16:00:45 #startmeeting tor anti-censorship meeting
16:00:45 here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
16:00:45 editable link available on request
16:00:45 Meeting started Thu Nov 21 16:00:45 2024 UTC. The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:45 Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:48 hi~hi~
16:01:00 hello \o
16:01:23 hi
16:02:13 hihi
16:02:15 please add discussion topic to the pad if any
16:03:06 I didn't see any new topic...
16:03:08 I don't think I have anything for today
16:03:18 and there might not be updates on the old topics, isn't it?
16:03:24 let's start with interesting links..
16:03:35 https://github.com/doxx/darkflare
16:03:35 TCP over CDN. using cloudflare to tunnel traffic, the client does HTTP requests.
16:03:49 DrWhax shared it in our channel
16:03:50 I got a look into its code, it works in meek way
16:03:55 yes..
16:04:04 and next link is
16:04:12 good that you actually look into it, I only skimmed the readme
16:04:13 https://www.youtube.com/watch?v=rZYfrj2iqYE&list=PLbRoZ5Rrl5ldQ2K_dpmPKHEyRgyf5JSxd&index=148
16:04:13 Snowflake conference presentation from Usenix Security 2024
16:04:52 nice, the video is finally public
16:05:04 the link for snowflake conference presentation is now live, and it is highly recommended to watch it
16:05:10 it was awesome!!!
16:05:15 I'll love to see dcf1 there :)
16:05:29 okay, anything we wish to discuss about these links?
16:06:24 okay, let's move back to the discussion points
16:06:38 do we have any updates about snowflake censorship in russia, cohosh?
16:06:55 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40407#note_3132285
16:07:28 yeah, i wrote a patch to directly test specific proxies by using manual copy-paste as a signaling channel
16:07:48 we used to have this for testing, i just added it back in
16:08:02 https://gitlab.torproject.org/cohosh/snowflake/-/commit/a4a574a4584332fc2825ff4ebe142c9702032fad
16:08:18 i'll probably post instructions on how to use it somewhere later today
16:08:59 i tried it out from the vantage point, and a few proxies i spun up showed the same blocking behaviour
16:09:08 which seems to suggest it's being blocked by protocol
16:09:29 i also tried the padding patch that dcf1 shared last week and it was still blocked
16:09:53 too bad...
16:10:01 i think i'll try and see if it's a data channel block next
16:10:08 I was wondering if it's something else conspicuous right after the initial handshake, like a Hello Retry Request maybe?
16:11:02 i didn't notice any difference in handshake messages between proxies that were blocked and ones that seemingly weren't, from our pcaps
16:11:22 including hello retry requests
16:12:08 i'll check again
16:12:10 It's not possible there's something different about Application records, do you think?
16:12:43 that's also possible, i didn't look closely at application records
16:12:58 i only checked how many bytes were sent before the connection went stale
16:13:44 I guess theodorsm is not here. I wonder if it's possible to quickly implement a client with covertDTLS https://github.com/theodorsm/covert-dtls?
16:14:06 I saw that pion webrtc v4 was merged, which I believe was a prerequisite to doing that.
16:14:13 yeah if it's quick it's definitely worth trying
16:15:56 yes... it still needs some additional effort to find out the root cause... thanks for cohosh's and dcf1's work!
16:16:09 theodorsm's notes say "Test Snowflake fork with covert-dtls", but I don't see a snowflake fork at https://github.com/theodorsm?tab=repositories.
16:16:55 maybe this one? https://gitlab.torproject.org/theodorsm/snowflake
16:17:02 an update about snowflake broker transition is that, next monday there will be a DNS switch to make the new broker primary
16:17:08 there is a covert-tls-test branch...
16:17:30 nice!
16:17:41 yes!
16:17:45 expired cdn77 alerts
16:17:45 https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-alerts@lists.torprojec
16:17:50 shelikhoo: nice, shout if you need any help there
16:18:00 I added that one
16:18:12 https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-alerts@lists.torproject.org/thread/6BAEW3ENYOPJI3XZWTR67TLSJWND3XFT/
16:18:18 I see there have been alerts the last couple of days about the cert in cdn77 being about to expire
16:18:35 cohosh: do you know anything about it? does it require any manual intervention?
16:18:47 oh, i didn't know about these alerts
16:19:10 cert expiry was an issue for fastly domains because of their domain fronting policy
16:19:26 i'm not aware of any trouble with cdn77, unless the domain does not renew its cert at all
16:19:38 I'm not sure where this alert is coming from
16:19:52 but if it is not a problem we should probably find a way to silence it
16:20:00 oh these are our domains, lol
16:20:17 i might need to look into this
16:20:25 blackbox is one of the prometheus exporters that tests if a service is reachable, like a website
16:20:55 https://gitlab.torproject.org/tpo/tpa/prometheus-alerts/-/blob/main/targets.d/blackbox_anticensorship.yaml?ref_type=heads
16:21:15 It looks like it was me who added it there
16:21:30 hehe
16:22:00 i'll look into it, i think everything is just a let's encrypt cert
16:22:09 thanks
16:22:24 yes
16:22:35 anything more we would like to discuss in this meeting?
16:23:15 nothing from me
16:23:18 I'll send an email to theodorsm and Cc anti-censorship-team@ to ask about the state of the covert-dtls-test branch
16:23:28 thanks dcf1
16:23:34 yes, thanks dcf1
16:23:36 nothing more from me
16:23:40 me neither
16:23:46 #endmeeting