15:58:45 <meskio> #startmeeting tor anti-censorship meeting
15:58:45 <MeetBot> Meeting started Thu Aug 11 15:58:45 2022 UTC. The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:45 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:49 <meskio> hi everyone!
15:58:52 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:57 <meskio> feel free to add what you've been working on and put items on the agenda
15:59:16 <meskio> I kept the two points that are from last week, not sure if we need to discuss them
16:00:56 <meskio> let's see, the first one of those is the snowflake fingerprint situation in russia, any news on that?
16:01:25 <shelikhoo> no I am not working on that issue right now
16:01:57 <meskio> ok, should we remove this from the pad?
16:02:57 <shelikhoo> I think we can move it somewhere else and bring it back once there is any news....
16:04:17 <meskio> this somewhere else might be https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030 ?
16:04:24 <meskio> or should we open an issue on the snowflake side for it?
16:05:11 <shelikhoo> It is quite mixed with all kinds of things. We already have issues for some specific topics in it...
16:05:49 <shelikhoo> I suggest we just move it to that ticket just in case we get any news.
16:06:33 <meskio> I agree, let's do that, do you want to do it?
16:06:38 <shelikhoo> yes
16:07:03 <meskio> thanks
16:07:04 <shelikhoo> I will do this after the meeting
16:07:23 <shelikhoo> no need to block the discussion
16:07:24 <ggus> hello
16:07:36 <meskio> hello
16:07:51 <meskio> the next topic from last week is the snowflake one
16:07:57 <meskio> I see it is actually two:
16:08:03 <meskio> snowflake.tpo website
16:08:13 <meskio> docker CI build
16:08:32 <meskio> there are issues for both of them, anything to discuss or can we move on?
16:09:30 <shelikhoo> for the docker CI
16:10:18 <shelikhoo> I understand that meskio doesn't wish to trust gitlab with the docker registry token
16:10:35 <shelikhoo> maybe we can let it build the image and maybe binaries
16:10:47 <shelikhoo> and then someone can push manually
16:11:00 <shelikhoo> this prevents the leak of the docker registry token
16:11:13 <meskio> yes, I'm not sure I'm comfortable giving gitlab access to the docker registry
16:11:25 <shelikhoo> but doesn't protect against supply chain attack
16:11:31 <meskio> but I'm happy with building everything
16:12:00 <shelikhoo> yes, we can let it build everything, then push to the docker registry manually
16:12:11 <shelikhoo> I will investigate if that is possible
16:12:18 <shelikhoo> the same will go for webext
16:12:25 <meskio> +1
16:12:42 <shelikhoo> build all the files, but deploy to production will be done manually
16:13:14 <shelikhoo> so that we will have a chance to intervene if something obviously goes wrong
16:13:16 <shelikhoo> yes
16:13:35 <shelikhoo> I have nothing more on this topic
16:13:39 <meskio> shelikhoo: I did move the issue into docker-snowflake-proxy, but I'm not sure it is the right place, feel free to move it back
16:14:54 <meskio> the next topic is the use of azure for snowflake domain fronting
16:15:11 <shelikhoo> yes. we can discuss everything in the docker repo, but the deployment will need to happen on the snowflake
16:15:50 <meskio> great
16:15:52 <shelikhoo> The reason we want to do that is because we suspect the fronted broker is not reachable in TM
16:16:21 <shelikhoo> in the https://snowflake-broker.freehaven.net/metrics
16:16:29 <shelikhoo> we didn't see a lot of TM users
16:16:41 <shelikhoo> at snowflake-ips
16:17:36 <meskio> have we ever had more TM users in the past?
16:17:50 <shelikhoo> however, when we try to test it with an open proxy in TM, the sstatic.net is reachable
16:19:43 <meskio> ok, we could try to domain front with azure
16:19:52 <ggus> meskio: i think snowflake is blocked in TM since last year
16:20:45 <meskio> I'll check with TB people to see if connect assist will use the bridgeline we provide for snowflake, we could distribute azure configuration only to TM
16:20:50 <meskio> ggus: thanks, makes sense
16:20:59 <shelikhoo> yes, we could try. But i am unsure of the root cause of the blocking now
16:21:18 <meskio> ggus: do you know who has access to the meek-azure account?
