#tor-meeting log

15:59:37 <shelikhoo> #startmeeting tor anti-censorship meeting
15:59:37 <shelikhoo> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:37 <shelikhoo> feel free to add what you've been working on and put items on the agenda
15:59:37 <MeetBot> Meeting started Thu Jun 16 15:59:37 2022 UTC.  The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:59:37 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:54 <shelikhoo> hi~
16:04:11 <dcf1> shelikhoo: do you need any assistance or information for the distributed snowflake bridge merge?
16:05:50 <shelikhoo> dcf1: I don't think i will need any. there is a last minute amendment to add a $ sign at end of allowed domain name pattern, I am not sure if it needs an additional review before merge
16:05:56 <shelikhoo> otherwise it is all good
16:05:59 <shelikhoo> and ready to merge
16:06:59 <shelikhoo> in fact I originally intent to merge it just after cohosh approve my amendment after approval
16:07:01 <dcf1> if you don't hear any objections, I would go ahead and merge
16:07:08 <shelikhoo> yes
16:07:26 <shelikhoo> I think I could merge it
16:07:29 <arma2> (reminds me of how folks found websites like 'doctorproject.org' filtered in china :)
16:07:37 <arma2> (also hi, i am around if you need anything from me)
16:07:58 <dcf1> shelikhoo: and deploying the new code to the broker, do you feel confident about that?
16:08:50 <shelikhoo> It should be fine, but I would prefer a full crew day to do that
16:09:10 <dcf1> yes, sounds good
16:09:18 <shelikhoo> I can write the amended config file first
16:09:24 <shelikhoo> before run the deployment
16:09:38 <shelikhoo> since this time, the config need to change
16:09:53 <dcf1> If I understand correctly, the next step is to then deploy multi-bridge capable proxies?
16:10:17 <shelikhoo> yes, we need to contact users to update their snowflake proxy
16:10:19 <dcf1> And once the proxies exist, then anyone can start using the snowflake-02 bridge instead of snowflake-01 by editing their torrc?
16:10:52 <shelikhoo> yes, once the proxies exist, and we reject outdated proxies
16:11:03 <shelikhoo> everyone can connect to snowflake 2
16:11:22 <shelikhoo> by update snowflake-client and edit torrc
16:11:55 <shelikhoo> we have metrics to monitor how many proxies have updated
16:12:04 <dcf1> snowflake-01 is still within its capacity, but it is good to get the second bridge starting to go. thanks for your work on this.
16:12:24 <shelikhoo> so that we don't shoot ourself in the foot in rejecting old proxies
16:12:52 <shelikhoo> yes! thanks! you are welcome, and thank for your contribution to this task as well!
16:12:52 <dcf1> snowflake-01 has started to peak at over 1 Gbps during periods of highest usage, but that's still okay since ln5 upgraded it to a 10 Gbps link.
16:13:50 <arma2> neat
16:15:02 <shelikhoo> I intent to deploy both distributed snowflake and snowflake proxy ip change rate measurement in one go
16:15:06 <shelikhoo> it is more risky
16:15:21 <shelikhoo> but the downtime will be decreased
16:16:09 <dcf1> that sounds okay
16:17:39 <arma2> does that mean we solved the ticket where the broker couldn't figure out which version the proxy is running? (i am hunting for the ticket but haven't found it yet)
16:17:52 <shelikhoo> yes. let's see how it goes. I will create a ticket to describe this deployment, since this is a major functional update
16:18:35 <shelikhoo> that is the end of announcement for Distributed Snowflake, IP Change Rate Measurement is ready for merge src Shell
16:19:04 <shelikhoo> arma2: no, we still don't have a way to find out that yet
16:19:55 <dcf1> Okay my discussion point is about DTLS fingerprinting in Russia
16:20:05 <shelikhoo> however, for this time, we will have a metrics for whether the proxy have updated to a version with distributed snowflake support or not
16:20:15 <shelikhoo> yes
16:20:27 <shelikhoo> right now, according to the vantage point we have
16:20:49 <shelikhoo> snowflake is working in our vantage point in russia
16:20:55 <dcf1> The summary is that UDP packets matching the pattern `^\x16\xfe[\xfd\xff].{X}\x00\x1d\x00\x17\x00\x18` are getting blocked, where X is a small number of distinct offsets
16:21:45 <dcf1> My understanding is that snowflake only works in some configurations of pion/browser and client/server. Sorry, let me check my notes quick.
