February 2025 - anti-censorship-team

SQS rendezvous exceeded free tier usage
by Cecylia Bocovich 05 Mar '25

05 Mar '25

I got a notification from AWS that our SQS rendezvous service exceeded the free-tier usage this month with over 1,000,000 SQS API requests. This is in some sense exciting news, because it shows that the rendezvous channel is effective and getting some use. It does, however mean that we will have to start paying for the service. The current billing period falls on month boundaries, from January 1st to January 31st. The budget action fired on January 9th, which is pretty early in the month. Looking at our broker metrics[0,1], there were approximately 38,608 client polls using SQS. That's approximately 2.5 requests per poll, which is about what I'd expect. It's reassuring to know that the budget actions work. I'm going to set them a little higher, to something I can reasonably afford. I don't yet know how the cost will scale with the number of polls, and how that will compare with the cost of domain fronted requests. [0] https://snowflake-broker.torproject.net/metrics [1] https://metrics.torproject.org/collector.html#type-snowflake-stats

3 4

What key does the broker rate-limit on?
by David Fifield 28 Feb '25

28 Feb '25

The Snowflake broker's request rate limiting, what does it key on? The source IP address, X-Forwarded-For, or something else? This is where the rate limiting was introduced: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… location ~ ((proxy)|(client)|(answer)|(metrics)|(prometheus)|(amp/client/.*)|(robots.txt)) { limit_req zone=snowflake burst=3; proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; } limit_req_zone $binary_remote_addr zone=snowflake:10m rate=1r/s; Here's another, more recent snapshot of the configuration: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… location ~ ((proxy)|(client)|(answer)|(metrics)|(prometheus)|(amp/client/.*)|(robots.txt)) { limit_req zone=snowflake burst=3; proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_send_timeout 300; proxy_set_header X-Forwarded-For $proxy_protocol_addr; } limit_req_zone $proxy_protocol_addr zone=snowflake:10m rate=1r/s; If the limited is using the source IP address, then different clients could be causing each other to be rate-limited, because many requests come from the same CDN IP address (or whatever). If the limiter is using X-Forwarded-For or similar, then it's possible to evade the limiter by putting random or incrementing IP addresses in the header.

2 2

OpenReview of "Identifying VPN Servers through Graph-Represented Behaviors"
by David Fifield 26 Feb '25

26 Feb '25

The peer reviews of this week's reading group paper are public: https://openreview.net/forum?id=7024czziih I hadn't known it before, but peer reviews are public for all ACM WWW accepted papers: https://www2024.thewebconf.org/calls/research-tracks/ "By submitting paper(s) to The Web Conference 2024, the authors agree that the reviews, meta-reviews, and discussions will be made public in OpenReview for all accepted papers." You can see the reviewers' brief written summaries, and reviewer adPJ raising the possibility that VPN detection could "amplify censorship attempts which are rampant on the web today especially by authoritarian governments". While it was still a submission, the system was apparently called "VPNSniffer" rather than "VPNChecker".

2 2

Snowflake bridges using SQS
by Michael Rogers 12 Feb '25

12 Feb '25

Hi all, After updating Briar's bridge config to use the current settings from Moat, we're seeing two Snowflake bridges consistently failing in our CI tests. They're the two bridges that use SQS. Here's a snippet from the log: ``` INFO: NOTICE Managed proxy "/builds/briar/onionwrapper/onionwrapper-java/test.tmp/35/lyrebird": offer created Feb 04, 2025 1:12:34 PM org.briarproject.onionwrapper.AbstractTorWrapper message INFO: NOTICE Managed proxy "/builds/briar/onionwrapper/onionwrapper-java/test.tmp/35/lyrebird": broker failure operation error SQS: GetQueueUrl, https response error StatusCode: 400, RequestID: 60e91cfa-a2a0-55db-beb0-7ce6b621d324, AWS.SimpleQueueService.NonExistentQueue: The specified queue does not exist. ``` Does the queue really not exist, or does this point to some other issue, like the bridges being geoIP restricted or the app needing to pass some extra information to the transport? Thanks, Michael

