#tor-meeting log

15:58:33 <itchyonion> #startmeeting tor anti-censorship meeting
15:58:33 <MeetBot> Meeting started Thu Nov 17 15:58:33 2022 UTC.  The chair is itchyonion. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:33 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:37 <shelikhoo> hi~
15:58:44 <itchyonion> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:44 <itchyonion> feel free to add what you've been working on and put items on the agenda
15:58:45 <itchyonion> hello
15:58:52 <meskio> hello
15:59:27 <itchyonion> Looks like everyone's already updated their work items
15:59:50 <itchyonion> First topic in discussion:  security policy https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
16:00:03 <meskio> I added that one
16:00:32 <meskio> there is some work being done to have a security policy for the whole organization
16:00:50 <meskio> like not the network team has this wiki page
16:01:07 <meskio> and the TROVE numbers to register incidents
16:01:20 <meskio> the idea is to extend it so it works for other teams as well
16:01:31 <cohosh> hi
16:01:33 <meskio> I think it will be pretty useful for anti-censorship
16:01:46 <meskio> we have recently handled several security incidents with obfs4
16:02:26 <shelikhoo> I think we should add one of our key and contact info to the contact page
16:02:28 <meskio> we'll need to review the policy from the network team, and see if we have proposals of changes to do to addapt it to our own needs
16:02:38 <meskio> like how does deofuscation bugs fit there?
16:03:27 <meskio> shelikhoo: yes, the plan is to change that, and have one single contact for all security incidents
16:03:43 <meskio> and that contact to be a list (or an alias) where we have people from all the teams that need to be there
16:03:52 <meskio> so, someone from ACT will be there
16:04:00 <meskio> but this is still in early stages
16:04:45 <meskio> so, if you want to have a look to the policy I'm happy to hear other comments, and I'll try to draft up changes for our needs and pass them around to review
16:05:26 <shelikhoo> there are more than one kind of software identification(deofuscation) vulnerability, like what if the CDN can see the bridgelines in plaintext, or when a network gateway can identify the anti-censorship tool
16:06:03 <shelikhoo> do we wants to have a lot of deofuscation categories
16:06:19 <shelikhoo> or a big one, plus a lot of smaller ones
16:06:23 <meskio> yes, I guess this is one of the hard questions
16:06:28 <shelikhoo> with different severity
16:06:41 <meskio> in the current policy they have different severity levels, will be nice to have an idea how they map to us
16:07:04 <meskio> but we don't need to have a full list of all the cases, obviously it will be a moving document that we can keep updating
16:08:20 <shelikhoo> Yes... I have no other comments...
16:08:23 <itchyonion> yea. the section title reads "What should I do if I find a security flaw in something Tor makes".  I wonder if something like a malicious relay count?
16:09:02 <meskio> itchyonion: maybe, I guess this is something the network health team will have to think about
16:09:49 <meskio> I just wanted everybody to know that this is happening and obvously I happy to hear feedback on it, nothing more from my side
16:10:50 <itchyonion> yes. So the actions from the discussion is: please read and review the doc, propose changes to include our needs if necessary?
16:11:04 <meskio> +1
16:11:24 <itchyonion> ok. Anything more on this topic?
16:11:28 <meskio> I can create an issue on our team repo for it
16:11:30 <meskio> EOF
16:11:55 <itchyonion> Next one:      domain fronting deprecation in azure https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/33#note_2853813
16:12:08 <shelikhoo> It finally arrives...
16:12:22 <meskio> yes, we have heard for years that azure will block domain fronting
16:12:37 <meskio> we got an email saying that there is a date for it: Nov 8 2023
16:12:46 <meskio> so we have a bit less than a year to do something about it
16:13:04 <meskio> we use azure domain fronting for meek
16:13:11 <meskio> but not for moat or snowflake
16:13:23 <meskio> (except for turkmenistan)
16:13:46 <meskio> I have some hopes that with all the improvements we are having on snowflake
16:13:56 <meskio> and with conjure and webtunnel on the working
16:14:07 <meskio> we will be able to deprecate meek by that time
16:14:29 <ggus> idk how useful is snowflake+meek in TM is at the moment: https://metrics.torproject.org/userstats-bridge-combined.html?start=2022-10-31&end=2022-11-17&country=tm
16:14:59 <cohosh> iirc in tm, there was a popular isp that was still not working with the domain front
16:15:09 <cohosh> and we think it's because of the STUN blocking
16:15:23 <cohosh> *with the azure domain front even
16:15:44 <meskio> ggus: doesn't look like it has much use :(
16:15:57 <cohosh> oof yeah that looks like 0
16:16:13 <meskio> so, our TM-azure fix didn't fix much
16:17:22 <shelikhoo> yes...
16:17:44 <itchyonion> so, do we have some immediate action items from this?
