15:58:07 #startmeeting tor anti-censorship meeting
15:58:07 Meeting started Thu May 18 15:58:07 2023 UTC. The chair is onyinyang[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:07 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:16 here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:26 feel free to add what you've been working on and put items on the agenda
15:58:29 hello
15:58:39 hello! :)
16:00:04 o/
16:00:06 hi~
16:00:19 hello
16:04:44 ok, let's start the meeting
16:05:12 there are no announcements so the first discussion item is: Reported blocking of Snowflake in China since 2023-05-12
16:05:12 https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40038
16:05:35 I'll let you read the issue for details, but briefly,
16:06:13 there was reported blocking of the cdn.sstatic.net front domain in China for about 3 days last week.
16:06:34 Two different users commented on the nature of the block, which is interesting and something I don't think we have seen before.
16:07:06 Namely, you only got blocked if you accessed cdn.sstatic.net 2 or more times within about 60 seconds.
16:07:19 One user reported a threshold of 2 for blocking; the other reported a threshold of 3.
16:07:36 Follow the links to https://github.com/net4people/bbs/issues/249 and https://forum.torproject.net/t/snowflake-bridge-does-not-work-in-china-since-days-ago/7635 for more discussion.
16:08:20 It seems like it's stopped for now, but could possibly reoccur at any moment.
16:08:37 I made a list of short- and long-term mitigations at https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40038#note_2902981
16:09:24 Yesterday, I was discussing with meskio about writing a script to test domains for domain fronting in an automated way, which can be used to find additional domains for domain fronting
16:09:56 which can be useful in dealing with censorship in iran and in this case china
16:09:57 We were vaguely worried, when we added a second bridge, that the double rendezvous would be a distinguishing feature (tpo/core/tor#40578), and now it may actually have been
16:10:46 we could use different domains for each bridge
16:11:01 but it could also be a recognizable pattern
16:11:17 if it's 60 seconds, it might not just be the two bridges triggering it, but also if clients are turned away and have to re-poll the broker
16:11:22 or at least be able to switch domains when one of them gets blocked
16:11:29 Ideally this is something that would get fixed in tor, but things of this nature are being closed in favor of arti, so IMO we should not count on it ever happening.
16:12:02 yes, not sure if we can get it into tor any time soon, but I'll check with the network team about it
16:12:08 shelikhoo: apparently, for one of the users at least, the specific domain did not matter. It was 2 requests within 60 seconds with the same SNI to a Fastly IP address.
16:12:18 what would the-fix-in-tor look like?
16:12:28 So switching to a different domain would not help, if it was still doing double rendezvous with that other domain.
16:13:04 dcf1: yes, if we use different (sets?) of fronting domains it would help
16:13:13 arma2: AFAIK it will be your merge request to use a single bridge
16:13:21 use different fronting domains for different bridges
16:13:27 arma2: in this case, it would look something like tor having a feature to choose just one of the available bridge lines at a time
16:13:36 meskio: ah ha. my merge request uses only two bridges. so it will help when we add more than two snowflake servers, but not with only two.
16:13:48 meskio: we could set numentryguards 1 for snowflake users i guess, but i think we want two
16:13:55 or, alternatively, support in Tor Browser to dynamically rewrite the torrc file so there's only 1 bridge line. (I think Orbot does something like this already, so it may be easier for them.)
16:14:42 It occurred to me that we could also hack around this in snowflake-client: since we know tor is going to make multiple effectively redundant SOCKS requests,
16:14:59 do we know if it is a dns resolve of the front domain, or a tcp connect to it?
16:15:00 we wait at startup and buffer them for 2s, then choose one and only one at random
16:15:09 s/it/the blocking trigger/
16:15:12 arma2: it's a TLS SNI, I think
16:15:22 fun. ok
16:15:41 so the theory is that real browsers will make one tls connection and keep using it. so we are weird to make two in parallel.
