15:59:29 <cohosh> #startmeeting tor anti-censorship meeting
15:59:29 <MeetBot> Meeting started Thu Jan 20 15:59:29 2022 UTC.  The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:59:29 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:39 <shelikhoo> hi~
15:59:40 <cohosh> welcome, here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:46 <anadahz> o/
15:59:59 <cohosh> before we get started, i have a quick question for people here
16:00:09 <cohosh> i stopped posting the meeting notes to our mailing list
16:00:17 <cohosh> if these were useful to people, i can restart
16:00:42 <cohosh> i didn't really have a reason for it other than lots of meetings after this one and eventually just forgetting to do it
16:00:55 <irl> hi
16:01:42 <cohosh> (if nobody responds i will assume they weren't that useful)
16:02:14 <dcf1> I used the notes to find links to the meeting logs
16:02:23 <dcf1> I found out I can also get them from http://meetbot.debian.net/tor-meeting/
16:03:27 <cohosh> hmm okay, i'm on the fence since we do a pretty good job of documenting links and discussions
16:04:06 <cohosh> like i saved the ones from last week in a pad locally because i felt bad just wiping it xD
16:04:16 <cohosh> i'll probably restart posting them then
16:04:31 <dcf1> haha
16:04:50 <dcf1> There is also the forum now, don't know if that will attract attention from low-effort commenters though
16:05:00 <cohosh> anyway, i just answered my own question >.<
16:05:02 <cohosh> yeah that's true
16:05:12 <cohosh> i like the forum for the (bi-) monthly reports
16:05:28 <dcf1> that's probably better than weekly notes
16:05:44 <cohosh> also there is a sync between the tor-project mailing list and the forum
16:06:16 <cohosh> ok let's move on with the agenda
16:06:51 <cohosh> i left the item about the kazakhstan shutdown up in case there were any developments there
16:07:40 <dcf1> the shutdown ended 2022-01-11 00:00
16:07:56 <dcf1> https://github.com/net4people/bbs/issues/99#issuecomment-1012425056
16:08:36 <cohosh> okay cool, thanks dcf1!
16:09:48 <cohosh> shelikhoo: i also left up the item about the new censorship in china in case there were new developments there
16:10:18 <dcf1> shelikhoo: if you are into the idea, this can be the subject of a good research paper or report
16:10:40 <dcf1> with ooni or censoredplanet or both
16:10:47 <shelikhoo> We have received reply from censored planet. https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40026
16:10:59 <meskio> ups, I was looking something else and forgot about the meeting, hi
16:11:44 <shelikhoo> I don't know if this can be a report since currently I don't have access to an impacted vantage point.
16:12:34 <shelikhoo> I will see if i can find a way to test the censorship from outside
16:12:35 <dcf1> I agree it will require more data, I mean that this topic is a good subject for a report
16:13:32 <dcf1> Have you used RIPE Atlas? Are there Atlas probes in the affected networks?
16:13:38 <shelikhoo> Yes, I don't know for sure, but this is a rare case the censorship is now directly visible
16:14:11 <shelikhoo> I haven't tried RIPE Atlas
16:14:16 <shelikhoo> I will try that later
16:14:43 <dcf1> we can also ask for interactive testers or shell accounts on the forums, possibly
16:15:16 <shelikhoo> Are researchers aware of regional or ISP-based censorship in China, the one in addition to the GFW?
16:15:30 <dcf1> what are you hoping to do with interactive testing? things like TTL-limited probes, testing specific match signatures?
16:16:15 <dcf1> There are some pieces of research that are about different censorship in different regions of China, but I do not think that injected blockpages are widely known yet
16:16:37 <shelikhoo> Right now, the thing we currently do not know is the list of censored websites.
16:16:38 <dcf1> "Analyzing the Great Firewall of China Over Space and Time" https://censorbib.nymity.ch/#Ensafi2015a
16:16:53 <dcf1> "Triplet Censors: Demystifying Great Firewall's DNS Censorship Behavior" https://censorbib.nymity.ch/#Anonymous2020a
16:17:02 <shelikhoo> Is that the same everywhere, or different for different regions?
16:17:51 <dcf1> I see. You want to test a larger list of candidate websites, not just haphazard reports from people using the internet casually.
16:18:40 <shelikhoo> Yes, I will wait for the reply from Censored Planet first, while looking at RIPE Atlas
16:19:24 <dcf1> I think that Satellite and Hyperquack can run with a custom list of domains
16:20:02 <dcf1> good work shelikhoo
16:20:13 <shelikhoo> It is yet to be known how common it is to get a website censored, for example, whether our fronting domain is censored
16:20:22 <shelikhoo> Thanks
16:21:21 <cohosh> nice :)
16:21:37 <shelikhoo> I could try to request assistance from V2Ray users, but they are not technical so it is much more difficult to conduct experiments smoothly.
16:22:29 <shelikhoo> Over
16:22:42 <cohosh> dcf1: i think the next item is yours?
16:23:31 <dcf1> I want to try and do a snowflake bridge upgrade for load balancing next week, if possible
16:23:54 <dcf1> I did the installation again and wrote clean instructions, though on a host with only 2 CPUs
16:23:56 <cohosh> \o/
16:23:59 <shelikhoo> the onion key issue is solved? or still present?
16:24:23 <dcf1> which is because our host where the snowflake bridge is currently is having some kind of technical issues
16:24:59 <dcf1> I priced comparable VPSes (8 CPU) and they run about $100-200 per month
16:25:17 <dcf1> which is not a cost I want to take on long term without a plan, but for a week or so it's okay
16:25:40 <cohosh> do the technical issues affect the current bridge?
16:26:09 <dcf1> cohosh: no, not as far as I know. As I understand it, the Amsterdam data center (where the production bridge is) is full
16:26:17 <cohosh> ahh okay
16:26:19 <dcf1> The staging bridge we set up last week was in a Miami data center
16:26:59 <dcf1> When I went to reinstall the staging bridge from scratch, it didn't work after a reboot (no route to host) and they told me there was a problem with the hypervisor but did not yet have a fix
16:27:27 <dcf1> So I would not want to reinstall the current production bridge, but an upgrade in place should be fine
16:28:02 <dcf1> shelikhoo: no, there is no clear solution to the onion key problem, but there are several possible effective hacks
16:28:05 <cohosh> makes sense, fwiw tor project sometimes has funds to give to relay orgs/other people to run bridges
16:28:12 <cohosh> (as long as TPI is not maintaining them)
16:29:06 <dcf1> We can bump LastRotatedOnionKey in the state file, and then it's okay for a few weeks
16:29:33 <shelikhoo> for the long run, we might want to consider making it easier for other people to run relays as well
16:29:59 <dcf1> So I can set up a staging bridge again, then we'll need to make a DNS change, and be ready to switch it back in case something goes wrong
16:30:21 <cohosh> dcf1: do you want some of us around when the switch happens?
16:30:52 <dcf1> shelikhoo: yes, unfortunately it seems this kind of load balancing is pretty unprecedented and there's no systematic setup for it yet
16:31:16 <dcf1> first, I don't know how to go about changing the DNS record
16:32:00 <cohosh> oh right, that's the sysadmin team
16:32:12 <irl> i'd first change the TTL on the record to 60 seconds in advance of doing any changes, so that when you are doing stuff you're able to see changes happen quickly
16:32:14 <cohosh> you can make an issue here: https://gitlab.torproject.org/tpo/tpa/team/
16:32:18 <irl> even before you change the address
16:32:34 <cohosh> for free haven you'll need arma2
16:32:38 <dcf1> thanks cohosh
16:32:44 <dcf1> good idea irl
16:33:00 <dcf1> freehaven and bamsoftware are CNAME for torproject.net, so I think we only need to change torproject.net
16:33:08 <cohosh> ah yes, you're right
16:34:11 <anadahz> dcf1: Also you may use iptables to route the "remaining" traffic of clients with cached DNS to the new server.
16:34:18 <dcf1> I don't know if we exactly need people to be "on call" at the time, but I can try to do it during hours when people are online and I can post updates in #tor-dev
16:35:42 <dcf1> anadahz: it's actually the proxies, not the clients, with cached dns that would be a problem, and they should not be a problem because if they connect to a bridge while it is undergoing an upgrade, they just won't serve any clients
16:36:48 <dcf1> but I'm thinking of leaving both bridges running concurrently for about 24 hours after making the DNS change, before starting to make any changes to the production bridge
16:36:54 <dcf1> anyway
16:37:57 <cohosh> sounds like a good plan
16:38:37 <shelikhoo> BTW, ACME won't work unless we also copy the key
16:38:44 <shelikhoo> TLS key
16:39:09 <shelikhoo> since at first the staging server doesn't have an A record
16:39:49 <shelikhoo> and it would be too late to get the certificate after the A record is already pointed at it
16:40:02 <dcf1> it will have an A record by the time it starts receiving connections, though, I think?
