- tor-project - lists.torproject.org

Anti-censorship team meeting notes, 2025-12-04
by Shelikhoo 04 Dec '25

04 Dec '25

Hey everyone! Here are our meeting logs: https://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-12-04-16.00.ht… And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, December 11 16:00 UTC Facilitator:meskio ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * No meetings Dec 25 and Jan 1, we'll be AFK for the Tor's year end break == Discussion == == Actions == * == Interesting links == * https://blog.torproject.org/staying-ahead-of-censors-2025/ == Reading group == * We will discuss "CenPush: Blocking-Resistant Control Channel Using Push * Notifications" on January 8th, 2026 * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? * Next in the Reading Group Queue: * Fingerprint-resistant DTLS for usage in Snowflake: https://www.petsymposium.org/foci/2025/foci-2025-0006.php == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-12-04 Last week: - refined proxy churn experiments (snowflake#40494) - deployed proxy churn metrics - discussed signalling channel library - adapted snowflake paper scripts for proxy churn graphs - restarted proxy churn test with proxy type metrics fix (snowflake!645) Next week: - switch to using Tor's AWS account for SQS signalling channel - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2025-12-04 Last week: - talk with the operators of failing builtin in bridges (team#141) - update the list of builtin bridges (tor-browser-build!1373) - review blogpost on anti-censorship 2025 - contact yunohost and sandstorm about packaging snowflake proxy - prepare grant Next week: - make an alert for failing builtin bridges (team#141) Shelikhoo: 2025-12-04 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - Release Lyrebird v0.7.0 - Update lyrebird version to v0.7.0 (https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…) - [Merge Request] Release v0.7.0 (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - [Review]Add covert-dtls to proxy and client (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) onyinyang: 2025-12-04 Last week(s): - Attended Ontario Cryptography Day - Splintercon Prep Next week: - Splintercon - Continue Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Attempting to move to go-imap v2 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue

1 0

Anti-censorship team meeting notes, 2025-11-27
by onyinyang 27 Nov '25

27 Nov '25

Hey everyone! Here are our meeting logs: https://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-11-27-16.00.ht… And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, December 4 16:00 UTC Facilitator:shelikhoo ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:onyinyang == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * == Discussion == == Actions == * bring interesting papers to decide on our next reading group == Interesting links == * == Reading group == * We will discuss "CenPush: Blocking-Resistant Control Channel Using Push * Notifications" on January 8th, 2026 * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? * Next in the Reading Group Queue: * Fingerprint-resistant DTLS for usage in Snowflake: https://www.petsymposium.org/foci/2025/foci-2025-0006.php == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-11-20 Last week: - reviewed meek-lite url front pairs implementation - started work on moving SQS to torproject AWS account - more research on enumeration defences Next week: - deploy proxy churn metrics patch (snowflake#40494) - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2025-11-27 Last week: - make prometheus monitor the builtin bridges (team#141) - redesign meek multifront domain MR (lyrebird!142) - granwriting - a blogpost based on the SOTO presentation - transfer brdg.es to TPI, for bridge URIs Next week: - investigate the status of builtin bridges (team#141) Shelikhoo: 2025-11-27 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - Many dependencies update merge request review - [Merge Request] Rename UTLSInsecureServerNameToVerify option to cert-domain (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) - [Merge Request Review] Count IP churn by proxy type (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - Release Lyrebird v0.7.0 onyinyang: 2025-11-27 Last week(s): - Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - The ApplyDiff function was suspicious but after investigation, it seems like this is not the issue. . .the search continues - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Attempting to move to go-imap v2 - Making arrangements for talk/travel to Splintercon Next week: - Attending Ontario Cryptography Day - Splintercon Prep - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#248 hopefully (take 3? 4?) - Continue monitoring rdsys#249 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- --- onyinyang GPG Fingerprint 3CC3 F8CC E9D0 A92F A108 38EF 156A 6435 430C 2036

1 0

Anti-censorship team meeting notes, 2025-11-20
by meskio 20 Nov '25

20 Nov '25

Hey everyone! Here are our meeting logs: https://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-11-20-16.00.ht… And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, November 27 16:00 UTC Facilitator:onyinyang ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * duplicatedcontainerimages is being removed(done) == Discussion == * meek: add support for multiple domain front providers * what bridgeline format makes sense? * https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre… * we will not decide it for now, we'll wait for people to give feedback on the MR == Actions == * bring interesting papers to decide on our next reading group == Interesting links == * == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-11-20 Last week: - reviewed meek-lite url front pairs implementation - started work on moving SQS to torproject AWS account - more research on enumeration defences Next week: - deploy proxy churn metrics patch (snowflake#40494) - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2025-11-20 Last week: - multi-front support in meek (lyrebird#40027) - update obfs4-bridge docker images - deprecate arm and 386 in obfs4-bridge docker - write a blogpost using the SOTO script Next week: - investigate the status of builtin bridges (team#141) Shelikhoo: 2025-11-20 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - Add sni-imitation syntex sugar option (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) - Remove setuid migration script after it have finished its work: Revert "Add state migration setuid script chown-states.sh" (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webt…) - [Cross Team] Some CJK characters cannot be rendered by Tor which uses the Noto font family (https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44227#n…) - lyrebird Release v0.7.0 (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) - WebTunnel: Use tpa managed podman for working defaults values (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webt…) - Relicense uget under 3-bsd license (https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/…) - [Cross Team] Broken PGP public key link on db.torproject.org (https://gitlab.torproject.org/tpo/tpa/team/-/issues/42387) - [MR Review]Measure proxy churn for both proxy pools (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - Release Lyrebird v0.7.0 onyinyang: 2025-11-20 Last week(s): - Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - The ApplyDiff function was suspicious but after investigation, it seems like this is not the issue. . .the search continues - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Efforts to fix the (likely) bug in the waitForEmailUpdate function failed - Attempting to move to go-imap v2 - Making arrangements for talk/travel to Splintercon Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#248 hopefully (take 3? 4?) - Continue monitoring rdsys#249 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

