- anti-censorship-team - lists.torproject.org

Turkmenistan's tor users want you to change ports to bypass censorship
by Ahmet Orakov 30 Apr '23

30 Apr '23

Hi, Authorities in Turkmenistan have already blocked almost all the networking ports, a few of them still alive. Please consider contacting relay operators in order to change port addresses of these bridges to 80, 8080 or 443 which I indicated below 6FC0828C5F2BF7231EF237184B168E1A55AFFDAE C60CAF61C9210E5BBF8FCEEF63D7638ED00092CD 1948FEF52897F6A25E456B7DB9C2D37EFB7250C1 7E59CD3DA76A403665ED162243327E6AE255411C DE131D27860718A95CF691948BC36FA16187DB2B CDA13CF52FFF3A70AEFB3A793B16DC2A63406531 3F32DE3EEAEDB3FC05AD8D42FFEF81FB930948DF 2C89244A2E4DE454D06DDBCEB239B233109A73A7 3E073BB0DDB25C7098DF00F49CC7186CC735203C B7E8B832F055435293840D69FE476AA6143C0449 035320676E125E1F85C68B1461E649DC7DA30C84 Best regards, Ahmet tor user from Turkmenistan

1 0

Turkmenistan's tor users face mass bridge blocking
by Ahmet Orakov 26 Apr '23

26 Apr '23

Hi, I'm Ahmet who actively spread active bridges (in our case) across the Turkmenistan. Recent days we face mass blocking and it create issues to surface freely on the internet. Authorities in Turkmenistan intend to restrict us from using tor browser and any other programs which can give access to the external world with the help of modern firewall equipment. Our team have managed to find reachable tor bridges, but problem remains on bridge's ports cause government in Turkmenistan blocked almost all the networking ports. Even reachable bridges by pinging may not often connect to the tor browser because of the port issue. Here is a few available ports which stay unblocked in Turkmenistan's case: 22, 53, 80, 8080, 443, 993, 995, 9999. Here is the full list of reachable bridges with port issue, and changing it's ports will help us to gain access to the external world. obfs4 108.31.127.213:8525 3EF93C217B2D5301FFBCC4880D24D09BD4401C61 cert=lx7lidZJdUriNMCjkSh/xcnVx2t67/KmXFe+YLXq+0bNba3STzmoBlJh+ERtzrnuuOrCTg iat-mode=0 obfs4 93.55.88.235:8081 13DDD2BED74D068AFF3EEE2B9D13C4E4D4667DDA cert=bez4elSLBpp58h6fml9ecJ/epgNWFFAE6YsXz41emzHE/YMCZaBsxPMtBcFA+JoxydDbag iat-mode=0 obfs4 207.188.167.189:45669 99941A7E1CF8C10FEDEDC3655608FD2F502B689A cert=772JkWjGxXoKMH+ptfhA9IArSCXFspI/FxJ8utA/AP1n0jssn4fAq/XacAax4/bJuhYDIw iat-mode=0 obfs4 207.172.185.193:22223 F34AC0CDBC06918E54292A474578C99834A58893 cert=MjqosoyVylLQuLo4LH+eQ5hS7Z44s2CaMfQbIjJtn4bGRnvLv8ldSvSED5JpvWSxm09XXg iat-mode=0 obfs4 79.114.110.223:7778 7DE375B51781A17D247DB34A232AA7601BE1D706 