16:40:18 <dcf1> getting a certificate only takes a few seconds when the first TLS connection happens
16:40:47 <shelikhoo> Yes, but some clients might have a shorter DNS cache, and the ACME server might have a longer one
16:40:47 <dcf1> but you raise a good point, something could go wrong with the process. I'll make a note to make a copy of the TLS key and certificate.
16:40:52 <shelikhoo> Yes
16:41:00 <shelikhoo> just to be safe
16:42:40 <cohosh> okay the next item is about our reading group
16:42:58 <cohosh> before the holiday we discussed doing a reading in january, and then things got really busy
16:43:23 <cohosh> are we too busy still or do we want to get that going again?
16:43:29 <arma2> (hello i am around, but distracted by being ready for ola's trial. it sounds from the backlog like we almost needed an arma but actually we don't?)
16:43:41 <cohosh> arma2: yeah you're good :)
16:44:14 <arma2> woo thanks
16:44:23 <cohosh> (hope the trial goes well)
16:44:25 <dcf1> let's schedule reading group discussion for 3 February
16:44:38 <dcf1> Groundhog Day Reverse Eve
16:44:43 <cohosh> cool, two weeks from now sounds good
16:44:45 <cohosh> lol what
16:45:00 <cohosh> fancy
16:45:25 <dcf1> wishing you well arma2
16:46:04 <cohosh> anything else for today?
16:46:29 <meskio> not from me
16:46:29 <arlolra> is it useful to implement Chacha20Poly1305 in pion/dtls?
16:46:51 <meskio> it will be nice to have the link to the paper
16:46:58 * meskio searches for it
16:47:00 <dcf1> https://dl.acm.org/doi/10.1145/3460120.3484550
16:47:06 <meskio> thanks :)
16:47:16 <dcf1> arlolra: oh wait
16:47:27 <dcf1> I mean meskio: oh wait
16:47:28 <arlolra> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40014#note_2764731
16:47:29 <dcf1> damn it
16:47:35 <shelikhoo> https://censorbib.nymity.ch/pdf/Ensafi2015a.pdf ?
16:47:54 <dcf1> I could have sworn this one was open access on dl.acm.org but now I see that it is not
16:48:10 <cohosh> :/
16:48:28 <cohosh> arlolra: oh btw thanks for doing the alpn negotiation
16:48:29 <dcf1> maybe they did the sly ACM trick of making it available for download for 1 month or something
16:48:32 <dcf1> what a farce
16:48:40 <meskio> the pdf link did work for me: https://dl.acm.org/doi/pdf/10.1145/3460120.3484550
16:48:43 <cohosh> s/negotiation/extension
16:49:05 <dcf1> oh am I overreacting
16:49:30 <dcf1> Anyway there is also an IACR eprint, https://eprint.iacr.org/2021/686
16:49:31 <cohosh> it didn't work for me
16:49:35 <cohosh> unless i'm missing something
16:49:51 <arlolra> cohosh: np. there's a second part to that, something needs to make use of it
16:50:04 <cohosh> yeah, that'd be a patch in pion/webrtc
16:50:07 <meskio> mmm, it doesn't work over tor...
16:50:18 <cohosh> (i think, or one of the other repos)
16:50:29 <dcf1> meskio: hmm, maybe that's the difference
16:50:31 <anadahz> dcf1: thanks for the link
16:50:39 <shelikhoo> meskio: I sent the wrong link....
16:50:49 <shelikhoo> sorry...
16:50:54 <meskio> no prob
16:50:58 <cohosh> arlolra: for the ciphersuite, it would be useful, but i don't think there's a rush there
16:51:09 <dcf1> arlolra: is that a ciphersuite that's present in browser fingerprints?
16:51:32 <anadahz> the 2nd link dcf1 sent is accessible via Tor.
16:51:55 <arlolra> dcf1: see the link I posted above to 40014
16:52:34 <arlolra> cohosh: ok, if you can think of a better use of my time, let me know
16:52:43 <dcf1> Oh, they have a whole web page https://meteorfrom.space/
16:53:04 <cohosh> oh arlolra can you review snowflake-webext!25?
16:53:11 <cohosh> my javascript isn't great
16:53:56 <cohosh> but other than that chipping away at the dtls fingerprinting issues sounds awesome :D
16:54:01 <arlolra> sure
16:54:10 <cohosh> thank you!
16:54:58 * cohosh waits a few mins to see if there is anything else for today
16:56:37 <cohosh> #endmeeting