15:57:28 <shelikhoo> #startmeeting tor anti-censorship meeting
15:57:28 <shelikhoo> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
15:57:28 <shelikhoo> feel free to add what you've been working on and put items on the agenda
15:57:28 <shelikhoo> the read-write link for the meeting pad can be requested via direct message
15:57:28 <MeetBot> Meeting started Thu Jan 18 15:57:28 2024 UTC. The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:57:28 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:06 <shelikhoo> hi~hi~
15:59:10 <cohosh> hi
15:59:16 <shelikhoo> thanks for the hi
15:59:23 <shelikhoo> I was double checking the time...
16:00:30 <cohosh> it takes 6 months to get used to the time change and then there's another time change :)
16:01:59 <shelikhoo> X~X Yes... and I almost have to check the calendar once in a while to confirm if there is any pending meeting
16:03:06 <shelikhoo> I think the DTLS anti-fingerprinting library was discussed last time. any updates we would like to discuss? (if not I will remove it for now)
16:03:26 <cohosh> nothing more from me
16:03:43 <dcf1> This is theodorsm's update on the issue:
16:03:45 <dcf1> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40014#note_2983785
16:06:00 <shelikhoo> I think China doesn't have DST and I think my life was perfectly fine without it
16:06:23 <cohosh> i think my life would be perfectly fine without clocks tbh
16:06:53 <shelikhoo> maybe just all use UTC and change the ordnance time instead...
16:07:01 <shelikhoo> hahahaha
16:07:34 <shelikhoo> ^ordnance^time schedule
16:08:07 <shelikhoo> okay, after reading the update on DTLS imitation, let's begin the first topic
16:08:19 <shelikhoo> SQS rendezvous deployment
16:08:19 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/214
16:08:52 <shelikhoo> I think this topic is from cohosh
16:09:04 <cohosh> i'm planning to review the most recent changes, but wanted to bring it up to discuss deployment because it's close to getting merged
16:09:10 <shelikhoo> would cohosh like to give an introduction?
16:09:26 <cohosh> are there any concerns with deploying this at the broker?
16:09:52 <cohosh> in terms of rollout, i was thinking we could do something similar to the AMP cache rendezvous addition and just advertise it on the forum and the bbs
16:10:13 <shelikhoo> I have not reviewed it yet, I think the only thing that might need a look is whether an attacker can flood the service to create a significant bill
16:10:27 <cohosh> and talk to ggus about testing where it is blocked
16:11:18 <cohosh> shelikhoo: yes, that's a concern for me too. i think i can set a billing limit on the policy perhaps but i'm not super familiar with aws
16:11:45 <cohosh> i have looking into that on my todo list before it's deployed
16:11:50 <shelikhoo> if I recall correctly, it is hard/impossible to set a limit on the bill
16:11:59 <shelikhoo> it is only possible to set an alert
16:12:08 <cohosh> hmm okay that's good to know
16:12:22 <shelikhoo> but please do have a look at the documentation
16:12:26 <dcf1> I remember with meek, at the time, there pointedly was no billing limit option, and the best I could find to do was set multiple alerts at $200 intervals and hope I was watching email if an attack happened.
16:12:30 <shelikhoo> this is just from my memory
16:12:45 <cohosh> we might be able to add a limit at the broker if this becomes an issue
16:13:20 <dcf1> One thing I did then was put a prepaid gift card with limited funds on the account, not sure if that would stop you from getting charged for overages really though
16:13:38 <shelikhoo> https://news.sophos.com/en-us/2015/03/20/greatfire-org-faces-daily-30000-bill-from-ddos-attack/
16:13:49 <cohosh> oh the prepaid card is a good idea
16:13:54 <shelikhoo> just a link for anyone who wants to learn more about this kind of attack
16:15:39 <shelikhoo> anyway that's one thing we should have a look at, but hopefully it will not become an issue any time soon
16:16:13 <cohosh> anything else we should consider before deployment?