cert=fYYGpWdrQrm3ulRuNP0yM97fTt0ZB5jWaUli9R8wmPzAuw0XfR85nnnRkXHIdYkUA3F5ew iat-mode=0 obfs4 90.146.72.121:7985 D6699CA3CF1D8BA4246A15E5635824F52ABB127F cert=DgG3Mls043qsaI31mNTfc35yGcMSv9L9rOkTLINRC8fXrFNnGRWPvoeBKpQV/Snty+kVNA iat-mode=0 obfs4 75.134.106.30:35501 99C8AF7D79F8CA0D9D70F779503ECAA49F6C3FA2 cert=TlqfINuhMlbmoJhJ2mDISf/Eg8xHakPcPLBOC4usQTwzGCEagpOYuV4ZSs9t7rUCeBrtDg iat-mode=0 obfs4 92.194.180.141:42935 DE131D27860718A95CF691948BC36FA16187DB2B cert=D3++fMxl72GBW+/IyVBBDy8EIWSqy1jlO6xA10N6nsdOLlpQLvNSbY26jw9J3yKYiRG4Dg iat-mode=0 obfs4 81.174.32.138:45159 035320676E125E1F85C68B1461E649DC7DA30C84 cert=JxcDiqlANfYVzu34qeNkmCn0xOmd+SbqB42u9TbaoBRQkwyALZSx98cZeMMuZDevqmkxTA iat-mode=0 obfs4 177.104.92.101:25001 821CAED1A79AC1878B4ADEC0712E4DFC358768F4 cert=1TNR/XswmhC3if9+mBo6JS6gklBltC5T27s/3ffZj4v6F5gnAUXLbImBGBZCB9qhLSY5EQ iat-mode=0 obfs4 2.205.244.68:8888 B7E8B832F055435293840D69FE476AA6143C0449 cert=X2IIgewaeED2fctW8uSAd9NTsq8fP3uhsm7yS6QUC3k/NdXvEMtJelEz/t3X5SnmFCnHJQ iat-mode=0 obfs4 71.73.124.31:8887 F33989B6E8E3FFD37B6F764169B78ED0B83321F5 cert=FeLwuG61HwXuOXSYDxScC9K4nVp9GQdGVAdRUKilk3/0J2GsDyikvEhV/1ADpShsYQlSaw iat-mode=0 obfs4 187.75.226.94:8988 AF19883740E44E541795020EC59EC5F746851E19 cert=/n/ygNigvyPr5LVJfJoKd3JAuiSi9UnY61FzOCgqdCi1HD7WIGw6jR/mzLyJzhaLziT/JQ iat-mode=0 obfs4 92.221.111.176:1395 3E073BB0DDB25C7098DF00F49CC7186CC735203C cert=8KqBavNDfLHPMeB5HRxKDwliC7u5lI7e03xNU1/FZYrUK/+TDSSL5+osnkSOarfxHL/HAw iat-mode=0 obfs4 97.115.76.192:4343 AF7993FF8BDDD7F99AB26A09F9738414569BEF27 cert=MrF6L5jh+MqdVfoMfpz/QRhDl/yjqhxf24wjll4PBQKRe4OUXPJ+rESJcc5OGSTlLOAheg iat-mode=0 obfs4 177.73.92.19:5242 3FCF4978110BCE7AC92370BD9BD8E145F9630DFB cert=Z6wBTMa/gZDGWXSox0MYX6jW+zjNelKqvg3sYwZyIOY/Xkwflno554OhYNoQib3/ubjKdA iat-mode=0 obfs4 51.241.113.176:9003 661CACC60315EE3C67A1DA5D3F858819CE5F8BB8 cert=XiqiFAQR/83BbdxhUsN5G1C+QWUY2RVPwyPABlG53wT+tQHZwzMR0aFOQEeAK7d+FSzJDQ iat-mode=0 obfs4 188.27.166.105:61001 2D9B02D11541D942E3B1AB4B53B59A13EDC52689 cert=f6gO0qbkhh/rZ0lkiTr1ieH5t3EkXmCUISkLogB32VvhTc7KzWlCaBfSHYghGhpLBrliZg iat-mode=0 obfs4 217.86.148.59:10235 ECDE7860636D20A3374804FE8FF36D89B7AFE96D cert=O3GU2XtIUe6umRZqDk5uoHH1aP8zxqNLPF9l9oTMSknYnyI4XN81OA/UUIJN3d8Qf77NQw iat-mode=0 obfs4 79.116.39.249:32001 9DA2468ACD8BE06F66EBC62DFAE7042ABBBE6A45 cert=yi9MvwPMMG+SNhQGKRwCxsFogLWIUqMRfSAV4SRVNz9/scReT28qkNo4UXLfagK1a8OGLA iat-mode=0 obfs4 79.231.112.13:42893 3A76222696BA38823C43521FD604189A285D9859 cert=FR1z74IEj2chaLm4ztMtjnU1X4VfAAC6m6fPVSN37IggVKmhJqH0w81b1eEyYoBYDDAyZQ iat-mode=0 obfs4 92.211.9.209:1338 2C89244A2E4DE454D06DDBCEB239B233109A73A7 cert=jQcCwZNLeQV26cMposGJlhhUnKrYsHw6c60MAmEqEDiBy7GzZO3P3OJFBfla2UoJD0HPBw iat-mode=0 obfs4 88.152.121.42:18013 3F32DE3EEAEDB3FC05AD8D42FFEF81FB930948DF cert=uVHTPWVuScMjgw+xJl6JGkgTSkk84LbdT9XAH4V0d9qW0qBNlnxjld4vhKLOGSAkJrh6cg iat-mode=0 obfs4 86.119.0.151:25262 CDA13CF52FFF3A70AEFB3A793B16DC2A63406531 cert=veuTKH5BmSqP3Lbashf8DiprMXxenwTryXRVNKMqMJ+vL2lyC3rzQQQlVwaGgjv6UUU/QA iat-mode=0 obfs4 92.194.198.136:42935 DE131D27860718A95CF691948BC36FA16187DB2B cert=D3++fMxl72GBW+/IyVBBDy8EIWSqy1jlO6xA10N6nsdOLlpQLvNSbY26jw9J3yKYiRG4Dg iat-mode=0 obfs4 88.15.20.180:8024 8F0CCF3F6FDFE65A4341BCB8921D92DEFBBC57BA cert=Hs80aPMdaWhVSO7zQH99gJOgNX6QXibdj6i+bXoibFlvXsoU7a5q5BgCbjQeKVXh0aA1bQ iat-mode=0 obfs4 81.2.237.101:46688 2E80CA22679F0855612D4B5C6E14F515B8DBFEAC cert=OXOZwG0qx0UhHxawivrIj+W5Hv8+GWQrvZpZjDQarcwuuish16q6mFr/E3MJi9r6sKRrAw iat-mode=0 obfs4 173.75.228.117:7655 57DD323A976B78B7AB71297FA855A1DB5AA84E26 cert=Aqc+jkyQLxi29oxZcxxsMcExUz6B0UoWofBsLVxvK2T16QAnExVGDe0Ss4BAeYyxWz6hCg iat-mode=0 obfs4 86.30.100.123:42957 F3FA0D45D35E987484848345F8D92AB1D883889B cert=cxC0DfySYT/IBGBesOq64QKHCl5WdiR08qxcdsCpbpkj/2m6vwzpCFsP6m8r/+ZhdC26CA iat-mode=0 obfs4 72.65.246.86:19002 649B458222B1DB29DD1CFF0BF84DBD46019E260F cert=5JhfiNXzWL0gafmi6rFMtUo2Vb4MxN7ih7pNij6vlOhRvbh//rD57eDI4QPdUXaR6ZqSJA iat-mode=0 obfs4 143.177.166.29:9089 5B11A0A5E929354846930081B9F41184FCB0B9A8 cert=26lt8B0gaB9hyL7LEGPyYU3lz5uHAL+D7T0NsaVMxp7Q53f0WW5NneNMTPal5YUwG6ugHw iat-mode=0 obfs4 95.89.239.67:6433 6FC0828C5F2BF7231EF237184B168E1A55AFFDAE cert=2Lapv8zlsKDmheQsY+l4R/39dHT0TMe7mMN9ctkIacz2WgpKagfGiPLAUB+GUKG1Zg5sGQ iat-mode=0 obfs4 95.248.228.75:80 11790370D080C588C1CD210D55B58EF0C634191D cert=gYvzB9u82/ld5pyBigDmhAg23MfvIcJY3IXKu/hDf0bgb+6YsTKWGz/nmM7ZJsTvs9V3WA iat-mode=0 obfs4 88.193.230.188:34669 8A3153FCFADC2C3671A6996BF9C0DB28C8DC1792 cert=i0QTJIz6nV6kfY3q91Wa15JCEGRIn3mfMk1hLz/u0zQxEzre65xRzpoY5W5WBvNh/dIQTA iat-mode=0 obfs4 88.2.229.205:31417 393C21E212C6561DBB37CBC73ADE26CA475E7D0E cert=HGHYdF7SpYNgzCtxTAkD4rI2UESAcrSQ/Ak+pp6EVtFepZkWHQ+pmz5tF2Qx8pDH33FhDA iat-mode=0 obfs4 100.38.225.64:9958 202748B7A34254D6AFED0889FBAEE4A3DC7E7F56 cert=KXJT8LJNBQ+GPpTUccWBCNZNwd/X/pa8qpTLutYwtApljmK+N5NpM+WrCtlKyo4GJDFYLA iat-mode=0 obfs4 177.73.92.19:5242 3FCF4978110BCE7AC92370BD9BD8E145F9630DFB cert=Z6wBTMa/gZDGWXSox0MYX6jW+zjNelKqvg3sYwZyIOY/Xkwflno554OhYNoQib3/ubjKdA iat-mode=0 *Please contact and ask relay operators to update their bridges ports!* Best regards, Ahmet