16:17:50 <meskio> unless someone has a better proposal I will reopen this conversation 6 months before azure starts blocking it, and we'll see if we need to find an alternative for meek or we can deprecate it
16:18:03 <meskio> (I had set a deadline in the issue for that)
16:18:27 <itchyonion> sounds good
16:18:28 <shelikhoo> I think we can try to find out who is still using meek, and why other method is still not working for them
16:18:54 <meskio> AFAIK meek is being used as last resort in many places
16:19:03 <meskio> is slow, but sometimes the only thing that works
16:19:27 <meskio> but conjure might fit that niche
16:19:41 <ggus> yep, it was useful in TM, for example
16:20:33 <meskio> mmm, conjure might not fit the TM niche, now that I think about it :(
16:21:13 <shelikhoo> TM's censor block ip blocks, if I recall correctly
16:21:38 <shelikhoo> so for conjure, that means the isp it run on it soon be inaccessible
16:22:16 <meskio> yes
16:22:49 <meskio> we can always decide to move meek to fastly, but we are putting all our apples in the same basket...
16:22:59 <meskio> (do that work in english?)
16:23:13 <itchyonion> i think it's eggs?
16:23:19 <meskio> :D
16:23:24 <itchyonion> lol
16:23:25 <ggus> i remember some obfs4 bridges running at universities that were working in TM
16:23:37 <shelikhoo> yes, in that way we are depending on fastly too much
16:24:22 <meskio> hopefully in snowflake we'll be using more and more other things besides domain fronting...
16:25:11 <itchyonion> Anything more on this topic?
16:25:27 <meskio> not from me, we'll talk more in some months
16:25:35 <shelikhoo> AMP is also something google can shutdown....
16:25:41 <shelikhoo> so..,
16:25:53 <meskio> yes :(
16:25:57 <shelikhoo> maybe we wants to look for something new...
16:26:01 <shelikhoo> EOF from me
16:26:22 <itchyonion> ok. Next topic in Interesting links:     https://news.ycombinator.com/item?id=33573477
16:26:22 <itchyonion> "It's been many years, and I am still angry and disappointed by Cloudflare's decision to block domain fronting and drop Lantern as a customer..."
16:26:50 <meskio> this is the hacker news post about the domain fronting being blocked in azure
16:27:09 <itchyonion> oh i see
16:27:13 <dcf1> it's just some interesting context on events that happened in 2015: https://news.ycombinator.com/item?id=9234367
16:27:43 <itchyonion> ok. Let's move on to the next one: WA-tunnel https://github.com/aleixrodriala/wa-tunnel
16:27:52 <meskio> yes, is a pity we can not do domain fronting in cloudflare :(
16:28:06 <meskio> about the wa-tunnel, I found it around, people moving data over whatsapp
16:28:22 <meskio> the idea is not for censorship circumvention, but to don't pay for mobile data
16:28:31 <meskio> (some countries have free traffic for whatsapp)
16:29:05 <meskio> I find it curious, maybe another alternative to domain fronting ;P
16:29:07 <meskio> ?
16:29:29 <ggus> meskio: we can check on OONI how whatsapp is blocked in some target regions
16:29:47 <shelikhoo> it is blocked in china BTW
16:30:19 <meskio> yes, I think it is blocked in many places, I was mostly joking, but I like how people get creative with those things
16:30:20 <ggus> https://explorer.ooni.org/chart/mat?test_name=whatsapp&since=2022-10-18&until=2022-11-18&axis_x=measurement_start_day&axis_y=probe_cc
16:31:09 <meskio> iran and china seem to block it
16:31:45 <meskio> but not kazakhastan :)
16:31:59 <meskio> ahh, wait I'm mixing it with TM
16:32:00 <ggus> tajikistan, yemen... probably places where people are using tor to use whatsapp and not the opposite :P
16:32:21 <meskio> TM is also blcoked
16:35:01 <meskio> nothing more from me on this topic
16:35:13 <shelikhoo> I don't think it would worth the cost of us actually shipping in tor browser, since the user will need to have a secondary mobile phone number...
16:35:45 <shelikhoo> and it is using nodejs
16:35:55 <dcf1> there have been many similar proposal and prototypes for tunneling over messaging systems, e.g. Facebook messenger, other zero-rated or even not zero-rated services
16:36:08 <shelikhoo> and don't work in china, iran...
16:36:14 <dcf1> it's pretty easy to make something like that work with a turbo tunnel design
16:36:55 <dcf1> because the reliability protocol does all the hard parts; you just need to define a way to encode packets into text messages (or whatever the service supports)
16:37:50 <dcf1> even easier than something like dnstt or meek, actually, because you don't have to poll: the other side can just send you a message whenever
16:38:16 <itchyonion> i think people used to do this with ssh tunnelling in China, but then GFW blocked it
16:38:46 <shelikhoo> this does remind us that we could use something like this with mqtt or other iot protocol
16:39:44 <shelikhoo> which would be easier for us to implement without external dependency
16:40:00 <shelikhoo> and blocking it would brick a lot of "smart" device
16:42:02 <shelikhoo> EOF for me
16:42:04 <itchyonion> hmm do these IOT protocol usually send a lot of data overseas? I think that's how they identify and block suspicious SSH traffic
16:42:46 <shelikhoo> we can use it as a control channel to supplement domain fronting
16:43:13 <itchyonion> i see
16:43:30 <itchyonion> I think that's the last topic we have. Just a reminder:  We will discuss "Measuring DoT/DoH Blocking Using OONI Probe: a Preliminary Study" on Dec 1
16:43:51 <itchyonion> if nothing else, I will end the meeting
16:44:04 <itchyonion> #endmeeting