15:58:45 <meskio> #startmeeting tor anti-censorship meeting
15:58:45 <MeetBot> Meeting started Thu Aug 11 15:58:45 2022 UTC.  The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:45 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:49 <meskio> hi everyone!
15:58:52 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:57 <meskio> feel free to add what you've been working on and put items on the agenda
15:59:16 <meskio> I kept the two points that are from last week, not sure if we need to discuss them
16:00:56 <meskio> let's see, the first one of those is the snowflake fingerprint situation in russia, any news on that?
16:01:25 <shelikhoo> no I am not working on that issue right now
16:01:57 <meskio> ok, should we remove this from the pad?
16:02:57 <shelikhoo> I think we can move it somewhere else and bring it back once there is any news....
16:04:17 <meskio> this somewhere else might be https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40030 ?
16:04:24 <meskio> or should we open an issue on snowflake side for it?
16:05:11 <shelikhoo> It is quite mixed with all kinds of things. We already have issues for some specific topics in it...
16:05:49 <shelikhoo> I suggest we just move it to that ticket just in case we got any news.
16:06:33 <meskio> I agree, let's do that, do you want to do it?
16:06:38 <shelikhoo> yes
16:07:03 <meskio> thanks
16:07:04 <shelikhoo> I will do this after the meeting
16:07:23 <shelikhoo> no need to block the discussion
16:07:24 <ggus> hello
16:07:36 <meskio> hello
16:07:51 <meskio> the next topic from last week is the snowflake one
16:07:57 <meskio> I see is actually two:
16:08:03 <meskio> snowflake.tpo website
16:08:13 <meskio> docker CI build
16:08:32 <meskio> there are issues for both of them, anything to discuss or can we move on?
16:09:30 <shelikhoo> for the docker CI
16:10:18 <shelikhoo> I understand that meskio doesn't wish to trust gitlab with the docker registry token
16:10:35 <shelikhoo> maybe we can let it build the image and maybe binaries
16:10:47 <shelikhoo> and then someone can push manually
16:11:00 <shelikhoo> this prevents the leak of the docker registry token
16:11:13 <meskio> yes, I'm not sure I'm comfortable giving gitlab access to the docker registry
16:11:25 <shelikhoo> but doesn't protect against supply chain attacks
16:11:31 <meskio> but I'm happy with building everything
16:12:00 <shelikhoo> yes, we can let it build everything, then push to the docker registry manually
16:12:11 <shelikhoo> I will investigate if that is possible
16:12:18 <shelikhoo> the same will go for webext
16:12:25 <meskio> +1
16:12:42 <shelikhoo> build all the files, but deploy to production will be done manually
16:13:14 <shelikhoo> so that we will have a chance to intervene if something obviously goes wrong
16:13:16 <shelikhoo> yes
16:13:35 <shelikhoo> I have nothing more on this topic
16:13:39 <meskio> shelikhoo: I did move the issue into docker-snowflake-proxy, but I'm not sure it's the right place, feel free to move it back
16:14:54 <meskio> the next topic is the use of azure for snowflake domain fronting
16:15:11 <shelikhoo> yes. we can discuss everything in the docker repo, but the deployment will need to happen on the snowflake
16:15:50 <meskio> great
16:15:52 <shelikhoo> The reason we want to do that is because we suspect the fronted broker is not reachable in TM
16:16:21 <shelikhoo> in the https://snowflake-broker.freehaven.net/metrics
16:16:29 <shelikhoo> we didn't see a lot of TM users
16:16:41 <shelikhoo> at snowflake-ips
16:17:36 <meskio> have we ever had more TM users in past?
16:17:50 <shelikhoo> however, when we try to test it with an open proxy in TM, the sstatic.net is reachable
16:19:43 <meskio> ok, we could try to domain front with azure
16:19:52 <ggus> meskio: i think snowflake is blocked in TM since last year
16:20:45 <meskio> I'll check with TB people to see if connect assist will use the bridgeline we provide for snowflake, we could distribute azure configuration only to TM
16:20:50 <meskio> ggus: thanks, makes sense
16:20:59 <shelikhoo> yes, we could try. But I am unsure of the root cause of the blocking now
16:21:18 <meskio> ggus: do you know who has access to meek-azure account?