16:16:19 https://www.speedguide.net/faq/tweak-the-maximum-concurrent-connections-in-firefox-231
16:16:19 yeah, i would expect two simultaneous connections to fastly to be common but maybe browsers are really that good at always reusing the same tls connection
16:16:26 Observing DNS queries *has* been proposed in a research paper, though: https://www.mdpi.com/2076-3417/13/1/622#sec4dot1-applsci-13-00622
16:16:50 I think for browsers, it is not uncommon to have more than one connection
16:17:14 cohosh_away: I think the opposite, browsers will open up to their limit of parallel TCP connections. Maybe it's different with HTTP/2, still though I agree that 2 connections is probably not uncommon.
16:17:20 This is maybe why it's turned off now.
16:17:47 so if 2 connections is not uncommon, are they causing collateral damage? and maybe that's why they stopped?
16:17:51 https://kb.mozillazine.org/Network.http.max-connections-per-server
16:18:06 I tried setting MaxConnsPerHost=1 in snowflake-client, and interestingly it still does a double rendezvous, but to 2 *different* IP addresses rather than the same IP address twice.
16:19:00 shelikhoo: i would expect those browser params to be for http but not https
16:19:15 is this the first inter-connection block pattern we've seen?
16:19:22 (that we know of)
16:19:37 cohosh_away: hm, yes, maybe
16:19:42 it is the first i have heard of
16:20:25 and perhaps the first stateful block pattern?
16:20:51 i guess we don't know how the potential obfs4 blocking was working
16:21:09 If it happens again, one quick mitigation I recommend trying is setting just 1 bridge in Connection Assist for cn.
16:21:19 yes, that can be easily done
16:21:46 we could modify rdsys to provide a different one each time so not everybody goes to the same bridge...
16:22:07 or we can just provide the second bridge
16:22:18 yes, that will work for now as it has less load :)
16:22:19 which has fewer users than the primary one
16:22:24 yes
16:22:31 yes, if you pick one, pick snowflake-02, which is only at about 50% capacity vs. snowflake-01 at 100%
16:23:34 thanks for bringing this up dcf1 :) should we move on to the next topic now or is there more to discuss?
16:23:41 for next time doing the change it takes me a few minutes, I just missed the issue on my long pile of tickets, feel free to poke me directly for it
16:24:04 onyinyang[m]: that's all
16:24:23 ok. The next topic is: Update on Analysis of speed deficiency of Snowflake in China, 2023 Q1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40251#note_2883879
16:24:58 There is currently an ongoing discussion about this on gitlab, please have a look
16:25:01 (thought on previous topic: i wonder if we want to ask ooni to do a triple-connect test for us or something)
16:25:16 we will discuss it in more detail next week
16:25:22 let's skip to the next topic
16:25:42 appreciate you writing and posting the design proposal shelikhoo
16:25:54 sure shelikhoo
16:26:04 the last discussion topic is: Research about designing an armored bridge line sharing URL format
16:26:04 https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/126
16:26:12 yes, I was writing a reply for your comment dcf1...
16:26:49 arma2: I think we should try to keep ooni's snowflake test as close as we can to what TB is doing
16:26:50 There is a pending design for a new armored bridge line format ready for discussion
16:27:37 let's discuss it mostly in the anti-censorship team's meeting until it is more polished, and propose it to other teams
16:28:14 meskio: right, not the snowflake test, but a separate thing. like their current https connectivity test but another one.
16:28:37 there are a lot of optional transform steps we can decide to include or not
16:29:10 and we can decide now which kind of transform step should not proceed to the next round of discussion
16:29:12 * arma2 runs off to airplane
16:29:48 bye arma2~
16:30:01 over
16:30:28 shelikhoo: ok, that seems reasonable. Does anyone have opinions about what should not proceed to the next round of discussion?
16:30:47 safe trip (I assume) arma2
16:30:49 shelikhoo: thank you for the proposal, and for bringing a lot of cool ideas on things to do
16:31:17 no problem, meskio ~ ^~^
16:31:50 I will also actually do some of them soon...
16:31:51 I have some doubts about the AONT step, I didn't even know about that construct, how common are those? I mean, will implementors easily find implementations to use in any language?