2 1

Identify from which continent people connect from
by mxz+tor-anti-censorship-team＠mxzero.de 23 Mar '23

23 Mar '23

Hi, a while ago (10.02.2023) I tried to send an email on the tor-talk mailing list but apparently it never got through as it's still awaiting approval. (it wasn't denied either, afaik) So, I'll try my luck here as this is sort of censorship related, too. Copy and paste of the email: --- Hi, recently, there was an interesting side note on the cryptography mailing list [1]. Quote: > (People have written code to predict what continent an anonymous person using Tor is on, based on noticing over a period of time when their remote system clocks ran faster or slower, assuming that was caused by nighttime versus daytime temperatures.) I was wondering if any of you know about this and where I could find code that does this? Any links to research and papers would be highly appreciated, too. Especially, I'm wondering how they do this: - via differences in the above mentioned system clock (impressive?!) - timing analysis with latency? things like lower latency in Europe as there are more tor relays around compared to Argentina. - do you need to have any prerequisites? e.g. controlling at least one node, or the exit node, or a "clear text" server/hidden service that someone connects to? Finally, if that's the wrong list, please refer me to the right one. Thanks! [1]: https://www.metzdowd.com/pipermail/cryptography/2023-February/038109.html

3 6

Snowflake
by Jordan Hillis 22 Mar '23

22 Mar '23

I have a snowflake link embedded in my website www.computerrepairjs.com

1 0

Partially reliable and/or unordered WebRTC data channels
by David Fifield 16 Mar '23