16:21:24 <shelikhoo> the exact way snowflake is blocked in TM is currently unknown right now
16:21:54 <meskio> would be nice to have a vantage point in TM
16:21:56 <shelikhoo> I was trying to see if we can get a vantage point in TM
16:22:03 <meskio> :)
16:22:04 <ggus> meskio: maybe cohosh? idk
16:22:16 <shelikhoo> and there isn't any easy way to get one
16:22:33 <shelikhoo> apart from a really expensive one
16:22:49 <shelikhoo> all others do not have automatic setup
16:23:04 <shelikhoo> so we need to talk to sales to get one
16:23:24 <shelikhoo> either when searching in english or chinese
16:23:54 <shelikhoo> meskio can try if there is any good option when searching in Spanish
16:24:18 <meskio> I can try that, I would be surprised if there is info about it in spanish
16:24:24 <meskio> I guess we might have more luck in russian
16:24:31 <ggus> the sekret partnership between spain and tm :)
16:24:37 <shelikhoo> but I didn't find a way to buy one at a reasonable price without talking to a human
16:24:45 <shelikhoo> there are way more chinese results than english ones
16:24:57 <meskio> we could ask nina to help with the search in russian
16:25:03 <shelikhoo> so I just assume it wouldn't hurt to try
16:25:15 <meskio> sure, I will
16:25:20 <ggus> i saw some websites hosted in telecom using russian domain registers
16:25:42 <shelikhoo> let's say this one is in russian
16:25:42 <shelikhoo> https://telecom.tm/ru/hosting/
16:25:44 <shelikhoo> but
16:26:00 <shelikhoo> it does not support self-service purchase
16:26:04 <shelikhoo> (seems)
16:26:21 <meskio> we could try some social engineering...
16:26:29 <meskio> (maybe here is not the best place to talk about that)
16:27:03 <shelikhoo> yes... we can discuss about this later in the voice team sync
16:27:20 <shelikhoo> but anyway it is not easy
16:27:34 <meskio> I'll try to find who has access to the meek-azure stuff
16:27:41 <shelikhoo> yes
16:27:48 <meskio> and figure out if we can change it from the circumvention settings api
16:27:57 <meskio> but let's investigate more the TM vantage point
16:28:16 <ggus> and the censorship on AGTS and TM Telecom appears to be slightly different
16:28:50 <meskio> :(
16:29:30 <shelikhoo> yes, I think a lot of eccentric chinese vps providers also sell vps in iran in addition to TM
16:29:47 <ggus> beyond using meek-azure for snowflake, there is also a patch fix for vanilla tor connections that valdikss submitted to core/tor
16:30:27 <shelikhoo> if we decide to pursue that route we might set up more than one vantage point in targeted location
16:30:53 <ggus> https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40029#note_2826894
16:31:13 <ggus> https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/599
16:31:49 <meskio> wow, nice
16:32:54 <ggus> but i think someone needs to resolve nickm's comments, then ship it to tor browser
16:34:04 <meskio> I see it's been stuck for 3 weeks
16:35:20 <ggus> and obfs4 bridges are also blocked because they are blocking a bunch of ip range too
16:35:27 <meskio> I'll check with nickm how he feels about valdikss answers and try to give it a push
16:35:57 <ggus> meskio: great! ty!
16:36:52 <meskio> ggus: I think we should focus on fixing snowflake in TM and once this is working let's see if we can do something about bridges, step by step
16:37:58 <meskio> anything else on this topic?
16:38:03 <ggus> meskio: for bridges i think we need to find providers that are not blocked in TM. i heard about some IP ranges in contabo (isp in de).
