15:57:28 <shelikhoo> #startmeeting tor anti-censorship meeting
15:57:28 <shelikhoo> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
15:57:28 <shelikhoo> feel free to add what you've been working on and put items on the agenda
15:57:28 <shelikhoo> the read-write link for meeting pad can be requested via direct message
15:57:28 <MeetBot> Meeting started Thu Jan 18 15:57:28 2024 UTC.  The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:57:28 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:06 <shelikhoo> hi~hi~
15:59:10 <cohosh> hi
15:59:16 <shelikhoo> thanks for the hi
15:59:23 <shelikhoo> I was double checking the time...
16:00:30 <cohosh> it takes 6 months to get used to the time change and then there's another time change :)
16:01:59 <shelikhoo> X~X Yes... and I almost have to check the calendar once in a while to confirm if there is any pending meeting
16:03:06 <shelikhoo> I think the DTLS anti-fingerprinting library was discussed last time. any updates we would like to discuss? (if not I will remove it for now)
16:03:26 <cohosh> nothing more from me
16:03:43 <dcf1> This is theodorsm's update on the issue:
16:03:45 <dcf1> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40014#note_2983785
16:06:00 <shelikhoo> I think China doesn't have DST and I think my life was perfectly fine without it
16:06:23 <cohosh> i think my life would be perfectly fine without clocks tbh
16:06:53 <shelikhoo> maybe just all use maybe UTC and change the ordnance time instead...
16:07:01 <shelikhoo> hahahaha
16:07:34 <shelikhoo> ^ordnance^time schedule
16:08:07 <shelikhoo> okay, after reading the update of DTLS imitation, let's begin the first topic
16:08:19 <shelikhoo> SQS rendezvous deployment
16:08:19 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/214
16:08:52 <shelikhoo> I think this topic is from cohosh
16:09:04 <cohosh> i'm planning to review the most recent changes, but wanted to bring it up to discuss deployment because it's close to getting merged
16:07:34 <shelikhoo> ^ordnance^time schedule
16:08:07 <shelikhoo> okay, after reading the update on DTLS imitation, let's begin the first topic
16:09:52 <cohosh> in terms of rollout, i was thinking we could do something similar to the AMP cache rendezvous addition and just advertize it on the forum and the bbs
16:10:13 <shelikhoo> I have not reviewed it yet, I think the only thing that might need to have a look at is whether the attacker can flood the service to create significant bill
16:10:27 <cohosh> and talk to ggus about testing where it is blocked
16:11:18 <cohosh> shelikhoo: yes, that's a concern for me too. i think i can set a billing limit on the policy perhaps but i'm not super familiar with aws
16:11:45 <cohosh> i have looking into that on my todo list before it's deployed
16:11:50 <shelikhoo> if I recall correctly, it is hard/impossible to set a limit on the bill
16:11:59 <shelikhoo> it is only possible to set an alert
16:12:08 <cohosh> hmm okay that's good to know
16:12:22 <shelikhoo> but please do have a look at the documentation
16:12:26 <dcf1> I remember with meek, at the time, there pointedly was no billing limit option, and the best I could find to do is set multiple alerts at $200 intervals and hope I was watching email if an attack happened.
16:12:30 <shelikhoo> this is just from my memory
16:12:45 <cohosh> we might be able to add a limit at the broker if this becomes an issue
16:13:20 <dcf1> One thing I did then was put a prepaid gift card with limited funds on the account, not sure if that would stop you from getting charged for overages really though
16:13:38 <shelikhoo> https://news.sophos.com/en-us/2015/03/20/greatfire-org-faces-daily-30000-bill-from-ddos-attack/
16:13:49 <cohosh> oh the prepaid card is a good idea
16:13:54 <shelikhoo> just a link for anyone who wants to learn more about this kind of attack
16:15:39 <shelikhoo> anyway that's one thing we should have a look at, but hopefully it will not become an issue any time soon
16:16:13 <cohosh> anything else we should consider before deployment?