16 Mar '23

Shelikhoo brought up an interesting point at today's meeting. Snowflake uses WebRTC data channels on the client–proxy link. Data channels are SCTP in DTLS. They are by default fully reliable and in-order, like TCP, and that is the way we currently use them. But SCTP and in turn WebRTC data channels also have "partial reliability" and "unordered" options that might be a better fit for our uses. http://meetbot.debian.net/tor-meeting/2023/tor-meeting.2023-03-16-15.57.log… 16:25:29 <shelikhoo> webrtc(SCTP to be specific) can be set to not retransmit packet 16:25:34 <shelikhoo> and deliver packet out of order 16:25:43 <shelikhoo> to application 16:26:14 <dcf1> I did not know about that. Do we use it that way in Snowflake? 16:27:28 <shelikhoo> it is called "unreliable mode" https://pkg.go.dev/github.com/pion/webrtc/v3#DataChannel.MaxRetransmits 16:29:28 <dcf1> Ok. I might have missed an issue, is that mode used in Snowflake? Or could it be? 16:30:27 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… 16:30:54 <shelikhoo> https://pkg.go.dev/github.com/pion/webrtc/v3#DataChannelInit 16:31:18 <shelikhoo> Maybe no...? but we can enable "unreliable mode" ## Background The specification of WebRTC data channels, RFC 8831, requires the SCTP implementation to support limiting transmissions by either time or number. https://www.rfc-editor.org/rfc/rfc8831 > SCTP, as specified in [RFC4960] with the partial reliability extension > (PR-SCTP) defined in [RFC3758] and the additional policies defined in > [RFC7496], provides multiple streams natively with reliable, and the > relevant partially reliable, delivery modes for user messages. > ... > The partial reliability extension defined in [RFC3758] MUST be > supported. In addition to the timed reliability PR-SCTP policy defined > in [RFC3758], the limited retransmission policy defined in [RFC7496] > MUST be supported. Orthogonal to reliability, the SCTP implementation must support ordered or unordered delivery of messages. https://www.rfc-editor.org/rfc/rfc8831#name-sctp-protocol-consideration > This SCTP stack and its upper layer MUST support the usage of multiple > SCTP streams. A user message can be sent ordered or unordered and with > partial or full reliability. Removing retransmissions and ordering restrictions makes a data channel into a datagram delivery service that preserves message boundaries, but not ordering, and does not guarantee delivery. https://www.rfc-editor.org/rfc/rfc8831#name-sctp-protocol-consideration > Limiting the number of retransmissions to zero, combined with > unordered delivery, provides a UDP-like service where each user > message is sent exactly once and delivered in the order received. The WebRTC Data Channel Establishment Protocol's DATA_CHANNEL_OPEN message is where the ordering and retransmission limits are specified. (Note partial reliability and ordering are two separate concepts, and that you can only limit retransmissions by time or number, not both.) https://www.rfc-editor.org/rfc/rfc8832.html#name-data_channel_open-message > DATA_CHANNEL_RELIABLE (0x00): > The data channel provides a reliable in-order bidirectional > communication. > DATA_CHANNEL_RELIABLE_UNORDERED (0x80): > The data channel provides a reliable unordered bidirectional > communication. > DATA_CHANNEL_PARTIAL_RELIABLE_REXMIT (0x01): > The data channel provides a partially reliable in-order > bidirectional communication. User messages will not be retransmitted > more times than specified in the Reliability Parameter. > DATA_CHANNEL_PARTIAL_RELIABLE_REXMIT_UNORDERED (0x81): > The data channel provides a partially reliable unordered > bidirectional communication. User messages will not be retransmitted > more times than specified in the Reliability Parameter. > DATA_CHANNEL_PARTIAL_RELIABLE_TIMED (0x02): > The data channel provides a partially reliable in-order > bidirectional communication. User messages might not be transmitted > or retransmitted after a specified lifetime given in milliseconds in > the Reliability Parameter. This lifetime starts when providing the > user message to the protocol