16:32:26 One can implement it with common crypto libraries, but as far as I can tell it is not common
16:32:41 I think we should aim for something easy to implement, that is straightforward
16:33:02 that is what makes me think that AONT might not be worth it, but they are cool properties...
16:33:53 do we want some other methods to make sure the encoded bridge line has more than one representation?
16:34:37 my first hunch is that this is not so important, but I'm not sure
16:35:11 let's say we can encrypt it with AES-SIV
16:36:36 in many apps censorship is implemented with simple string match
16:36:58 they could string match our method or domain name...
16:36:59 if one bridge line happens to have a particular keyword in it
16:37:05 https://twitter.com/felixonmars/status/1658115169355014147
16:37:12 oh, yes
16:37:32 okay then it is not necessary
16:37:44 we already have something to be recognized
16:37:58 let's not have an AONT step
16:38:03 what about other steps
16:38:27 do we want forward error correction? it would make things more complex
16:38:29 I think compression makes sense and obviously checksum
16:38:36 not sure about forward error correction
16:38:50 exactly, it will make it more complex
16:39:02 and being able to detect that it is not a valid bridge might be enough
16:39:40 agree, unless it's easy to implement forward error correction
16:39:43 "more than one representation" this is for the text portion of the armoured bridge?
16:40:52 I thought we are not trying to prevent the bridge line from being censored or detected by authority, so the keyword search mitigation wouldn't be of concern for this design?
16:41:24 yes, the advantage of forward error correction is that when the bridge line is corrupted, the user can still get the bridge. otherwise they might repeat the step to get the bridge (which could still be corrupted if there is an issue with tooling)
16:41:46 itchyonion: yes, I was reminded of the bridge line having a keyword in it already
16:41:54 so AONT is ditched
16:42:23 if we decide to do forward error correction it would be nice if it is optional to implement, in a sense of: "you can ignore the X last bytes and still decode the bridge correctly"
16:43:56 meskio: it will be possible to do that with systematic coding (like reed solomon), and we are doing that
16:43:59 is it practical to do both? Forward error correction for TB and an easy one for the other Tor clients that use the bridge line?
16:44:46 however, the client will still need to parse the bridgeline into chunks and read meta data
16:45:07 of each chunk to recover the original message
16:45:27 and there are already reed solomon libraries
16:45:36 shelikhoo: would it be ok to continue this discussion in #tor-anticensorship:matrix.org so we can get through the interesting links and reading group discussion seeing as there are less than 15 minutes or should we prioritize this discussion and shift the other two items?
16:46:00 yes, let's keep discussing this in the ticket
16:46:07 +1
16:46:10 ok.
16:46:10 The last discussion point on bridge churn I just entered does not need discussion, I just wanted to enter some links to references into the record
16:46:39 oh thanks dcf1 ! I will take a look at those :)
16:47:06 In the Interesting Links we have: Unofficial(?) Snowflake extension for Safari in Apple App Store?
16:47:06 https://apps.apple.com/us/app/torproject-snowflake/id1597501940
16:47:06 Previously noted at https://lists.torproject.org/pipermail/anti-censorship-team/2022-February/000222.html
16:47:32 no new updates AFAIK
16:47:39 I think we have gotten in touch with the developer and have asked them to join the meeting at some point--so we hope to hear from them at some point :)
16:47:53 yes
16:48:07 Ok, finally the reading group discussion on Lox.
16:48:24 "Lox: Protecting the Social Graph in Bridge Distribution" on 2023 May 18
16:48:24 https://cypherpunks.ca/~iang/pubs/lox-popets23.pdf
16:48:47 I read it :) Thanks onyinyang[m], it's really good.
16:49:10 yes, it's pretty good
16:49:21 Thanks dcf1 and meskio
16:49:51 As a very very brief summary, the paper outlines Lox, a new privacy-preserving, reputation-based bridge distribution system. Lox uses anonymous credentials to preserve a user's reputation while maintaining their anonymity throughout their interactions with the Lox bridge distributor.
