16:00:14 <Shelikhoo[mds]> #startmeeting tor anti-censorship meeting
16:00:14 <MeetBot> Meeting started Thu Oct  2 16:00:14 2025 UTC.  The chair is Shelikhoo[mds]. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:14 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:14 <Shelikhoo[mds]> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
16:00:14 <Shelikhoo[mds]> editable link available on request
16:00:19 <Shelikhoo[mds]> Hi~Hi~
16:00:22 <onyinyang> hihi :D
16:00:28 <meskio> hello
16:00:29 <cohosh> hi
16:00:32 <onyinyang> oh right, the pad
16:03:16 <Shelikhoo[mds]> I didn't see any discussion point
16:03:30 <Shelikhoo[mds]> let's start with interesting links
16:03:48 <Shelikhoo[mds]> ]    https://github.com/net4people/bbs/issues/422#issuecomment-3316062302 (2025-09-21)
16:03:48 <Shelikhoo[mds]> (Russia) "I've noticed that stun protocol was blocked from mid-summer till today (it worked in June last time when I've used public stun to punch through NAT). Seems that only stun to public stun servers like stun.l.google.com, stun.bethesda.net were affected. Stun between webtunnel client and other webtunnel peer is not affected as can be seen in attached captures below. The only stun server that was accessible all that time was
16:03:48 <Shelikhoo[mds]> stun.rtc.yandex.net (of all the gists and lists of public stun servers I could find)."
16:03:48 <Shelikhoo[mds]> "<...> is another website using cdn77 I know. www.cdn77.com is blocked by SNI (session freezes after client hello), and www.phpmyadmin.net, though it doesn't cause hetzner to be blocked anymore, might cause stricter filtering or other side-effects."
16:03:55 <Shelikhoo[mds]> Is this a new topic?
16:04:34 <Shelikhoo[mds]> I could have a check of vantage point domain fronting test results next week
16:04:48 <Shelikhoo[mds]> and see if we could discover a new working fronting domain
16:05:31 <Shelikhoo[mds]> anything we would like to discuss on this interesting link?
16:06:07 <dcf1> It's new information in the past few weeks.
16:06:13 <cohosh> yeah that's new to me
16:06:29 <meskio> yes, maybe we need to figure out new domains for domain fronting, AFAIK we only use cdn77.com in snowflake
16:06:42 <cohosh> we definitely do
16:06:55 <dcf1> "Had to change front though ... where <...> is another website using cdn77 I know. www.cdn77.com is blocked by SNI (session freezes after client hello), and www.phpmyadmin.net, though it doesn't cause hetzner to be blocked anymore, might cause stricter filtering or other side-effects."
16:07:01 <cohosh> it might be worth updating the censorship settings for snowflake in china in the meantime
16:07:13 <dcf1> This thread is Russia
16:07:39 <cohosh> yeah, sorry, we also know that our cdn77 fronts are blocked in china
16:07:56 <cohosh> although this will affect moat requests as well
16:08:40 <meskio> yes, we've being testing netlify in the alpha channel of TB, maybe is a time to use it in the stable
16:08:46 <meskio> I mean for moat
16:08:57 <meskio> and keep cdn77 only for snowflake, with new domain names
16:08:57 <cohosh> i think that's a good idea
16:09:17 <Shelikhoo[mds]> Yeah, we should also looking for new fronting domains
16:09:18 <meskio> I have a list of useful domain names in cdn77 somewhere, we need to check wich works
16:10:06 <cohosh> meskio: ah, great, can you add it to https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168
16:10:15 <Shelikhoo[mds]> yeah, we can send this list of potentially useful domain for testing with the updated domain fronting testing support on our vantage points
16:10:22 <cohosh> (when you find it)
16:12:04 <cohosh> and we'll need to update circumvention settings in russia
16:12:26 <cohosh> we're using ampcache as a backup there https://bridges.torproject.org/moat/circumvention/map
16:12:35 <Shelikhoo[mds]> yes, we can test if there are some working fronting domains
16:12:46 <cohosh> and sqs in china, both places we know the current cdn77 front domains are blocked
16:13:18 <Shelikhoo[mds]> in theory, we could also get a lot of fronting domains, and only distribute one of them at a time to users
16:13:46 <meskio> I see the list I have is the ones we've being using in multiple transports around, I can try to produce more but not sure if I'll be able today
16:13:50 <meskio> I just pasted my list there
16:13:54 <Shelikhoo[mds]> in this way even if the fronting domain has limited significance, they won't be easily blocked
16:14:10 <cohosh> i'm checking when the next stable tor browser release is
16:14:28 <meskio> BTW, new prospective domains maybe should be shared as a "internal note" until we start using them
16:14:41 <cohosh> but maybe we should do at least a forum post in the meantime?