stack. > DATA_CHANNEL_PARTIAL_RELIABLE_TIMED_UNORDERED (0x82): > The data channel provides a partially reliable unordered > bidirectional communication. User messages might not be transmitted > or retransmitted after a specified lifetime given in milliseconds in > the Reliability Parameter. This lifetime starts when providing the > user message to the protocol stack. Though in SCTP the unordered flag (U) may vary per DATA chunk, data channels can only be entirely ordered or entirely unordered. https://www.rfc-editor.org/rfc/rfc9260#name-ordered-and-unordered-deliv The JavaScript API exposes these settings in the RTCPeerConnection.createDataChannel method: https://developer.mozilla.org/en-US/docs/Web/API/RTCPeerConnection/createDa… > `ordered` (Optional) > Indicates whether or not messages sent on the RTCDataChannel are > required to arrive at their destination in the same order in which > they were sent (`true`), or if they're allowed to arrive > out-of-order (`false`). Default: `true`. > `maxPacketLifeTime` (Optional) > The maximum number of milliseconds that attempts to transfer a > message may take in unreliable mode. While this value is a 16-bit > unsigned number, each user agent may clamp it to whatever maximum it > deems appropriate. Default: `null`. > `maxRetransmits` (Optional) > The maximum number of times the user agent should attempt to > retransmit a message which fails the first time in unreliable mode. > While this value is a 16-bit unsigned number, each user agent may > clamp it to whatever maximum it deems appropriate. Default: `null`. Similar options are exposed in Pion PeerConnection.CreateDataChannel and the DataChannelInit struct: https://pkg.go.dev/github.com/pion/webrtc/v3#DataChannelInit > // Ordered indicates if data is allowed to be delivered out of order. > // The default value of true, guarantees that data will be delivered > // in order. > Ordered *bool > // MaxPacketLifeTime limits the time (in milliseconds) during which the > // channel will transmit or retransmit data if not acknowledged. This > // value may be clamped if it exceeds the maximum value supported. > MaxPacketLifeTime *uint16 > // MaxRetransmits limits the number of times a channel will retransmit > // data if not successfully delivered. This value may be clamped if it > // exceeds the maximum value supported. > MaxRetransmits *uint16 ## Possibilities for Snowflake Currently in Snowflake, we treat the data channel as if it were a TCP stream: we ignore message boundaries and concatenate all messages in order. What we transmit over this stream, though, is a sequence of discrete KCP packets (and possible padding), delimited using length prefixes: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… The boundaries of encapsulated KCP packets do not necessarily correspond to SCTP/data channel message boundaries. We may be able to increase efficiency by using data channel messages directly, one KCP packet per message. Because KCP has its own retransmission and reordering facilities, we could completely turn off reliability and ordering at the data channel layer. One of the reasons we use the packet encapsulation we use now is to permit shaping the size of network packets. But matching data channel messages 1:1 with KCP packet does not necessarily negatively affect traffic shaping capability. We could put a simple length prefix at the head of each message that indicates the effective payload length, with the rest being padding. If the traffic schedule calls for a payload smaller than an immediately available packet, an all-padding message can be sent. Such a change would require changes at the proxy. Proxies would need a second mode to take message boundaries directly from the data channel, rather than concatenating messages and decoding message boundaries from the joined-up stream. Proxies could backward-compatibly forward the messages to the bridge over WebSocket, applying the packet encapsulation at the proxy rather than the client. Or (requiring a change at the bridge too), we could use WebRTC on the proxy–bridge link and similarly send packets with unordered and unreliable data channels.