2 4

(FWD) Online FOCI workshop 2025-02-20
by Roger Dingledine 12 Feb '25

12 Feb '25

----- Forwarded message from Jeffrey Knockel <jeff(a)citizenlab.ca> ----- Date: Wed, 12 Feb 2025 09:20:44 -0500 From: Jeffrey Knockel <jeff(a)citizenlab.ca> To: undisclosed-recipients: ; Subject: Online FOCI workshop 2025-02-20 Dear FOCI community, The first of two Free and Open Communications on the Internet (FOCI) workshops in 2025 will happen on February 20th 17:00 - 21:30 UTC <https://www.timeanddate.com/worldclock/fixedtime.html?msg=Virtual+FOCI+2025…>. This event is fully online and free. The event will take place on gather.town <https://app.gather.town>, and registration is required to receive a link for attending the event. Event web site: https://foci.community/ Registration: https://foci.community/register The program includes a keynote and 5 research presentations. The full schedule is available on the event website: * *Keynote: When the World Pushes Back: Enumerating Risks of Digital Accountability Research* Ronald Deibert * *Extended Abstract: Using TURN Servers for Censorship Evasion* Afonso Vilalonga, Kevin Gallagher, João Resende, Osman Yagan, and Henrique Domingos * *Is Custom Congestion Control a Bad Idea for Circumvention Tools?* Wayne Wang, Diwen Xue, Piyush Kumar, Ayush Mishra, Anonymous, and Roya Ensafi * *I(ra)nconsistencies: Novel Insights into Iran's Censorship* Felix Lange, Niklas Niere, Jonathan von Niessen, Dennis Suermann, Nico Heitmann, and Juraj Somorovsky * *The Mechanics of Surveillance in Leading Pakistani Mobile Apps* Sana Habib, Mohammad Taha Khan, and Jedidiah R. Crandall * *Revisiting BAT Browsers: Protecting At-Risk Populations from Surveillance, Censorship, and Targeted Attacks* Esther Rodriguez, Lobsang Gyatso, Tenzin Thayai, and Jedidiah R. Crandall -- Jeff & Tariq ----- End forwarded message -----

1 0

moderation in the list
by meskio 11 Feb '25

11 Feb '25

Looks like AI spam is becoming more common, see the last thread "Inquiry Regarding the Deprecation of Azure CDN (azureedge.net)"[0]. To stop it I have enabled the moderation of new messages to the list as a temporary solution. Any subscriber that was already a member of the list before the migration to mailman3[1] is not moderated and can write directly to the list. But any new subscriber will be moderated. I would propose that we unmoderate manually after the first email if is not spam. But let's discuss it next thursday. [0] https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@… [1] https://lists.torproject.org/mailman3/hyperkitty/list/tor-project@lists.tor… -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

Inquiry Regarding the Deprecation of Azure CDN (azureedge.net)
by tmsimregph＠gmail.com 11 Feb '25

11 Feb '25

Subject: Inquiry Regarding the Deprecation of Azure CDN (azureedge.net) Dear [Recipient's Name or Anti-Censorship Team], I hope this email finds you well. I came across the discussion regarding the early deprecation of Azure CDN services (azureedge.net) by Edgio/Verizon and its replacement with Azure Front Door (azurefd.net). I understand that this unexpected change poses significant challenges for users and services relying on domain fronting for critical operations. The shutdown highlights the need for reliable alternatives during such transitions. Could you provide further insights or recommendations for mitigating service disruptions, especially for those still using snowflake-broker.azureedge.net or similar configurations? Additionally, any updates regarding the migration process to Azure Front Door would be greatly appreciated. In the meantime, I also recommend visiting my website, https://tmsimreg.ph/, for helpful resources and discussions related to similar transitions. Thank you for your time and efforts in addressing these challenges. I look forward to your guidance. Best regards, Leandro tmsimregph(a)gmail.com

