15:59:27 <meskio> #startmeeting tor anti-censorship meeting 15:59:27 <MeetBot> Meeting started Thu Dec 16 15:59:27 2021 UTC. The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:59:27 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:59:33 <meskio> hello everybody! 15:59:38 <shelikhoo> Hi~ 15:59:40 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep 15:59:52 <meskio> feel free to add what you've been working on and put items on the agenda 16:01:14 <meskio> there is not much in the agenda 16:01:41 <meskio> I kept the point about the status in russia from last week 16:01:54 <anadahz> o/ 16:02:02 <ggus> o/ 16:02:26 <meskio> Bridgedb now is only distributing working bridges over moat in russia (for now) 16:02:55 <meskio> and the telegram bot had needed to rotate bridges as the ones distributed to fresh accounts well all blocked except one 16:03:12 <meskio> this is all I know from my side, anything else? or something to discuss about it? 16:04:01 <meskio> someone has asked if meek-azure does work now 16:04:03 <ggus> hackerncoder mirror is going to be blocked soon in russia, so we will need new mirrors 16:04:10 <meskio> I have read soemthing about it, but I don't know 16:04:29 <meskio> ggus: is that a mirror of torproject.org? 16:04:37 <anadahz> The blocking still occurs via IP blocking? 16:04:46 <dcf1> The snowflake bridge approx. doubled its number of clients in the 2 days since 11.5a1 was released https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F 16:04:50 <ggus> yes, all *.torproject.org 16:04:57 <dcf1> I take that as an indication the DTLS fingerprint change is working, for now 16:05:17 <meskio> dcf1: nice \o/ 16:05:21 <dcf1> We might need to talk about upscaling the bridge at some point, as its load is increasing 16:05:33 <meskio> anadahz: I have no idea, I didn't investigate, maybe shelikhoo knows more 16:06:09 <dcf1> https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/47#note_2766608 16:06:46 <shelikhoo> I didn't investigate this, but according to tor-dev chat, meek-azure is partially working if returned IP is not blocked. 16:07:02 <shelikhoo> Azure change IP address assigned to the blocked site from time to time 16:07:10 <dcf1> https://ntc.party/t/ooni-reports-of-tor-blocking-in-certain-isps-since-2021-12-01/1477/79 "meek-azure works fine. They’ve unblocked ajax.aspnetcdn.com." 16:07:11 <ggus> more updates: the new default bridge 'deusexmachina' was blocked this week. i've asked the operator to rotate the ip address, but i didn't hear from them yet. 16:07:29 <dcf1> Yeah I'm not sure if it was unblocked, or whether Microsoft changed the IP address of the domain. 16:07:36 <shelikhoo> but censorship device's deny list did not update 16:09:20 <anadahz> Is also Tor IPv6 traffic blocked? 16:09:35 <shelikhoo> Anyway, the current way of meek's domain fronting seems to have insufficient colloidal damage 16:09:56 <shelikhoo> for determined adversary that is willing to take some loss 16:10:04 <meskio> anadahz: I read some reports in ntc.party that IPv6 default bridges worked, but I haven't tested it 16:10:31 <shelikhoo> In China, that IPv6 bridge is partially blocked 16:10:44 <ggus> meskio: i could bootstrap ipv4 and ipv6 vanilla tor bridges in russia 16:11:34 <anadahz> shelikhoo: "that bridge" you mention [2a01:4ff:f0:214d::1]:55882 ? 16:12:21 <dcf1> ggus: how is it known that a specific website mirror will be blocked? was it another of those emails from Roskomnadzor? 16:12:25 <ggus> since the censorship in russia, we've answered +400 tickets on frontdesk@tpo from russian users 16:12:50 <meskio> wow 16:12:57 <ggus> dcf1: yes, hackerncoder received a notification and pinged us on #tor-project oday. 16:13:04 <shelikhoo> anadahz: No It's 2a0c:4d80:42:702::1 16:13:20 <ggus> *today 16:13:42 <hackerncoder> My hosting provider got a simelar email as the Tor Project from roscomandzor 16:14:24 <dcf1> there's a list of existing mirrors at https://2019.www.torproject.org/getinvolved/mirrors.html.en 16:14:38 <dcf1> though likely any single one that's promoted will also eventually be blocked 16:15:04 <ggus> dcf1: but, this list is only for wwww.tpo 16:15:34 <dcf1> I see. But some of them also have /dist/, is that what's required? 16:16:34 <hackerncoder> Mine includs many subdomains, support community blog 2019 tb-manual 16:17:41 <ggus> dcf1: yes, all these mirrors have /dist/ 16:18:18 <anadahz> IIUC Roscomandzor send mails to Tor relays email contact and/or hosting ISP abuse email address? 16:18:46 <dcf1> anadahz: not to relay operators as far as I know 16:18:47 <ggus> afaik, i didn't hear anything about that 16:19:35 <meskio> dcf1: do I recall that scaling the snowflake bridge will require changes in the code? should we start prioritizing those changes? 16:19:42 <meskio> I guess is that one: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/28651 16:19:49 <meskio> I see is already in 'next'... 