16:50:21 I like you putting costs/benefits to the censor on a quantifiable basis in Section 2.4.1, "forces the censor to make a tradeoff between gaining trust and keeping bridges unblocked"
16:50:57 Lox takes the idea of user levels from Salmon, and uses a kind of cryptographic credential from Hyphae
16:51:24 And it also makes explicit the idea of "inheritance" (Section 2.4.2) that was implicit in Salmon
16:51:36 Yes!
16:52:07 Let me check my intuition: users are supposed to get bridges in the official way via the bridge distributor
16:52:24 but there is nothing technically to stop them sharing that bridge information out-of-band with others they know
16:52:45 the thing that prevents them from doing so is the risk to their own reputation, if the bridge gets discovered and blocked?
16:53:42 that is correct.
16:54:22 And additionally the opportunity to migrate to new bridges once bridges are blocked is meant as an incentive to use Lox
16:54:45 there are some aspects that are assumed to exist and to be plugged into the Lox system, which is what you're doing now with integration
16:55:06 like for example you need a signal when a bridge has been blocked, and to realize that somehow
16:55:40 my impression of the model in the paper is that bridge operators are trusted(?) to report their level of use, and when it goes to zero that indicates a block?
16:55:43 yes. There are many missing pieces that make the full system tricky in practice, blocking being a major sticking point.
16:55:44 that luckily exists with rdsys
16:55:54 https://gitlab.torproject.org/cohosh/rdsys-backend-api
16:56:15 I realize there are many many ways that could be done, but my question is more general:
16:56:30 or rather telling whether bridges are gone does
16:56:33 not blocked
16:56:54 is there anything like "hoarding" bridges, creating an account and keeping it idle to get good bridges, then perhaps resell them?
16:57:23 I am thinking about how markets exist around aged e.g. reddit and twitter accounts, since age is a marker of non-maliciousness
16:57:35 hmmmm that's an interesting question
16:57:51 I suppose that could happen
16:58:02 Maybe it's not actually a concern, i.e., if people are selling their bridge addresses, who cares, as long as they are doing so responsibly and not getting them blocked?
16:58:18 (I have already discussed the anti-replay window and new-bridge-should-be-considered-most-valuable concern in the in-person meet up)
16:58:45 but AFAIK an old lox account only gives you more invites, that will inherit what you do
16:58:45 I think for a censor, they can also keep an unlimited number of accounts and wait for them to mature
16:58:52 so for a censor it is not so great
16:59:06 until 3 bridges are assigned to it
16:59:45 oh I guess the meeting time is actually over
16:59:47 yes, but in that case there is the tradeoff involved, the censor has to keep the bridge unblocked in order to mature the account
16:59:56 I can end the meeting and we can keep discussing here?
17:00:04 I'm just thinking of actors with motivations other than censorship. It's a little off the wall, I admit.
17:00:07 or in #tor-anticensorship:matrix.org
17:00:34 onyinyang[m]: i think it's ok to keep the meeting going
17:00:45 reselling the account is actually the same as reselling the bridge line
17:00:49 ok :) let's keep going for a few more minutes and reassess
17:01:09 since once the account is matured, it does not give you any additional bridges
17:01:20 until one of them is blocked
17:01:56 I just had a couple more questions.
17:02:00 " you need a signal when a bridge has been blocked, and to realize that somehow" -> just to follow up on this, i think it's one of the hardest parts
17:02:09 we had some discussion during the meeting about it
17:02:22 and the idea we landed on was to do a limited trial focused on one region
17:02:38 What happens if there is a catastrophic loss of the database of spent IDs? (Section 4.2.1) Does that mean rebooting the system with new well-known distributor keys?
17:02:41 and deploy a bridge tester there to get some kind of ground truth
17:03:09 cohosh_away: I see, thanks. In different deployment models it might be different
17:03:32 what do you mean by different deployment models?
17:03:36 like I'm thinking this could be really useful for VPNs, who besides having a lot more nodes than Tor does bridges, also own+trust their own nodes
17:03:39 dcf1: I think it's an interesting point. It could be abused, even in a really off the wall scenario, by censors to sell "good" connections to select people for exorbitant amounts as a "VPN" or something. . .