16:38:22 <ggus> but the IP address that i got from contabo didn't work
16:38:50 <ggus> i agree with fixing snowflake in tm and then figuring out what to try next :)
16:39:03 <meskio> I see, we could use some allowlist just for TM with IPs that work, but we need to find what are those
16:39:37 <ggus> yeah, and this is the hard task because they are blocking the whole internet, except wikipedia, skype and gmail
16:40:10 <meskio> we should ask those to run bridges ;P
16:40:41 <ggus> :P
16:42:59 <shelikhoo> it is only slightly easier than asking oppressors to respect human rights
16:43:20 <ggus> haha
16:43:34 <meskio> should we move on to talk about HTTPT?
16:43:38 <shelikhoo> yes
16:43:50 <meskio> shelikhoo do you want to introduce it?
16:43:54 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/httpt/-/issues/1#note_2826601
16:44:43 <shelikhoo> HTTPT is a transport we have decided to include in Tor Browser but haven't decided exactly how to
16:45:08 <shelikhoo> On the server, it is designed to be used together with a forwarder
16:45:45 <shelikhoo> for people without knowledge of the secret url, the forwarder like nginx acts like an ordinary web server
16:45:56 <shelikhoo> displaying a website
16:46:16 <shelikhoo> but when a client requests to connect to a specific path
16:46:34 <shelikhoo> the forwarder will send that connection to HTTPT
16:46:54 <shelikhoo> creating a bidirectional connection between HTTPT client and server
16:47:14 <shelikhoo> this prevents active probing by having a website as cover
16:48:12 <shelikhoo> but also makes it harder to passively classify the connection by making sure the client-server connections are standards-compliant HTTP connections
16:48:32 <shelikhoo> and can be seen as HTTPS traffic
16:49:15 <shelikhoo> in this issue, I outline the deployment pattern we could propose
16:49:42 <shelikhoo> On the server, there is an HTTPT pluggable transport managed by the C-Tor program
16:50:02 <shelikhoo> which listens on a local port
16:50:15 <shelikhoo> and a forwarder like nginx forwards connections to this local port
16:50:56 <shelikhoo> and the bridge operator ordinarily runs their own Tor and HTTPT
16:51:40 <shelikhoo> are there any questions so far?
16:51:46 <meskio> I think this proposal sounds pretty good, I think it's fair to assume bridge operators will run both tor and the web server for HTTPT
16:52:31 <shelikhoo> yes, we could in theory run a public HTTPT server, but it will create the same scale issue we encountered on snowflake
16:52:55 <meskio> let's decentralize and let bridge operators pay for the traffic...
16:52:58 <meskio> :)
16:53:02 <shelikhoo> yes...
16:53:16 <meskio> snowflake is special as we can not run tor as browser plugin
16:53:53 <meskio> (maybe we could, but wow, that would be fun compiling C-tor into wasm...)
16:54:28 <shelikhoo> yes, that's true, and tor doesn't support distributed servers on its own
16:54:48 <shelikhoo> we need to specifically work around some of tor's design to get it working
16:55:17 <shelikhoo> we cannot run tor in browser as it is not possible to create arbitrary tcp connections in browser
16:55:52 <shelikhoo> it can only send HTTP or other browser approved traffic
16:56:04 <meskio> yes, true, that is the real reason :)
16:56:11 <shelikhoo> I can begin the implementation of HTTPT right now, do we want to do that?
16:56:27 <shelikhoo> I can begin the implementation of the HTTPT PT right now, do we want to do that?
16:56:36 <meskio> your plan sounds good
16:56:49 <meskio> I'm eager to see what you produce with it :)
16:57:09 <itchyonion> yea the whole HTTPT thing sounds really interesting
16:58:11 <shelikhoo> yeah. I take it as a yes meskio
16:58:40 <meskio> +1
16:58:46 <meskio> anything else for today?
16:58:55 <shelikhoo> nothing from me
16:59:16 <itchyonion> me neither
16:59:24 <meskio> great, let's close the meeting then
16:59:28 <meskio> #endmeeting