16:20:20 <shelikhoo> The easiest way to do this is setup another broker, and bridge 16:20:39 <shelikhoo> so there will be a separate proxy pool 16:20:42 <dcf1> meskio: I mean, eventually, but two easier steps before redesigning any code are: 1. deploy on bigger hardware 2. profile and optimize the snowflake-bridge code. 16:21:03 <meskio> I see 16:21:27 <ggus> another thing wrt russia: valdikss shared this article about a pro-gov organization asking Apple and Google Play to block Tor apps - https://m.gazeta.ru/social/news/2021/12/14/n_17011309.shtml 16:21:35 <meskio> I hope it can wait until january so we don't need to rush over the vacations to do it 16:22:04 <dcf1> meskio: I don't think there's any rush. 16:22:14 <meskio> :) 16:23:03 <shelikhoo> I think Apple have already deplatformed all Proxy Apps from China's App Store 16:23:08 <dcf1> we already upgraded the hardware once 6 months ago https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40051 16:24:28 <dcf1> I also have a feeling that a few hours spent profiling the snowflake server PT would reduce its CPU usage a lot 16:24:32 <anadahz> shelikhoo: Indeed, that was some time ago. 16:25:03 <dcf1> currently using about 2 CPUs for snowflake-server, about 1 CPU for tor + proxy-go instances. 16:25:39 <shelikhoo> It is usually impossible for users to create an apple account in a country they does not live in without the help of a VPN 16:26:07 <shelikhoo> unless they have a payment method in that country 16:26:18 <meskio> dcf1: I see 16:26:37 <dcf1> Maybe the app stores can purge all the fake tor browsers from the app stores while they're at it 16:26:47 <ggus> hehe 16:26:52 <meskio> that will be nice :D 16:27:28 <ggus> wow, we have 3k snowflake users in Russia 16:27:56 <meskio> nice 16:28:22 <ggus> winter is coming :P 16:28:37 <gaba> :) 16:28:46 <ggus> https://metrics.torproject.org/userstats-bridge-combined.html?start=2021-09-17&end=2021-12-16&country=ru 16:29:06 <arlolra> is anyone working on implementing the alpn extension for pion dtls? 16:30:02 <shelikhoo> https://github.com/pion/dtls/issues/408 16:30:10 <shelikhoo> Context ^ 16:30:26 <dcf1> for that matter, I'm not sure if we upgraded the standalone bridges that we operate 16:31:01 <anadahz> FWIW OnionBrowser seems to be still available on Apple Store: https://applecensorship.com/app-store-monitor/test/519296448?l= 16:31:36 <dcf1> I guess we did not upgrade our proxy-go yet, judging by the modification date of the binary. I will do that. 16:32:38 <ggus> dcf1: after that, should we ask volunteers to upgrade their snowflake standalone proxy? 16:33:16 <dcf1> maybe. I'm not sure how important it is. 16:33:59 <shelikhoo> This could improve connection time for impacted users lives in Russia 16:34:12 <shelikhoo> Since the client will retry connection 16:34:28 <shelikhoo> after waiting a while 16:34:53 <shelikhoo> so if the proxy does not update its version, the connection may be blocked 16:35:11 <shelikhoo> the client will need to try another proxy 16:35:15 <meskio> we should rebuild the docker image of the standalone proxy if we want to ask people to upgrade 16:35:22 <dcf1> yes, I understand. what I'm saying is I don't have a way to wauntify how important that effect actually is in practice 16:35:42 <dcf1> to know whether it's worth the trouble 16:35:54 <dcf1> rebuilding the docker image is a good idea in any case 16:36:06 <meskio> I'll do that tomorrow 16:36:24 * meskio remembers that needs to give a push to the debian package too 16:36:43 <ggus> and then ask egypcio to update the freebsd port 16:37:40 <shelikhoo> debian is quite slow when it comes to updating packages.... 16:38:46 <meskio> the package is in debian sid, it will not even get to testing as I need to fix things tehre 16:38:54 <meskio> so no hurry 16:39:01 <shelikhoo> Yes.... 16:39:29 <anadahz> (also Tor Browser is available on Google Play in Russia: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&gl=RU) 16:39:36 <ggus> btw, we will have a user support person that speaks russian very soon. 16:39:52 <meskio> nice 16:39:56 <ggus> thanks everyone how helped us on this! 16:40:59 <meskio> anything more about russia? 16:41:34 <meskio> I see a point about fingerprint fixes in the agenda, I guess is what we just discussed, anything else to add there? 16:41:49 <dcf1> that's what we just discussed 16:42:03 <meskio> good 16:42:03 <dcf1> I don't think arlolra got an answer, so I suppose that means no one is working on it now 16:42:19 <meskio> yes, I guess that is the answer 16:42:33 <meskio> maybe cohosh knows more, but she is AFK today 16:43:12 <meskio> I added a point about the next meeting, not sure how you have done the holiday season last years 16:43:29 <meskio> from Dec 22 to Jan 5 TPI employees are in holiday 16:43:39 <meskio> so I guess our next meeting will be Jan 6 16:43:53 * meskio might take that day off, but I hope others will be around 16:44:39 <meskio> I guess nothing to discuss there 16:44:47 <meskio> anything else for today? 16:45:12 <ggus> just to add that we have now 2k bridges - https://metrics.torproject.org/networksize.html?start=2017-09-17&end=2021-12-16 16:45:24 <meskio> amazing 16:45:34 <shelikhoo> great! 16:45:59 <ggus> 2018 was the bridge authority migration 16:46:09 <anadahz> impressive! 16:47:33 <meskio> I'll give it one more minute to see if someone has something else to talk and if not I'll close the meeting 16:48:35 <meskio> #endmeeting