2 1

[eclips.is] The future of eclips.is
by David Fifield 06 Feb '25

06 Feb '25

The Snowflake broker is currently hosted on Greenhost's subsidized eclips.is platform. Their funding has ended, and they are moving to a partial user-pays model. For the next year Greenhost will self-fund up to 50 EUR per month per user. I am not sure whether we fit under that threshold. ----- Forwarded message from Greenhost <support(a)greenhost.nl> ----- Date: Thu, 31 Oct 2024 14:43:05 +0000 From: Greenhost <support(a)greenhost.nl> To: david(a)bamsoftware.com Subject: [eclips.is] The future of eclips.is Hello david(a)bamsoftware.com, Hope you’re doing well! We’re happy to inform you that all VPSs have been successfully migrated from our Miami data center to Amsterdam. Please take a moment to check that your VPS is functioning as expected, and let us know if you encounter any issues. As mentioned earlier this year, funding support from the Open Technology Fund (OTF) will conclude on October 31st, 2024 (today). However, Greenhost is committed to ensuring continued service and will fully support eclips.is through December 31st, 2024. Starting January 1st, 2025, Greenhost will migrate eclips.is to a hybrid model. We will provide every account with a free tier of up to EUR 50 per month. Based on usage data, this will cover about 90% of current accounts. As a result, for the majority of accounts/users, nothing will change. For accounts using more resources, the portion above EUR 50 per month will be charged, with a discount of 25% applied. This model will be in place until at least October 31st, 2025. During the year, we will assess this model and determine if it is sustainable long-term. With this approach, Greenhost has found a good balance between continuing to fully support grassroots and small organizations, and providing heavy users with an affordable service. This sponsorship represents approximately €120,000 per year, and Greenhost is proud to be able to provide this service to the community without funding. However, we are dedicated to exploring extra funding options to further support the community and broaden our user base. For users who can fully cover their service costs, we encourage you to purchase directly through the Greenhost website. Direct purchases strengthen our ability to support the community in the long term. Thank you for being part of this journey! The Greenhost Team -- Voor vragen of opmerkingen kunt u contact opnemen via info(a)greenhost.nl Volg ons / Follow us: Website: https://greenhost.net/blog Twitter: https://twitter.com/greenhost ----- End forwarded message -----

2 6

Meek config for TM
by Michael Rogers 05 Feb '25

05 Feb '25

Hi all, While updating Briar's built-in bridge config from Moat I noticed that Moat's still listing the Azure front for Meek in TM - is it still working? Cheers, Michael

3 3

Meek/Snowflake/Moat fronts for older Android devices?
by Michael Rogers 05 Feb '25

05 Feb '25

Hi all, Devices running versions of Android older than 7.1.1 can't verify certificates signed with Let's Encrypt's ISRG Root X1 root certificate, so they can't connect to domain fronts that use such certificates. [1] These devices (released in 2016 or earlier) still make up nearly 5% of active Android devices. [2] There was a workaround in place at one point -- cross-signing Let's Encrypt certificates with a different, expired root certificate and relying on Android not to check the expiry date -- but I believe the cross-signature expired in early 2024. [3] With the loss of Fastly and Azure, the only remaining fronts for Meek and Snowflake in the default config served by Moat will be cdn77.com and phpmyadmin.net, both of which use Let's Encrypt certificates that are signed with ISRG Root X1 and don't appear to be cross-signed. It looks like there's some work in progress to address this issue in Lyrebird by adding the relevant certificates, so hopefully Meek and Snowflake will work in a future Lyrebird release. But what about the initial connection to Moat? Orbot has moved from Fastly to CDN77 for its Moat front [4]. Are there any plans underway to make another front available, or should we move to CDN77 and plan for Moat being unavailable on older Android devices? Thanks, Michael [1] https://letsencrypt.org/2020/11/06/own-two-feet/ [2] https://apilevels.com/ [3] https://arstechnica.com/gadgets/2020/12/lets-encrypt-comes-up-with-workarou… [4] https://github.com/guardianproject/orbot/pull/1191/files

4 10

2025

2024

2023

2022

2021

2020

2019

anti-censorship-team February 2025