<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">Hi all - </div><div dir="ltr"><br></div><div dir="ltr">My apologies if everyone is already aware of this: I wanted to share a new paper I came across this morning out of China this past week that suggests low-cost identification methods for snowflake traffic. One of their detection mechanisms is by identifying the STUN DNS lookups, so I thought it was relevant to this discussion, but they also propose using other features of the DTLS handshake for identification. </div><div dir="ltr"><br></div><div dir="ltr">I'm a little surprised this was published, but better to know now than have to reverse engineer later I suppose.</div><div dir="ltr"><br></div><div dir="ltr">Best,</div><div dir="ltr">Kevin</div><div dir="ltr"><br></div><div dir="ltr"><a rel="nofollow" href="https://www.mdpi.com/2076-3417/13/1/622/pdf">applsci-13-00622-v2</a> (PDF Document · 2.3 MB)<br></div><div dir="ltr"><br><blockquote type="cite">On Jan 3, 2023, at 8:53 AM, Nathan of Guardian &lt;nathan@guardianproject.info&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><span></span><br><span></span><br><blockquote type="cite"><span>On Dec 31, 2022, at 12:28 PM, Cecylia Bocovich &lt;cohosh@torproject.org&gt; wrote:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On 12/27/22 15:41, John Selbie wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Thank you Cecylia.  
I think this is a good plan.  I like the idea of stun.stunprotocol.org &lt;http://stun.stunprotocol.org&gt; being "in the rotation" for these nodes.  Just not the "exclusive default" unless a user manually configures it that way.  Does that work for you?</span><br></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Sounds good. Here's the issue where we're tracking the changes: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40241</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>It could be a few weeks until you see the traffic drop. Snowflake is distributed and there are a variety of update channels we have to push changes to. For the client traffic, we're dependent on the Tor Browser release schedule.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><span></span><br><span>We’ll take a look at some of the questions around DNS caching and STUN server rotation in the mobile IPtProxy library and Orbot use of Snowflake this week.</span><br><span></span><br><span>Best,</span><br><span>   Nathan</span><br><span>_______________________________________________</span><br><span>anti-censorship-team mailing list</span><br><span>anti-censorship-team@lists.torproject.org</span><br><span>https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team</span><br></div></blockquote></body></html>