16:00:14 <Shelikhoo[mds]> #startmeeting tor anti-censorship meeting
16:00:14 <MeetBot> Meeting started Thu Oct 2 16:00:14 2025 UTC. The chair is Shelikhoo[mds]. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:14 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:14 <Shelikhoo[mds]> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
16:00:14 <Shelikhoo[mds]> editable link available on request
16:00:19 <Shelikhoo[mds]> Hi~Hi~
16:00:22 <onyinyang> hihi :D
16:00:28 <meskio> hello
16:00:29 <cohosh> hi
16:00:32 <onyinyang> oh right, the pad
16:03:16 <Shelikhoo[mds]> I didn't see any discussion point
16:03:30 <Shelikhoo[mds]> let's start with interesting links
16:03:48 <Shelikhoo[mds]> ] https://github.com/net4people/bbs/issues/422#issuecomment-3316062302 (2025-09-21)
16:03:48 <Shelikhoo[mds]> (Russia) "I've noticed that stun protocol was blocked from mid-summer till today (it worked in June last time when I've used public stun to punch through NAT). Seems that only stun to public stun servers like stun.l.google.com, stun.bethesda.net were affected. Stun between webtunnel client and other webtunnel peer is not affected as can be seen in attached captures below. The only stun server that was accessible all that time was
16:03:48 <Shelikhoo[mds]> stun.rtc.yandex.net (of all the gists and lists of public stun servers I could find)."
16:03:48 <Shelikhoo[mds]> "<...> is another website using cdn77 I know. www.cdn77.com is blocked by SNI (session freezes after client hello), and www.phpmyadmin.net, though it doesn't cause hetzner to be blocked anymore, might cause stricter filtering or other side-effects."
16:03:55 <Shelikhoo[mds]> Is this a new topic?
16:04:34 <Shelikhoo[mds]> I could have a check of vantage point domain fronting test results next week
16:04:48 <Shelikhoo[mds]> and see if we could discover a new working fronting domain
16:05:31 <Shelikhoo[mds]> anything we would like to discuss on this interesting link?
16:06:07 <dcf1> It's new information in the past few weeks.
16:06:13 <cohosh> yeah that's new to me
16:06:29 <meskio> yes, maybe we need to figure out new domains for domain fronting, AFAIK we only use cdn77.com in snowflake
16:06:42 <cohosh> we definitely do
16:06:55 <dcf1> "Had to change front though ... where <...> is another website using cdn77 I know. www.cdn77.com is blocked by SNI (session freezes after client hello), and www.phpmyadmin.net, though it doesn't cause hetzner to be blocked anymore, might cause stricter filtering or other side-effects."
16:07:01 <cohosh> it might be worth updating the censorship settings for snowflake in china in the meantime
16:07:13 <dcf1> This thread is Russia
16:07:39 <cohosh> yeah, sorry, we also know that our cdn77 fronts are blocked in china
16:07:56 <cohosh> although this will affect moat requests as well
16:08:40 <meskio> yes, we've been testing netlify in the alpha channel of TB, maybe is a time to use it in the stable
16:08:46 <meskio> I mean for moat
16:08:57 <meskio> and keep cdn77 only for snowflake, with new domain names
16:08:57 <cohosh> i think that's a good idea
16:09:17 <Shelikhoo[mds]> Yeah, we should also be looking for new fronting domains
16:09:18 <meskio> I have a list of useful domain names in cdn77 somewhere, we need to check which works
16:10:06 <cohosh> meskio: ah, great, can you add it to https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168
16:10:15 <Shelikhoo[mds]> yeah, we can send this list of potentially useful domain for testing with the updated domain fronting testing support on our vantage points
16:10:22 <cohosh> (when you find it)
16:12:04 <cohosh> and we'll need to update circumvention settings in russia
16:12:26 <cohosh> we're using ampcache as a backup there https://bridges.torproject.org/moat/circumvention/map
16:12:35 <Shelikhoo[mds]> yes, we can test if there are some working fronting domains
16:12:46 <cohosh> and sqs in china, both places we know the current cdn77 front domains are blocked
16:13:18 <Shelikhoo[mds]> in theory, we could also get a lot of fronting domains, and only distribute one of them at a time to users
16:13:46 <meskio> I see the list I have is the ones we've been using in multiple transports around, I can try to produce more but not sure if I'll be able today
16:13:50 <meskio> I just pasted my list there
16:13:54 <Shelikhoo[mds]> in this way even if the fronting domain has limited significance, they won't be easily blocked
16:14:10 <cohosh> i'm checking when the next stable tor browser release is
16:14:28 <meskio> BTW, new prospective domains maybe should be shared as an "internal note" until we start using them
16:14:41 <cohosh> but maybe we should do at least a forum post in the meantime?
