16:00:04 #startmeeting tor anti-censorship meeting
16:00:04 Meeting started Thu Jan 29 16:00:04 2026 UTC. The chair is onyinyang. Information about MeetBot at https://wiki.debian.org/MeetBot.
16:00:04 Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:04 hello everyone!
16:00:04 here is our meeting pad: [https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469](https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469)
16:00:17 hello ^^
16:00:22 hello
16:00:23 hi~hi~
16:01:35 hi
16:01:59 I'll give everyone a couple of minutes to fill out the pad before starting :)
16:02:28 If anyone needs a link to edit the pad, please let me know
16:05:27 ok let's start
16:05:47 I think there are only 2 new discussion points
16:05:55 but is there any follow up from last week's items?
16:06:44 I guess the silence means no...
16:06:59 i don't think so, thanks for the comments on the issues :)
16:07:03 great :D
16:07:13 ok, let's move on to this week's items then
16:07:16 Proceed with merging DTLS imitation MR
16:07:21 This first topic is from me. I think the dtls-imitation merge request is more or less ready for merge, with some minor code refactoring pending. Do we have any blockers on this merge request?
16:07:36 \o/
16:07:43 I am currently working on your review comments Shelikhoo
16:07:56 Just testing locally before pushing to the MR
16:07:56 yes, thanks theodorsm
16:08:32 I think we can merge it without changing the default configuration first
16:10:04 Then we could discuss configuration after the reading group next week
16:10:14 yes
16:10:50 I think randomizemimc does not trigger any dtls negotiations failure
16:11:23 the plan was to merge it but don't enable it by default, isn't it?
16:11:28 yes
16:12:25 cohosh: I think we are considering to release a new version of snowflake
16:12:40 you mean new major version?
16:12:43 do we want to do this before or after the merge
16:12:48 no
16:12:49 ah
16:13:00 just a mid version bump
16:13:12 yeah there's also a bug fix in snowflake!659
16:13:12 Uhm, which one of [tpo/anti-censorship/pluggable-transports/snowflake, tpo/web/snowflake] did you mean?
16:13:19 so i'd like to get that in too
16:13:47 but yeah if it's not enabled by default we can get this one in too
16:13:59 i don't think we need to worry too much about tagging versions too frequently though
16:14:17 yes, I think we can tag versions more frequently
16:14:50 right now I think we are tagging too few versions for snowflake, in my opinion
16:15:22 although this is partially as a resulting of its client side is now managed by lyrebird
16:15:51 so dependency update usually do not require a new snowflake version
16:16:12 if there is no blockers, that is EOF on this topic from me
16:16:46 EOF
16:17:16 ok, let's move on to the next topic
16:17:21 snowflake proxies overloaded with the surge of Iranian users
16:17:29 I added that one
16:17:47 we have a surge of users coming from Iran's been reconnected to Internet
16:18:17 actually that surge is more noticeable in users marked as US than IR
16:18:26 https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/108
16:18:35 but that is another issue
16:19:00 anyway, the problem is that the snowflake proxies are overloaded
16:19:05 and many clients are denied
16:19:19 we are making a call over social networks and other circles for more proxies
16:19:38 not sure we can do much here, but I wanted to raise it here so we are aware
16:19:43 hi
16:19:50 o/
16:19:54 at the same time, we have never so many snowflake proxies
16:19:55 hi gus!
16:19:55 200k
16:20:16 BTW, this is the issue where this is being discussed: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40068#note_3330856
16:20:32 yes, 200k, but many inside Iran, so not sure if they are failing
16:20:43 we should check if the bridges are reachable from inside iran
16:21:06 from the vantage point, even `torproject.net` is reachable...
16:21:13 wow
16:21:38 https://people.torproject.org/~dcf/metrics-country.html?start=2025-11-01&end=2026-01-30&country=ir
16:21:56 I am not totally sure, but I suspect the golang's tls fingerprint might got blocked
16:23:00 I need to run some experiment to verify that...
16:23:22 we are not using that one, isn't it? we are using uTLS...
16:23:30 right now from the packet capture, I see some rst after clienthello from golang client
16:23:31 meskio[mds]: i can ask pavel to write more posts on social media
16:23:55 ggus: I did check with him yesterday and he said he was planning to do more on that
16:23:56 the proxy's connection to snowflake server might not use utls
16:24:03 if I recall correctly
16:24:07 i have been sharing stats on mastodon and it has good outreach - https://mastodon.social/@ggus/115978051478680236
16:24:23 Shelikhoo: I see
16:24:34 love you so much community team
16:24:45 <3
16:24:51 <3
16:25:06 <3
16:25:07 !! <#
16:25:26 \o/ >~<
16:26:04 Shelikhoo[mds]: i wonder if the bridge reachability checks we implemented to a full TLS handshake
16:26:12 BTW, the issue of miscounting IR users as US is weird because it only affects snowflake
16:26:24 I wonder if somehow is our bridges having a different geoipdb
16:26:35 i would assume so, but sometimes those errors only show up after a Write() or Read() call
16:26:38 I've seen this happening also with google services and other places, so probably not
16:26:51 how do you know it only affects snowflake users?
16:27:00 and maybe is more about being mobile or whatever the affected IPs
16:27:22 haha the first "Sign in with Google" prompt I saw after the shutdown ended was localized in Farsi
16:27:26 dcf1: https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/108
16:27:35 cohosh: I think sometimes tls's "func tls.Client" does not handshake until we read or write the first time
16:27:37 see the graph goes up for snowflake, but not for other transports
16:27:49 while in Iran obfs4 and webtunnel does also go up
16:28:06 oh I see. how interesting.
16:28:12 unless we run a handshake() manually
16:28:14 nice natural experiment
16:28:28 this makes sense as tls sometime supports 0rtt
16:29:14 Shelikhoo[mds]: ok thanks, i'll open an issue to rethink the reachability tests and confirm this
16:29:35 cohosh: nice!
16:30:27 https://cs.opensource.google/go/go/+/refs/tags/go1.25.6:src/crypto/tls/tls.go;l=60
16:30:34 actually from the source code
16:30:47 meskio[mds]: you might be onto something with the difference between mobile and desktop users
16:30:58 tls.Client don't actually call anything at all
16:31:29 it is just a pure function constructor
16:35:14 Shelikhoo[mds]: ok i'll add a note to pluggable-transports/snowflake#40504 which is still open
16:35:19 EOF from me on this topic
16:36:17 ok that brings us to the end of the discussion points
16:36:58 if there are no other comments, I will just remind everyone that next week we will have a reading group
16:37:01 We will discuss "Fingerprint-resistant DTLS for usage in Snowflake" on Feb 5
16:37:01 https://www.petsymposium.org/foci/2025/foci-2025-0006.php
16:38:06 and that's it. Enjoy the extra 20 min and the rest of your Thursday :D
16:38:09 #endmeeting