15:57:28 #startmeeting tor anti-censorship meeting
15:57:28 here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
15:57:28 feel free to add what you've been working on and put items on the agenda
15:57:28 the read-write link for meeting pad can be requested via direct message
15:57:28 Meeting started Thu Jan 18 15:57:28 2024 UTC. The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:57:28 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:06 hi~hi~
15:59:10 hi
15:59:16 thanks for the hi
15:59:23 I was double checking the time...
16:00:30 it takes 6 months to get used to the time change and then there's another time change :)
16:01:59 X~X Yes... and I almost have to check the calendar once in a while to confirm if there is any pending meeting
16:03:06 I think the DTLS anti-fingerprinting library was discussed last time. any updates we would like to discuss? (if not I will remove it for now)
16:03:26 nothing more from me
16:03:43 This is theodorsm's update on the issue:
16:03:45 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40014#note_2983785
16:06:00 I think China doesn't have DST and I think my life was perfectly fine without it
16:06:23 i think my life would be perfectly fine without clocks tbh
16:06:53 maybe just all use UTC and change the ordnance time instead...
16:07:01 hahahaha
16:07:34 ^ordnance^time schedule
16:08:07 okay, after reading the update of DTLS imitation, let's begin the first topic
16:08:19 SQS rendezvous deployment
16:08:19 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/214
16:08:52 I think this topic is from cohosh
16:09:04 i'm planning to review the most recent changes, but wanted to bring it up to discuss deployment because it's close to getting merged
16:09:10 would cohosh like to have an introduction?
16:09:26 are there any concerns with deploying this at the broker?
16:09:52 in terms of rollout, i was thinking we could do something similar to the AMP cache rendezvous addition and just advertise it on the forum and the bbs
16:10:13 I have not reviewed it yet, I think the only thing that might need a look is whether the attacker can flood the service to create a significant bill
16:10:27 and talk to ggus about testing where it is blocked
16:11:18 shelikhoo: yes, that's a concern for me too. i think i can set a billing limit on the policy perhaps but i'm not super familiar with aws
16:11:45 i have "looking into that" on my todo list before it's deployed
16:11:50 if I recall correctly, it is hard/impossible to set a limit on the bill
16:11:59 it is only possible to set an alert
16:12:08 hmm okay that's good to know
16:12:22 but please do have a look at the documentation
16:12:26 I remember with meek, at the time, there pointedly was no billing limit option, and the best I could find to do was set multiple alerts at $200 intervals and hope I was watching email if an attack happened.
16:12:30 this is just from my memory
16:12:45 we might be able to add a limit at the broker if this becomes an issue
16:13:20 One thing I did then was put a prepaid gift card with limited funds on the account, not sure if that would stop you from getting charged for overages really though
16:13:38 https://news.sophos.com/en-us/2015/03/20/greatfire-org-faces-daily-30000-bill-from-ddos-attack/
16:13:49 oh the prepaid card is a good idea
16:13:54 just a link for anyone who wants to learn more about this kind of attack
16:15:39 anyway that's one thing we should have a look at, but hopefully it will not become an issue any time soon
16:16:13 anything else we should consider before deployment?
16:16:38 nothing more from me
16:17:09 okay we can move on to the next topic
16:17:17 Our docker containers are out of date for snowflake and obfs4
16:17:17 Aside, it would be really nice if rendezvous methods could be separate processes and not have to be built into the main broker executable (i.e. https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26092)
16:17:24 But that's a separate issue.
16:18:57 dcf1: yeah good point, i had completely forgotten about that merge request and it was almost done
16:20:06 yes, maybe in the future the rendezvous methods can just act as an http proxy
16:20:30 to relay arbitrary reasonable messages between broker and client/proxy
16:20:57 that is something we could do in the maybe 'planned' signaling library
16:21:04 yes, my dream is that each rendezvous method is separately restartable on the broker: `systemctl restart snowflake-broker-sqs`
16:21:38 but when this 'plan' will come true is beyond my knowledge
16:21:43 The broker itself should just be a local process with no external listeners, even the HTTP interface IMO should be a module
16:22:16 or we can keep HTTP as an IPC interface standard?
16:22:45 but TLS encryption can be handled by another process
16:23:24 otherwise I don't know a better way to communicate all the broker's messages
16:23:26 registration messages should be encrypted and authenticated separately from TLS, but that is yet another issue
16:23:46 we did a lot of work deliberately to decouple the rendezvous message format from HTTP
16:23:59 (it used to be highly tied to HTTP, used HTTP header fields and HTTP response codes)
16:24:44 yes... the IPC method doesn't have to be HTTP
16:24:59 the IPC spec doesn't have to be HTTP
16:25:25 we can have a more detailed discussion when the time has come to work on this
16:25:59 right now it feels too remote for me...
the situation may change by the time we actually work on this
16:26:25 "...yet another issue" https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/22945
16:26:53 Yes I agree it's not something to assign to the SQS contributors
16:27:42 agreed, so to summarize, i'll look into expensive DoS precautions and we'll proceed with deploying this feature
16:27:58 yes! nothing to add from me
16:28:04 *precautions against expensive DoS attacks, that is
16:29:21 the next topic is "Our docker containers are out of date for snowflake and obfs4"
16:29:35 yes, ggus alerted us yesterday that the obfs container ships with a version of tor that will be EOL soon
16:29:53 i suspect our snowflake proxy container has also not been updated since the most recent release
16:31:45 i have a lot on my plate with the lox integration and was hoping someone else would pick up the task of updating them
16:32:37 okay, then I can update them
16:32:58 thank you!
16:33:28 no problem!
16:33:34 that's it from me
16:34:06 shelikhoo I have started the review of snowflake!219, thanks for your patience
16:34:07 Uhm, which one of [tpo/anti-censorship/pluggable-transports/snowflake, tpo/web/snowflake] did you mean?
16:34:19 tpo/anti-censorship/pluggable-transports/snowflake!219
16:34:40 oh wow zwiebelbot text adventure game
16:34:46 :D
16:36:35 yes, don't worry it is a large change indeed, and the last 'deadline' was last Dec 31. So it no longer has a deadline now
16:36:54 please take your time
16:37:37 I think that's it for the docker image update topic
16:38:08 Anything we would like to discuss in this meeting?
16:38:16 Anything more we would like to discuss in this meeting?
16:38:21 nothing else from me
16:39:37 nothing from me
16:39:50 #endmeeting