16:16:38 <shelikhoo> nothing more from me
16:17:09 <shelikhoo> okay we can move on to the next topic
16:17:17 <shelikhoo> Our docker containers are out of date for snowflake and obfs4
16:17:17 <dcf1> Aside, it would be really nice if rendezvous methods could be separate processes and not have to be built into the main broker executable (i.e. https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26092)
16:17:24 <dcf1> But that's a separate issue.
16:18:57 <cohosh> dcf1: yeah good point, i had completely forgotten about that merge request and it was almost done
16:20:06 <shelikhoo> yes, maybe in the future the rendezvous methods can just act as an http proxy
16:20:30 <shelikhoo> to relay arbitrary reasonable messages between broker and client/proxy
16:20:57 <shelikhoo> that is something we could do in the maybe 'planned' signaling library
16:21:04 <dcf1> yes, my dream is that each rendezvous method is separately restartable on the broker: `systemctl restart snowflake-broker-sqs`
16:21:38 <shelikhoo> but when this 'plan' will come true is beyond my knowledge
16:21:43 <dcf1> The broker itself should just be a local process with no external listeners, even the HTTP interface IMO should be a module
16:22:16 <shelikhoo> or we can keep HTTP as an IPC interface standard?
16:22:45 <shelikhoo> but TLS encryption can be handled by another process
16:23:24 <shelikhoo> otherwise I don't know a better way to communicate all the broker's messages
16:23:26 <dcf1> registration messages should be encrypted and authenticated separately from TLS, but that is yet another issue
16:23:46 <dcf1> we did a lot of work deliberately to decouple the rendezvous message format from HTTP
16:23:59 <dcf1> (it used to be highly tied to HTTP, used HTTP header fields and HTTP response codes)
16:24:44 <shelikhoo> yes... the IPC method doesn't have to be HTTP
16:24:59 <shelikhoo> the IPC spec doesn't have to be HTTP
16:25:25 <shelikhoo> we can have a more detailed discussion when the time has come to work on this
16:25:59 <shelikhoo> right now it feels too remote for me... the situation may change by the time we actually work on this
16:26:25 <dcf1> "...yet another issue" https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/22945
16:26:53 <dcf1> Yes I agree it's not something to assign to the SQS contributors
16:27:42 <cohosh> agreed, so to summarize, i'll look into expensive DoS precautions and we'll proceed with deploying this feature
16:27:58 <shelikhoo> yes! nothing to add from me
16:28:04 <cohosh> *precautions against expensive DoS attacks, that is
16:29:21 <shelikhoo> the next topic is "Our docker containers are out of date for snowflake and obfs4"
16:29:35 <cohosh> yes, ggus alerted us yesterday that the obfs container ships with a version of tor that will be EOL soon
16:29:53 <cohosh> i suspect our snowflake proxy container has also not been updated since the most recent release
16:31:45 <cohosh> i have a lot on my plate with the lox integration and was hoping someone else would pick up the task of updating them
16:32:37 <shelikhoo> okay, then I can update them
16:32:58 <cohosh> thank you!
16:33:28 <shelikhoo> no problem!
16:33:34 <cohosh> that's it from me
16:34:06 <dcf1> shelikhoo I have started the review of snowflake!219, thanks for your patience
16:34:07 <tor> Uhm, which one of [tpo/anti-censorship/pluggable-transports/snowflake, tpo/web/snowflake] did you mean?
16:34:19 <dcf1> tpo/anti-censorship/pluggable-transports/snowflake!219
16:34:40 <dcf1> oh wow zwiebelbot text adventure game
16:34:46 <cohosh> :D
16:36:35 <shelikhoo> yes, don't worry it is a large change indeed, and the last 'deadline' was last Dec 31. So it no longer has a deadline now
16:36:54 <shelikhoo> please take your time
16:37:37 <shelikhoo> I think that's it for the docker image update topic
16:38:08 <shelikhoo> Anything we would like to discuss in this meeting?
16:38:16 <shelikhoo> Anything more we would like to discuss in this meeting?
16:38:21 <cohosh> nothing else from me
16:39:37 <dcf1> nothing from me
16:39:50 <shelikhoo> #endmeeting