16:16:38 <shelikhoo> nothing more from me
16:17:09 <shelikhoo> okay we can move on to the next topic
16:17:17 <shelikhoo> Our docker containers are out of date for snowflake and obfs4
16:17:17 <dcf1> Aside, it would be really nice if rendezvous methods could be separate processes and not have to be built into the main broker executable (i.e. https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/26092)
16:17:24 <dcf1> But that's a separate issue.
16:18:57 <cohosh> dcf1: yeah good point, i had completely forgotten about that merge request and it was almost done
16:20:06 <shelikhoo> yes, maybe in the future the rendezvous methods can just act as an HTTP proxy
16:20:30 <shelikhoo> to relay arbitrary reasonable messages between broker and client/proxy
16:20:57 <shelikhoo> that is something we could do in the maybe 'planned' signaling library
16:21:04 <dcf1> yes, my dream is that each rendezvous method is separately restartable on the broker: `systemctl restart snowflake-broker-sqs`
16:21:38 <shelikhoo> but when this 'plan' will come true is beyond my knowledge
16:21:43 <dcf1> The broker itself should just be a local process with no external listeners, even the HTTP interface IMO should be a module
16:22:16 <shelikhoo> or we can keep the HTTP as an IPC interface standard?
16:22:45 <shelikhoo> but TLS encryption can be handled by another process
16:23:24 <shelikhoo> otherwise I don't know a better way to communicate all the broker's messages
16:23:26 <dcf1> registration messages should be encrypted and authenticated separately from TLS, but that is yet another issue
16:23:46 <dcf1> we did a lot of work deliberately to decouple the rendezvous message format from HTTP
16:23:59 <dcf1> (it used to be highly tied to HTTP, used HTTP header fields and HTTP response codes)
16:24:44 <shelikhoo> yes...  the IPC method doesn't have to be HTTP
16:24:59 <shelikhoo> the IPC spec doesn't have to be HTTP
16:25:25 <shelikhoo> we can have a more detailed discussion when the time has come to work on this
16:25:59 <shelikhoo> right now it feels too remote for me... the situation may change by the time we actually work on this
16:26:25 <dcf1> "...yet another issue" https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/22945
16:26:53 <dcf1> Yes I agree it's not something to assign to the SQS contributors
16:27:42 <cohosh> agreed, so to summarize, i'll look into expensive DoS precautions and we'll proceed with deploying this feature
16:27:58 <shelikhoo> yes! nothing to add from me
16:28:04 <cohosh> *precautions against expensive DoS attacks, that is
16:29:21 <shelikhoo> the next topic is "Our docker containers are out of date for snowflake and obfs4"
16:29:35 <cohosh> yes, ggus alerted us yesterday that the obfs container ships with a version of tor that will be EOL soon
16:29:53 <cohosh> i suspect our snowflake proxy container has also not been updated since the most recent release
16:31:45 <cohosh> i have a lot on my plate with the lox integration and was hoping someone else would pick up the task of updating them
16:32:37 <shelikhoo> okay, then I can update them
16:32:58 <cohosh> thank you!
16:33:28 <shelikhoo> no problem!
16:33:34 <cohosh> that's it from me
16:34:06 <dcf1> shelikhoo I have started the review of snowflake!219, thanks for your patience
16:34:07 <tor> Uhm, which one of [tpo/anti-censorship/pluggable-transports/snowflake, tpo/web/snowflake] did you mean?
16:34:19 <dcf1> tpo/anti-censorship/pluggable-transports/snowflake!219
16:34:40 <dcf1> oh wow zwiebelbot text adventure game
16:34:46 <cohosh> :D
16:36:35 <shelikhoo> yes, don't worry, it is a large change indeed, and the last 'deadline' was last Dec 31. So it no longer has a deadline now
16:36:54 <shelikhoo> please take your time
16:37:37 <shelikhoo> I think that's it for the docker image update topic
16:38:08 <shelikhoo> Anything we would like to discuss in this meeting?
16:38:16 <shelikhoo> Anything more we would like to discuss in this meeting?
16:38:21 <cohosh> nothing else from me
16:39:37 <dcf1> nothing from me
16:39:50 <shelikhoo> #endmeeting