16:15:15 <cohosh> there was one two days ago >.<
16:15:35 <cohosh> looks like october 21st
16:16:28 <cohosh> should we encourage users in russia and china to use alpha (with the netlify domain fronting) until then?
16:17:03 <meskio> this will only solve reaching moat
16:17:09 <meskio> and I'
16:17:31 <meskio> I'm not sure if we should encorage using alpha in places where the thread is high
16:17:32 <Shelikhoo[mds]> I think we can also change the circumvention settings
16:17:36 <cohosh> yeah, which includes circumvention settings updates
16:17:49 <Shelikhoo[mds]> which I assumes instantly applys
16:17:54 <cohosh> Shelikhoo[mds]: how will people reach the circumvention settings without moat?
16:18:23 <meskio> sorry, I tend to say moat including circumvention settings
16:19:12 <Shelikhoo[mds]> cohosh: oh.... thanks for the reminder.... if moat isn't working then the circumvention settings won't work either
16:19:48 <cohosh> another thing we can do is move forward with the multiple builtin snowflake bridge lines idea
16:20:11 <cohosh> and add in an ampcache bridge (which works in russia)
16:20:30 <cohosh> we could add an sqs bridge too which would work in china but i'm afraid of what it'll do to the costs
16:21:02 <meskio> I think we have already agreed on including ampcache as builtin bridge, isn't it?
16:21:11 <cohosh> we did but we haven't done it
16:21:13 <cohosh> afaik
16:21:19 <meskio> :)
16:21:26 <cohosh> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43842
16:21:33 <cohosh> we could prioritize it
16:21:43 <cohosh> and then decide whether we want to ask for an emergency stable release
16:23:05 <meskio> +1
16:23:22 <Shelikhoo[mds]> yes!
16:23:23 <cohosh> should we also ask to move the netlify settings from alpha to stable?
16:23:26 <cohosh> while we're at it
16:24:00 <cohosh> or quickly find a working cdn77 front?
16:24:46 <meskio> I think we should move the netlify setting
16:24:52 <cohosh> i haven't been working with the vantage points
16:25:00 <cohosh> meskio: ok cool, that removes the testing step then
16:25:04 <meskio> anyway it was planned to be moved in the next mayor release (that should happen soon)
16:26:02 <cohosh> ok i'll add the snowflake bridge line and follow up with the applications team about both of these changes
16:26:17 <meskio> thank you
16:26:41 <cohosh> does anyone have time to throw together a forum post?
16:27:50 <onyinyang> I could do it but haven't done this before. Is there any prior work that can be referenced for guidance?
16:28:21 <cohosh> ah, i can add the yandex stun server
16:29:39 <cohosh> onyinyang: here's a past post about snowflake not working https://forum.torproject.org/t/problems-with-snowflake-since-2023-09-20-broker-failure-unexpected-error-no-answer/9346
16:29:46 <onyinyang> cool thanks
16:29:58 <onyinyang> I will work on something and post it in the channel for review later
16:30:13 <cohosh> good things to include are temporary workarounds and maybe who is affected
16:30:23 <cohosh> thanks <3
16:30:31 <onyinyang> kk
16:30:38 * meskio have to leave, and sneaks out, bye
16:30:49 * onyinyang waves
16:30:58 <cohosh> meskio: see ya :)
16:31:13 <cohosh> wow i feel bad for missing this net4people bbs post, i was even mentioned in it :(
16:32:40 <cohosh> anything else we should be doing?