16:21:24 <shelikhoo> the exact way snowflake is blocked in TM is currently unknown right now
16:21:54 <meskio> would be nice to have a vantage point in TM
16:21:56 <shelikhoo> I was trying to see if we can get a vantage point in TM
16:22:03 <meskio> :)
16:22:04 <ggus> meskio: maybe cohosh? idk
16:22:16 <shelikhoo> and there isn't any easy way to get one
16:22:33 <shelikhoo> apart from a really expensive one
16:22:49 <shelikhoo> all others do not have automatic setup
16:23:04 <shelikhoo> so we need to talk to sales to get one
16:23:24 <shelikhoo> either when searching in english or chinese
16:23:54 <shelikhoo> meskio can try if there is any good option when searching in Spanish
16:24:18 <meskio> I can try that, I will be surprised if there is info about it in spanish
16:24:24 <meskio> I guess we might have more luck in russian
16:24:31 <ggus> the sekret partnership between spain and tm :)
16:24:37 <shelikhoo> but I didn't find a way to buy one at a reasonable price without talking to a human
16:24:45 <shelikhoo> there are way more chinese results than english ones
16:24:57 <meskio> we could ask nina to help with the search in russian
16:25:03 <shelikhoo> so I just assume it wouldn't hurt to try
16:25:15 <meskio> sure, I will
16:25:20 <ggus> i saw some websites hosted in telecom using russian domain registers
16:25:42 <shelikhoo> let's say this one is in russian
16:25:42 <shelikhoo> https://telecom.tm/ru/hosting/
16:25:44 <shelikhoo> but
16:26:00 <shelikhoo> it does not support self-service purchase
16:26:04 <shelikhoo> (seems)
16:26:21 <meskio> we could try some social engineering...
16:26:29 <meskio> (maybe here is not the best place to talk about that)
16:27:03 <shelikhoo> yes... we can discuss this later in the voice team sync
16:27:20 <shelikhoo> but anyway it is not easy
16:27:34 <meskio> I'll try to find who has access to the meek-azure stuff
16:27:41 <shelikhoo> yes
16:27:48 <meskio> and figure out if we can change it from the circumvention settings api
16:27:57 <meskio> but let's investigate more the TM vantage point
16:28:16 <ggus> and the censorship on AGTS and TM Telecom appears to be slightly different
16:28:50 <meskio> :(
16:29:30 <shelikhoo> yes, I think a lot of eccentric chinese vps providers also sell vps in iran in addition to TM
16:29:47 <ggus> beyond using meek-azure for snowflake, there is also a patch fix for vanilla tor connections that valdikss submitted to core/tor
16:30:27 <shelikhoo> if we decide to pursue that route we might set up more than one vantage point in targeted locations
16:30:53 <ggus> https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40029#note_2826894
16:31:13 <ggus> https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/599
16:31:49 <meskio> wow, nice
16:32:54 <ggus> but i think someone needs to resolve nickm's comments, then ship it to tor browser
16:34:04 <meskio> I see it has been stuck for 3 weeks
16:35:20 <ggus> and obfs4 bridges are also blocked because they are blocking a bunch of ip ranges too
16:35:27 <meskio> I'll check with nickm how he feels about valdikss's answers and try to give it a push
16:35:57 <ggus> meskio: great! ty!
16:36:52 <meskio> ggus: I think we should focus on fixing snowflake in TM and once this is working let's see if we can do something about bridges, step by step
16:37:58 <meskio> anything else on this topic?
16:38:03 <ggus> meskio: for bridges i think we need to find providers that are not blocked in TM. i heard about some IP ranges in contabo (isp in de).