16:15:15 <cohosh> there was one two days ago >.<
16:15:35 <cohosh> looks like october 21st
16:16:28 <cohosh> should we encourage users in russia and china to use alpha (with the netlify domain fronting) until then?
16:17:03 <meskio> this will only solve reaching moat
16:17:09 <meskio> and I'
16:17:31 <meskio> I'm not sure if we should encourage using alpha in places where the threat is high
16:17:32 <Shelikhoo[mds]> I think we can also change the circumvention settings
16:17:36 <cohosh> yeah, which includes circumvention settings updates
16:17:49 <Shelikhoo[mds]> which I assume instantly applies
16:17:54 <cohosh> Shelikhoo[mds]: how will people reach the circumvention settings without moat?
16:18:23 <meskio> sorry, I tend to say moat including circumvention settings
16:19:12 <Shelikhoo[mds]> cohosh: oh.... thanks for the reminder.... if moat isn't working then the circumvention settings won't work either
16:19:48 <cohosh> another thing we can do is move forward with the multiple builtin snowflake bridge lines idea
16:20:11 <cohosh> and add in an ampcache bridge (which works in russia)
16:20:30 <cohosh> we could add an sqs bridge too which would work in china but i'm afraid of what it'll do to the costs
16:21:02 <meskio> I think we have already agreed on including ampcache as builtin bridge, isn't it?
16:21:11 <cohosh> we did but we haven't done it
16:21:13 <cohosh> afaik
16:21:19 <meskio> :)
16:21:26 <cohosh> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43842
16:21:33 <cohosh> we could prioritize it
16:21:43 <cohosh> and then decide whether we want to ask for an emergency stable release
16:23:05 <meskio> +1
16:23:22 <Shelikhoo[mds]> yes!
16:23:23 <cohosh> should we also ask to move the netlify settings from alpha to stable?
16:23:26 <cohosh> while we're at it
16:24:00 <cohosh> or quickly find a working cdn77 front?
16:24:46 <meskio> I think we should move the netlify setting
16:24:52 <cohosh> i haven't been working with the vantage points
16:25:00 <cohosh> meskio: ok cool, that removes the testing step then
16:25:04 <meskio> anyway it was planned to be moved in the next major release (that should happen soon)
16:26:02 <cohosh> ok i'll add the snowflake bridge line and follow up with the applications team about both of these changes
16:26:17 <meskio> thank you
16:26:41 <cohosh> does anyone have time to throw together a forum post?
16:27:50 <onyinyang> I could do it but haven't done this before. Is there any prior work that can be referenced for guidance?
16:28:21 <cohosh> ah, i can add the yandex stun server
16:29:39 <cohosh> onyinyang: here's a past post about snowflake not working https://forum.torproject.org/t/problems-with-snowflake-since-2023-09-20-broker-failure-unexpected-error-no-answer/9346
16:29:46 <onyinyang> cool thanks
16:29:58 <onyinyang> I will work on something and post it in the channel for review later
16:30:13 <cohosh> good things to include are temporary workarounds and maybe who is affected
16:30:23 <cohosh> thanks <3
16:30:31 <onyinyang> kk
16:30:38 * meskio have to leave, and sneaks out, bye
16:30:49 * onyinyang waves
16:30:58 <cohosh> meskio: see ya :)
16:31:13 <cohosh> wow i feel bad for missing this net4people bbs post, i was even mentioned in it :(
16:32:40 <cohosh> anything else we should be doing?