17:03:49 so bridge self-reporting of blockage would be sufficient for them.
17:04:07 ah yeah, i was curious about self-reporting
17:04:21 and whether it's possible to maliciously report blockages
17:05:23 Second, I know it's early stages, but Lox could be really big if the required legwork is done to get it to the attention of VPNs or other possibly interested parties
17:05:52 I'm thinking of refraction networking and how that team put in a ton of effort building relationships with ISPs, etc., and it has paid off
17:06:07 in the form of Conjure integration in Psiphon
17:06:24 what I'm saying is, don't be afraid to dream big, if that kind of thing interests you
17:06:24 dcf1: in the case of catastrophic loss of spent IDs, by well-known do you mean rotated and publicly committed to?
17:07:14 onyinyang[m]: Um, I'm not sure. I'm talking about the "Φ is revealed so the LA can add it to its database of spent IDs"
17:07:43 That database needs to persist forever, otherwise some kind of replay is possible, I presume? Sorry I don't have all the details paged in just now.
17:08:03 i have discussed the idea of an anti-replay window for the spent id
17:08:29 so no token is valid forever, and they have to be refreshed in a given time period
17:08:49 so we don't keep a log of all consumed spent ids
17:08:51 If someone does a DROP TABLE on it, does that mean rebooting the system? Or is some less drastic recovery possible?
17:09:05 I guess shelikhoo has proposed an alternative.
17:09:13 dcf1: yes, the database has to persist forever is the right idea, but we can also rotate the keys at some point so that doesn't need to happen
17:09:20 shelikhoo: yeah i really like your idea there
17:09:45 my version doesn't prevent the drop-the-table incident, just don't need to data we need to keep forever
17:10:03 dcf1: also thanks for the vote of confidence re: dreaming big :)
17:10:12 my version doesn't prevent the drop-the-table incident, it just doesn't need to keep data forever
17:11:00 My last note may not make sense, I was wondering if there's a way to bind Lox credentials with bridge access, like
17:11:27 this is also why a lot of proxy protocols need correct system time, this is used to avoid the need to keep used nonces forever for anti-replay
17:11:38 probe-resistant proxies incorporate some kind of shared secret (e.g. shadowsocks, obfs4) so that the IP address and port are not sufficient information to use the proxy,
17:11:51 shadowsocks doesn't have this, and basically replay is unpreventable
17:12:15 is there a way that the proxy itself, separately from the LA, could somehow use the credentials to ensure that access was granted through an official channel?
17:12:23 hmmmmmmm
17:12:32 another interesting question
17:12:35 dcf1: ooo cool
17:12:44 shelikhoo: shadowsocks does have a little bit, in the form of the password. it's not cryptographically very sound, but that's what the password is supposed to try to be doing.
17:12:58 and that token can also be copied
17:13:18 thinking about it for just the time since you posed the question, that would be very cool dcf1
17:13:35 dcf1: I was replying to the issue about spent id, not auth
17:13:37 hmm okay, I'm glad it was a meaningful question :)
17:13:48 shelikhoo: ok
17:14:11 i think it is not possible to restrict a client from sharing the bridge access, unless
17:14:26 we include the client ip address in the credential
17:14:43 so as soon as the client changes ip address, a new credential is needed
17:14:59 shelikhoo: well, maybe it's possible that there is no way to share access to a single bridge you know, without also effectively sharing access to your entire account, and putting all the bridges you know at risk.
17:15:31 Or something like that, I am not fluent enough with this crypto.
17:15:46 hmm, what threat specifically would this prevent?
