:52 <meskio> :D
16:45:38 <meskio> last point in the agenda: dnstt, next steps
16:45:44 <meskio> anadahz?
16:46:16 <anadahz> Not sure if you have the chance to check: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/40001
16:47:01 <anadahz> Some weeks ago it was suggested that this is the first part to get things done.
16:47:51 <anadahz> threeletteracronym[m]: has already implemented in Orbot and can release once we have some public bridges.
16:48:24 <anadahz> Anything more I can do from my side?
16:48:28 <meskio> to me the next step is to add support to the PT spec in dnstt, AFAIK it doesn't understand commands over the SOCKS connection, isn't it?
16:48:45 <dcf1> that's correct, the program is not a pluggable transport
16:49:26 <meskio> dcf1: is that something you are willing to accept as a contribution in the current code?
16:49:30 <dcf1> you should feel free to fork it to make a PT-capable version
16:49:38 <dcf1> I don't think I want PT support in the main code
16:49:40 <anadahz> dcf1: What is needed for this to happen, is there a TODO/issue about it?
16:50:47 <meskio> ok, so I guess we should fork it in gitlab.tpo, and we'll need someone that has the time to implement it
16:51:26 <meskio> anadahz: there is point about it in the TODO list of the issue you linked
16:51:40 <meskio> but I don't know about any other issues about it
16:52:05 <dcf1> there are skeletons of PT applications at https://gitweb.torproject.org/pluggable-transports/goptlib.git/tree/examples to use as examples
16:52:41 <dcf1> anadahz: is the orbot team wanting multiple public bridges? why does there have to be more than one bridge?
16:53:07 <anadahz> dcf1: for redundancy/backup
16:53:15 <dcf1> ok
16:54:33 <anadahz> ggus  mentioned last time that we could to relay operators once we have something alpha.
16:57:01 <meskio> so if someone contributes the code to make it a PT I'm happy to review it, otherwise we'll try to add it to the anti-censorship team roadmap, but we are pretty full for the next few months
16:57:23 <anadahz> great
16:57:57 <meskio> thanks for poking back about and sorry if is moving slowly
16:58:11 <meskio> is almost one hour of meeting
16:58:12 <shelikhoo> Speaking of PT... I think PT only support per connection argument of 256 chars, is that correct?
16:58:35 <dcf1> shelikhoo: that's correct. I think it is different in PT 2.0 and 3.0.
16:59:27 <itchyonion> gotta jump to another meeting
16:59:42 <meskio> bye itchyonion
16:59:42 <shelikhoo> Yes. So it would be difficult to get an entire V2Ray configure file into it.... this is just a random thought, don't worry too much about this...
16:59:49 <shelikhoo> bye itchyonion
16:59:55 <itchyonion> bye guys
17:00:23 <meskio> shelikhoo: maybe you could pass a path to the file or split it into different pieces
17:01:07 <shelikhoo> yes, but that won't work well with tor browser. I don't think tor browser expects something like that
17:01:16 <dcf1> there is an ancient ticket: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/trac/-/issues/10671
17:02:49 <meskio> anything else for today?
17:02:57 <shelikhoo> thanks dcf1~
17:04:01 <meskio> #endmeeting