16:33:14 <Shelikhoo[mds]> waves...
16:33:53 <Shelikhoo[mds]> I was inspecting what fronting domains are working based on vantage point test results...
16:35:12 <Shelikhoo[mds]> I was able to confirm that vuejs.org with netlify is working
16:35:23 <cohosh> nice thanks for doing that
16:36:06 <onyinyang> oh great, I hadn't gotten back to that issue yet due to some minor rdsys fires
16:36:28 <cohosh> ha, that is the current setting https://gitlab.torproject.org/tpo/applications/tor-browser/-/blob/tor-browser-140.3.0esr-15.0-1/browser/app/profile/000-tor-browser.js#L129
16:36:37 <onyinyang> (that are mostly extinguished now heh)
16:36:39 <cohosh> so if stable went out yesterday, maybe that was in it
16:37:09 <onyinyang> how did they know o.o
16:37:12 <onyinyang> XD
16:37:50 <Shelikhoo[mds]> and all current fronting domains being tested for cdn77 are not working reliably: didn't work in at least one region in the past few days
16:38:32 <cohosh> okay it seems like netlify is the best option then
16:39:22 <Shelikhoo[mds]> yes.... we could try to find next working fronting domains, but it will take some time
16:39:49 <Shelikhoo[mds]> but we have netlify on standby so let's use it
16:40:03 <onyinyang> makes sense to me
16:41:20 <Shelikhoo[mds]> I do hope our signaling library thing gets green lighted... since our signaling channels do start to be depleted....
16:41:37 <onyinyang> same.
16:41:51 <Shelikhoo[mds]> anything more we want to discuss on this topic?
16:42:34 <Shelikhoo[mds]> Mention of snowflake SNIs in the galaxy/platform/galaxy-qgw-service repo of MESA Git. The filenames include "E21" which is Ethiopia.... (full message at <https://matrix.debian.social/ircbridge/media/v1/media/download/AQZ9_ki93ixlL4Fy0qACy0mqWRtw8jiNniWiyROULS2EdHyQtSAwmW2R1cyJ0mrhc5ZxxTLB8rhUHDhEE66r9nlCeZydpbEgAG1hdHJpeC5kZWJpYW4uc29jaWFsL2xsY2JjVUhRWXFwSE1LZ2lBVmJsbnBGUw>)
16:43:04 <Shelikhoo[mds]> the next topic is about the spotted mention of Tor related domain in the data leak
16:43:11 <dcf1> I'm just grepping the Git repos for various strings, I haven't looked into what they all mean in context
16:44:49 <dcf1> If you want to see yourself, the mesalab_git.tar.zst is not *that* bad to handle. Fully extracted and all the bundles fully cloned is 167 GB.
16:45:47 <dcf1> Probably the tango/maat/test/tsgrule because Maat is an actual rules engine and these lines look like they may figure into actual rules. Though the directory they're in is called "test".
16:46:56 <Shelikhoo[mds]> my personal first guess is that they are testing their domain matcher implementation with these snis
16:49:23 <Shelikhoo[mds]> anything more we want to discuss about this interesting link?
16:49:44 <Shelikhoo[mds]> https://filter.watch/english/2025/10/02/irans-stealth-blackout-a-multi-stakeholder-analysis-of-the-june-2025-internet-shutdown/
16:49:44 <Shelikhoo[mds]> https://filter.watch/wp-content/uploads/sites/2/2025/10/Click-here-to-read-the-full-report.pdf
16:49:44 <Shelikhoo[mds]> Discussion of Tor starting on PDF page 23
16:50:18 <Shelikhoo[mds]> There is an interesting link about reports related to Iran Internet shutdown
16:50:24 <Shelikhoo[mds]> in which Tor is mentioned
16:51:27 <Shelikhoo[mds]> anything more we want to discuss in this meeting?
16:51:43 <onyinyang> nothing from me
16:51:51 <cohosh> i just got an update the next stable release is going out early next week
16:52:16 <cohosh> so i'll aim to have those fixes done by tomorrow :)
16:53:09 <Shelikhoo[mds]> #endmeeting