17:15:58 yes, anyway this would need to change the proxy to include an authentication system
17:16:02 because someone could still just publish ip addresses to be blocked
17:16:17 and you don't need a secret to block an ip, just to confirm it's a tor bridge
17:16:40 which maybe makes the case for it because you don't want collateral damage with fake bridge addresses
17:17:05 Yes I admit my thoughts on this are not too clear
17:17:34 i guess it could enforce assumptions on who has access to the bridge
17:17:39 for tor's use case it is not necessary to authenticate clients to a specific user to prevent sharing
17:18:08 since there is no billing
17:18:22 i'd be more interested in it for this use-case:
17:18:46 My thoughts were more in the direction of some password or credential authenticated PT to go along with the bridge. This would probably have to be a brand new PT though so it's not a small problem afaict.
17:19:05 I'm not sure if this is the direction in which you were thinking dcf1
17:19:10 it can be added to webtunnel
17:19:18 the bridge collects metrics on its own use so that we could use those usage metrics to determine a) whether that bridge is in use by lox users or if it's idle, and b) whether it has been blocked (judged by a single user dropping out suddenly)
17:19:22 that's what I mean, I know existing bridge protocols do not work that way, I'm just wondering if there are any advantages to bridges that are Lox-aware and integrated
17:19:35 but I doubt this would be necessary
17:20:06 since blocking only requires the network address part
17:20:20 Like, here's a strawman idea
17:20:20 like we have existing usage metrics, but these bridges probably aren't getting enough usage for them to be reliable determinators of blocking events
17:20:51 suppose the bridge auth uses one-time tokens, there are millions of valid tokens but each one can only be used once
17:21:16 the LA knows the valid tokens for each bridge, but to get one you have to talk to the LA and prove your credential
17:21:38 the bridge would enforce the one-timeness of the access tokens
17:22:13 in a situation such as this, it would be impossible to just email the bridge access information to someone else, without giving them all your credentials needed to access the LA
17:23:03 there may be more efficient ways to do this that don't require a round-trip to the LA for every access to the bridge, but making the bridge protocol aware of Lox credentials or some kind of derived information
17:24:11 But let's not get off track, the questions I'm asking may not be well-formed
17:25:09 We considered changes to the bridge operators as being an additional way to improve the current situation, something similar-ish to what you're describing but with the bridge operators providing tokens to users to prove that they are actually using the bridges (it was also not very well formed)
17:25:36 is there anything specific objective wish be achieved with this?
17:25:56 is there any specific objective we wish to achieve with this?
17:25:59 no, shelikhoo
17:26:00 we didn't go this route because we didn't want to have to require bridge operators to update/run an entirely new bridge in order to have some kind of working system
17:26:24 I understand this is very attractive for commercial VPN providers
17:26:35 but it doesn't mean that the system couldn't be improved with something like this.
17:26:42 as this prevents trivial sharing
17:27:08 onyinyang[m]: yeah that's the use-case i find interesting (some interaction with credentials to determine bridge usage and/or blocking events)
17:27:15 although in reality I doubt the user will be afraid to just share the lox account
17:27:26 We wanted to see if we could tie reputation to actual bridge use, which would be more likely to correspond with a genuine user than a censor, we thought.
17:27:27 since it is something you can just get another of
17:27:51 it sounds like that's something that could be achieved in a similar way to dcf1's idea
17:27:54 oh, yes... determine if the user is actually using the bridge
17:28:42 cohosh_away: yes, I think so
17:28:57 then it could be an optional hint sent to the bridge, which the bridge may submit to the LA to indicate the bridge is being used
17:29:00 i gotta head out~ thanks onyinyang[m] for the awesome paper, and i'm excited for this integration with tor :D
17:29:09 ok well, we are now 30 minutes over meeting time 😅
17:29:44 although by design, the bridge might not be able to associate this back to the lox account
17:29:53 so we should probably end the meeting, but happy to discuss this in more detail anytime! Feel free to send me a message about it if you're interested in discussing further :)
17:29:59 see you cohosh_away...
17:30:59 yes, I think we can discuss this in an issue or another channel
17:31:03 shelikhoo: right, and I'm not sure we'd want the association to the Lox account tbh. _A_ Lox account is one thing, but _The_ Lox account definitely has anonymity problems :)
17:31:11 Anyway, let's end it here
17:31:19 #endmeeting tor anti-censorship meeting