16:33:14 <Shelikhoo[mds]> waves...
16:33:53 <Shelikhoo[mds]> I was inspecting what fronting domain are working based on vantage point test results...
16:35:12 <Shelikhoo[mds]> I was able to confirm that vuejs.org with netlify is working
16:35:23 <cohosh> nice thanks for doing that
16:36:06 <onyinyang> oh great, I hadn't gotten back to that issue yet due to some minor rdsys fires
16:36:28 <cohosh> ha, that is the current setting https://gitlab.torproject.org/tpo/applications/tor-browser/-/blob/tor-browser-140.3.0esr-15.0-1/browser/app/profile/000-tor-browser.js#L129
16:36:37 <onyinyang> (that are mostly extinguished now heh)
16:36:39 <cohosh> so if stable went out yesterday, maybe that was in it
16:37:09 <onyinyang> how did they know o.o
16:37:12 <onyinyang> XD
16:37:50 <Shelikhoo[mds]> and all current fronting domains being tested for cdn77 is not working reliability: don't didn't work in at least one region in the past few days
16:38:32 <cohosh> okay it seems like netlify is the best option then
16:39:22 <Shelikhoo[mds]> yes.... we could try to find next working fronting domains, but it will take sometime
16:39:49 <Shelikhoo[mds]> but we have netlify on standby so let's use it
16:40:03 <onyinyang> makes sense to me
16:41:20 <Shelikhoo[mds]> I do hope our signaling library thing get green lighted... since our signaling channels does start to be depleted....
16:41:37 <onyinyang> same.
16:41:51 <Shelikhoo[mds]> anything more we wants to discuss on this topic?
16:42:34 <Shelikhoo[mds]> Mention of snowflake SNIs in the galaxy/platform/galaxy-qgw-service repo of MESA Git. The filenames include "E21" which is Ethiopia.... (full message at <https://matrix.debian.social/ircbridge/media/v1/media/download/AQZ9_ki93ixlL4Fy0qACy0mqWRtw8jiNniWiyROULS2EdHyQtSAwmW2R1cyJ0mrhc5ZxxTLB8rhUHDhEE66r9nlCeZydpbEgAG1hdHJpeC5kZWJpYW4uc29jaWFsL2xsY2JjVUhRWXFwSE1LZ2lBVmJsbnBGUw>)
16:43:04 <Shelikhoo[mds]> the next topic is about the spotted mention of Tor related domain in the data leak
16:43:11 <dcf1> I'm just grepping the Git repos for various strings, I haven't looked into what they all mean in context
16:44:49 <dcf1> If you want to see yourself, the mesalab_git.tar.zst is not *that* bad to handle. Fully extracted and all the bundles fully cloned is 167 GB.
16:45:47 <dcf1> Probably the tango/maat/test/tsgrule because Maat is an actual rules angine and these lines look like they may figure into actual rules. Though the directory they're in is called "test".
16:46:56 <Shelikhoo[mds]> my personal first guess is that they are testing their domain matcher implementation with these snis
16:49:23 <Shelikhoo[mds]> anything more we wants to discuss about this interesting link?
16:49:44 <Shelikhoo[mds]> https://filter.watch/english/2025/10/02/irans-stealth-blackout-a-multi-stakeholder-analysis-of-the-june-2025-internet-shutdown/
16:49:44 <Shelikhoo[mds]> https://filter.watch/wp-content/uploads/sites/2/2025/10/Click-here-to-read-the-full-report.pdf
16:49:44 <Shelikhoo[mds]> Discussion of Tor starting on PDF page 23
16:50:18 <Shelikhoo[mds]> There is an interesting link about reports related to Iran Internet shutdown
16:50:24 <Shelikhoo[mds]> in which Tor is mentioned
16:51:27 <Shelikhoo[mds]> anything more we wants to discuss in this meeting?
16:51:43 <onyinyang> nothing from me
16:51:51 <cohosh> i just got an update the next stable release is going out early next week
16:52:16 <cohosh> so i'll aim to have thosw fixes done by tomorrow :)
16:53:09 <Shelikhoo[mds]> #endmeeting