1 0

Re: [anti-censorship-team] anti-censorship-team Digest, Vol 43, Issue 1
by ut0znfpg＠duck.com 24 Feb '23

24 Feb '23

Hi! I was wondering if ANY of the dark or deep web browsers featured on the Chrome/Google Play store are trustworthy in and of themselves, and if Tor can be accessed with them, or if any use Tor automatically. I have a Chromebook, and I know that Tor does not work with it as you have yet to develop a version for it. Why is it that I think that it will be impossible to have Tor work safely with Chrome/Chromebooks; because Google is EVIL?! :-) Who do you trust for DNS? What is the world's most private and secure computer? I remember Australia having some cool guys build a n independent computer system, but these would not be available outside of Oz. Comments? On Feb 24, 2023 at 7:00 AM, "anti-censorship-team-request(a)lists.torproject.org " <> wrote: --------------------------IronVest--------------------------- Preview: Send anti-censorship-team mailing list submissions to anti-ce --> SPAM? CLICK to BLOCK: https://ironvest.com/app/0/#emails/r8196gs9ev5p@opayq.com/toggle This email is Masked using Ironvest - it was sent from duck.com to r8196gs9ev5p(a)opayq.com (your reply stays Masked). To protect your privacy, do not forward this message, or add new recipients like CCs or BCCs. Thanks for being an IronVest customer! --------------------------IronVest--------------------------- Send anti-censorship-team mailing list submissions to anti-censorship-team(a)lists.torproject.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team or, via email, send a message with subject or body 'help' to anti-censorship-team-request(a)lists.torproject.org You can reach the person managing the list at anti-censorship-team-owner(a)lists.torproject.org When replying, please edit your Subject line so it is more specific than "Re: Contents of anti-censorship-team digest..." Today's Topics: 1. onbasca and rdsys (meskio) ---------------------------------------------------------------------- Message: 1 Date: Fri, 24 Feb 2023 12:47:19 +0100 From: meskio <meskio(a)torproject.org> To: anti-censorship-team <anti-censorship-team(a)lists.torproject.org> Subject: [anti-censorship-team] onbasca and rdsys Message-ID: <167723923930.1535.1605523355422205109@localhost> Content-Type: text/plain; charset="utf-8" Hello, Onbasca[0], a relay bandwidth, has just added support for testing bridges. I have modified rdsys to use it[1]. onbasca produces a bandwidth ratio, on how fast is a bridge compared to the rest of bridges (1 is the median), and rdsys decides if distribute a bridge if the ratio is higher than a configured threshold (right now 0.75) or if is jet untested. rdsys does ignore the onbasca results if there is less then 50% of bridges with high enough ratio to be distributed. As this was needed by a sponsor I have already deployed it in production. I wrote a survival guide: https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Onbasca-Surv… I tested it and I don't expect much problems, but as I will be AFK next week if rdsys gives any problem is easy to roll back to the previous version of rdsys without onbasca support. I left the previous binary of rdsys backend in ~/bin/rdsys-backend.old, so rolling back will be running as rdsys user in polyanthum: systemctl --user stop rdsys-backend mv ~/bin/rdsys-backend.old ~/bin/rdsys-backend systemdl --user start rdsys-backend [0] https://gitlab.torproject.org/tpo/network-health/onbasca/ [1] https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/76 -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

WebRTC Encoded Transform (or Insertable Streams) for media channels in Snowflake?
by David Fifield 24 Feb '23

24 Feb '23

We have discussed how Snowflake uses WebRTC data channels (DTLS), while some other WebRTC apps use media channels (DTLS-STRP), and how that could be used in a classifier. See for example Section 2 of https://censorbib.nymity.ch/#Fifield2016b. We have also entertained the possibility of encoding Snowflake data into an audio/video stream, à la FreeWave (https://censorbib.nymity.ch/#Houmansadr2013a) or CovertCast (https://censorbib.nymity.ch/#McPherson2016a) in order to use media channels in Snowflake. I came across an API that may permit us to use media channel, without the trouble of an audio/video codec. WebRTC Encoded Transform (formerly Insertable Streams, I think) provides a way to get at and manipulate the raw bytes of media frames. https://w3c.github.io/webrtc-encoded-transform/ > This API defines an API surface for manipulating the bits on > MediaStreamTracks being sent via an RTCPeerConnection. The API defines RTCEncodedVideoFrame and RTCEncodedAudioFrame types that give you an ArrayBuffer of the encoded media data: https://w3c.github.io/webrtc-encoded-transform/#RTCEncodedVideoFrame-interf… // New interfaces to define encoded video and audio frames. Will eventually // re-use or extend the equivalent defined in WebCodecs. [Exposed=(Window,DedicatedWorker)] interface RTCEncodedVideoFrame { readonly attribute RTCEncodedVideoFrameType type; readonly attribute unsigned long timestamp; attribute ArrayBuffer data; RTCEncodedVideoFrameMetadata getMetadata(); }; https://w3c.github.io/webrtc-encoded-transform/#RTCEncodedAudioFrame-interf… [Exposed=(Window,DedicatedWorker)] interface RTCEncodedAudioFrame { readonly attribute unsigned long timestamp; attribute ArrayBuffer data; RTCEncodedAudioFrameMetadata getMetadata(); }; One of the intended use cases of Encoded Transform is a end-to-end encryption when then media streams pass through a middlebox that removes and re-adds hop-by-hop DTLS-STRP layers: https://webrtchacks.com/true-end-to-end-encryption-with-webrtc-insertable-s… https://jitsi.org/security/ > You can turn on end-to-end encryption (e2ee) as long as you are using > Jitsi Meet on a browser with support for insertable streams. The explainer document has a sample of inverting all the bits in an encoded media frame: https://github.com/w3c/webrtc-encoded-transform/blob/5c7ab84f4ce338f299172f… // Receiver transform function createReceiverTransform() { return new TransformStream({ start() {}, flush() {}, async transform(encodedFrame, controller) { // Reconstruct the original frame. const view = new DataView(encodedFrame.data); // Ignore the last 4 bytes const newData = new ArrayBuffer(encodedFrame.data.byteLength - 4); const newView = new DataView(newData); // Negate all bits in the incoming frame, ignoring the // last 4 bytes for (let i = 0; i < encodedFrame.data.byteLength - 4; ++i) newView.setInt8(i, ~view.getInt8(i)); encodedFrame.data = newData; controller.enqueue(encodedFrame); } }); } I am not clear on the difference between Encoded Transform, Insertable Streams, and WebCodecs, but here are some possible browser support tables: https://chromestatus.com/feature/6321945865879552 https://caniuse.com/?search=webcodec https://developer.mozilla.org/en-US/docs/Web/API/WebCodecs_API