16:38:22 <ggus> but the IP address that i got from contabo didn't work
16:38:50 <ggus> i agree with fixing snowflake in tm and then figuring out what to try next :)
16:39:03 <meskio> I see, we could use some allowlist just for TM with IPs that work, but we need to find what those are
16:39:37 <ggus> yeah, and this is the hard task because they are blocking the whole internet, except wikipedia, skype and gmail
16:40:10 <meskio> we should ask those to run bridges ;P
16:40:41 <ggus> :P
16:42:59 <shelikhoo> it is only slightly easier than asking the oppressor to respect human rights
16:43:20 <ggus> haha
16:43:34 <meskio> should we move on to talk about HTTPT?
16:43:38 <shelikhoo> yes
16:43:50 <meskio> shelikhoo do you want to introduce it?
16:43:54 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/httpt/-/issues/1#note_2826601
16:44:43 <shelikhoo> HTTPT is a transport we have decided to include in Tor Browser but haven't decided exactly how to
16:45:08 <shelikhoo> On the server, it is designed to be used together with a forwarder
16:45:45 <shelikhoo> for people without knowledge of the secret url, the forwarder like nginx acts like an ordinary web server
16:45:56 <shelikhoo> displaying a website
16:46:16 <shelikhoo> but when a client requests to connect to a specific path
16:46:34 <shelikhoo> the forwarder will send that connection to HTTPT
16:46:54 <shelikhoo> creating a bidirectional connection between HTTPT client and server
16:47:14 <shelikhoo> this prevents active probing by having a website as cover
16:48:12 <shelikhoo> but also makes it harder to passively classify the connection by making sure the client server connections are standard compliant HTTP connections
16:48:32 <shelikhoo> and can be seen as HTTPS traffic
16:49:15 <shelikhoo> in this issue, i outline the deployment pattern we could propose
16:49:42 <shelikhoo> On the server, there is a HTTPT pluggable transport managed by the C-Tor program
16:50:02 <shelikhoo> which listens on a local port
16:50:15 <shelikhoo> and a forwarder like nginx forwards connections to this local port
16:50:56 <shelikhoo> and the bridge operator ordinarily runs their own Tor and HTTPT
16:51:40 <shelikhoo> are there any questions so far?
16:51:46 <meskio> I think this proposal sounds pretty good, I think it is fair to assume bridge operators will run both tor and the web server for HTTPT
16:52:31 <shelikhoo> yes, we could in theory run a public HTTPT server, but it will create the same scale issue we encountered on snowflake
16:52:55 <meskio> let's decentralize and let bridge operators pay for the traffic...
16:52:58 <meskio> :)
16:53:02 <shelikhoo> yes...
16:53:16 <meskio> snowflake is special as we can not run tor as a browser plugin
16:53:53 <meskio> (maybe we could, but wow, that would be fun compiling C-tor into wasm...)
16:54:28 <shelikhoo> yes, that's true, and tor doesn't support distributed servers on its own
16:54:48 <shelikhoo> we need to specifically work around some of tor's design to get it working
16:55:17 <shelikhoo> we cannot run tor in the browser as it is not possible to create arbitrary tcp connections in the browser
16:55:52 <shelikhoo> it can only send HTTP or other browser approved traffic
16:56:04 <meskio> yes, true, that is the real reason :)
16:56:11 <shelikhoo> I can begin the implementation of HTTPT right now, do we want to do that?
16:56:27 <shelikhoo> I can begin the implementation of HTTPT PT right now, do we want to do that?
16:56:36 <meskio> your plan sounds good
16:56:49 <meskio> I'm eager to see what you produce with it :)
16:57:09 <itchyonion> yea the whole HTTPT thing sounds really interesting
16:58:11 <shelikhoo> yeah. I take it as a yes meskio
16:58:40 <meskio> +1
16:58:46 <meskio> anything else for today?
16:58:55 <shelikhoo> nothing from me
16:59:16 <itchyonion> me neither
16:59:24 <meskio> great, let's close the meeting then
16:59:28 <meskio> #endmeeting