16:22:56 <dcf1> The concise way of saying it is: snowflake fails to connect if either side uses a Pion client.
16:23:05 <dcf1> Pion peer acts as TLS server -> ok
16:23:11 <dcf1> *DTLS
16:23:17 <dcf1> Browser peer acts as DTLS client -> ok
16:23:29 <dcf1> Pion peer acts as DTLS client -> not ok
16:23:53 <dcf1> Pion peer could be snowflake-client, or could be proxy-go.
16:24:21 <dcf1> The choice of whether a user's snowflake-client acts as a DTLS client or server may depend on their NAT
16:24:32 <dcf1> So the blocking rule may affect some NAT types more than others
16:25:15 <dcf1> Another way of stating the above rule is: snowflake only works if using a browser proxy (not a proxy-go proxy), and only if snowflake-client takes the DTLS server role in the connection
16:26:02 <dcf1> ValdikSS has a pull request with pion https://github.com/pion/dtls/pull/474 to change up the supported_groups extension that is part of the matching rule
16:26:23 <dcf1> I'm not so sure about this idea, because it may make the snowflake fingerprint even more distinctive
16:26:50 <arma2> shelikhoo: sounds like we might want to split the vantage point test into several tests, where we try various types of snowflake proxies
16:27:19 <dcf1> One thought I had was to insert a padding or other no-op extension to adjust the offsets. that would create a new fingerprint too, but is probably less work to implement and more agile
16:28:25 <dcf1> There is perhaps no need for urgent action on this, but I am wondering if there is some class of users for whom snowflake is completely blocked. maybe, maybe not
16:28:31 <shelikhoo> dcf1: yes, and we would need a world wide deployment of this for the snowflake proxy
16:28:44 <dcf1> shelikhoo: no, not necessarily.
16:29:47 <dcf1> If we patch snowflake-client, that takes care of one end of the connection. If the blocking rule was "Pion client", and it happened that all of a certain class of users were *always* clients, then altering the Pion fingerprint on the client side alone could be sufficient
16:30:46 <dcf1> One way forward would be to (temporarily) fork pion/dtls in the Tor Browser alpha. Then we could ask users to try the alpha release. Or even a one-off special build of the browser like we sometimes do.
16:31:17 <shelikhoo> arma2: I think right now we don't have a way to specify whether a WebRTC peer is a client or server
16:31:32 <shelikhoo> but I can look into this
16:31:57 <shelikhoo> dcf1: Yes. we can try to create a version of snowflake-client with the patch applied
16:32:00 <dcf1> https://gitweb.torproject.org/builders/tor-browser-build.git/commit/?id=7ffd69a21b8a408a2be9cfdbe7401e1a7f974310
16:32:04 <shelikhoo> and see how it works
16:32:12 <dcf1> ^ example of when we temporarily forked pion/dtls before
16:33:47 <dcf1> https://archive.org/details/@torproject
16:33:53 <dcf1> https://archive.org/details/snowflake-ru_snowflake_fix-20211208-ae7cc478fd34
16:33:58 <dcf1> https://archive.org/details/tor-browser-snowflake-ampcache-10.5.3
16:34:09 <dcf1> ^ examples of one-off Tor Browser builds made for testing
16:35:29 <dcf1> That is all from me on this topic, I just wanted to refresh awareness of it
16:35:32 <shelikhoo> I will create a ticket for creating an specialized version of snowflake with this patch applied
16:35:44 <shelikhoo> is there such a ticket already?
16:36:15 <dcf1> not that I'm aware, there is only https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030 for the general observation of blocking
16:37:22 <shelikhoo> No, I think I can create one. It should give this issue more visibility
16:39:28 <shelikhoo> anything more on this topic?
16:39:45 <dcf1> that's all from me
16:39:45 <shelikhoo> we will have a reading group next week:
16:39:59 <shelikhoo> Even Censors Have a Backup: Examining China's Double HTTPS Censorship Middleboxes
16:40:27 <shelikhoo> anything more we want to discuss in this meeting?
16:42:29 <shelikhoo> okay, I think this the end of this meeting. thanks everyone!
16:42:29 <shelikhoo> #endmeeting