1 0

onbasca and rdsys
by meskio 24 Feb '23

24 Feb '23

Hello, Onbasca[0], a relay bandwidth, has just added support for testing bridges. I have modified rdsys to use it[1]. onbasca produces a bandwidth ratio, on how fast is a bridge compared to the rest of bridges (1 is the median), and rdsys decides if distribute a bridge if the ratio is higher than a configured threshold (right now 0.75) or if is jet untested. rdsys does ignore the onbasca results if there is less then 50% of bridges with high enough ratio to be distributed. As this was needed by a sponsor I have already deployed it in production. I wrote a survival guide: https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Onbasca-Surv… I tested it and I don't expect much problems, but as I will be AFK next week if rdsys gives any problem is easy to roll back to the previous version of rdsys without onbasca support. I left the previous binary of rdsys backend in ~/bin/rdsys-backend.old, so rolling back will be running as rdsys user in polyanthum: systemctl --user stop rdsys-backend mv ~/bin/rdsys-backend.old ~/bin/rdsys-backend systemdl --user start rdsys-backend [0] https://gitlab.torproject.org/tpo/network-health/onbasca/ [1] https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/76 -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

(FWD) [anti-censorship-alerts] monit alert -- Connection failed default-bridge-georgetown
by Roger Dingledine 19 Jan '23

19 Jan '23

Hi Micah! Is the georgetown bridge is flaky as it seems? We have alerts set up for the default bridges and it seems like yours alerts a lot and the others alert rarely. It always comes back after a little while, so this isn't a "hey your bridge is down" mail so much as a "what's up with your bridge" mail. I wonder if it is an issue with the network it's running on; or if it's an issue with the bridge itself, e.g. maybe there is something in Tor's logs that could help diagnose; or if it's something wonky about our alerts. (I am cc'ing anti-censorship-team so others can coordinate and stay in sync; note that this is a public list with archives.) Thanks! --Roger ----- Forwarded message from Monit <anti-censorship-monitor(a)nymity.ch> ----- Date: Thu, 19 Jan 2023 12:26:36 GMT From: Monit <anti-censorship-monitor(a)nymity.ch> To: anti-censorship-alerts(a)lists.torproject.org Subject: [anti-censorship-alerts] monit alert -- Connection failed default-bridge-georgetown X-Mailer: Monit 5.26.0 Connection failed Service default-bridge-georgetown Date: Thu, 19 Jan 2023 13:26:35 Action: alert Host: server01 Description: failed protocol test [DEFAULT] at [209.148.46.65]:443 [TCP/IP] -- Connection timed out _______________________________________________ anti-censorship-alerts mailing list anti-censorship-alerts(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-alerts ----- End forwarded message -----

2 1

Paper identifying snowflake traffic
by Kevin Bock 09 Jan '23

09 Jan '23

2 1