minutes from the sysadmin meeting
by Antoine Beaupré 18 Nov '25

18 Nov '25

This is your monthly dose of sysadmin meeting minutes! More coming next week, for people really into that stuff... # Roll call: who's there and emergencies All hands present. Dragon died, but situation stable, not requiring us to abort the meeting. # Express check-in We tried a new format for the check-in for our monthly meeting, to speed things up to leave more room for the actual discussions. How are you doing, and are there any blockers? Then pass the mic to the next person. # 2026 Roadmap review This is a copy of the notes from the [TPA meetup][]. Review and amend to get a final version. [TPA meetup]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/meeting/2025-10 Things to add already: - add hardware replacement plan to yearly roadmap, to solve the [manage the lifecycle of systems issue][] - OpenVox packaging [manage the lifecycle of systems issue]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/29304 We split the 2026 roadmap in "must have", "nice to have" and "won't do": ## Must have Recurring: - YEC (@lavamind) - regular upgrades and reboots, and other chores (stars) - no hardware replacements than the ones already planned with tails (dragon etc) Non-recurring: - tails moving to Prometheus, requires TPA prometheus server merge (because we need the space, mostly, @zen) - shift merge, which requires tails moving to prometheus (stars) - email mailboxes (TPA-RFC-45, @groente) - authentication merge phase 1 (after mailboxes, @groente) - completed trixie upgrades (stars) - SVN retirement or migration (@anarcat) - mailman merge (maybe delegate to tails team? @groente can followup) - MinIO migration / conversion to Garage? (@lelutin) - marble on community, blog, and www.tpo websites (@lavamind) - donate-neo CAPTCHA fixes (@anarcat / @lavamind) - TPA-RFC-38 wikis, perhaps just for TPA's wiki for starters? (@anarcat) - OpenVox packaging (@lavamind) ## Nice to have - RFC reform (maybe already done in 2025, @anarcat) - firewall merge, requires TPA and Tails to migrate to nftables (@zen) - Tails websites merge - Tails mirror coordination (postpone to 2027?) - Tails DNS merge - Tails TLS merge - (TPA?) in-person meeting (@anarcat) - reform deb.tpo, further idea for a roadmap to fix the tor debian package (@lelutin / @lavamind, filed as [tpo/tpa/team#42374][]) [tpo/tpa/team#42374]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/42374 Let's move that deb.tpo item list to an epic or issue. ## Won't do - backups merge (postponed to 2027) ## Observations - lots of stuff, hard to tell whether we'll be able to pull it off - we assigned names, but that's flexible - we don't know exactly when those things will be done, will be allocated in quarterly reviews - this is our wishlist, we need to get feedback from other teams, web team and perhaps team leads / ops meeting coming up about that # holidays vacation planning - zen AFK Jan 5 - 23 (3 weeks) - zen takes the two weeks holidays for tails - lelutin and lavamind share them for TPA - vacation calendar currently lost, but TPO closing weeks expected to be from dec 22nd to jan 2nd - announce your AFK times and add them to the calendar! # skill-share proposals We talked about doing skill-shares/trainings/presentations at our meetup. We still don't know when: during office hours, after check-ins? - Offer (zen): Tails Translation Platform setup (i.e. weblate + staging website + integration scripts) "What's new in TPA" kind of billboard. Presenter decides if it's mandatory, if it is, make it part of the regular meeting schedule. # RFC to ADR conversion Short presentation of the [ADR-95 proposal][]. [ADR-95 proposal]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0095-adr postponed # long term (2030) roadmap - review the tails merge roadmap - what's next for tpa? postponed # Next meeting Next week, to tackle the other two conversations we skipped above. # Metrics of the month * host count: 99 * number of Apache servers monitored: 33, hits per second: 705 * number of self-hosted nameservers: 6, mail servers: 12 * pending upgrades: 0, reboots: 0 * average load: 1.98, memory available: 4.4 TB/7.2 TB, running processes: 294 * disk free/total: 122.4 TB/228.4 TB * bytes sent: 545.6 MB/s, received: 354.9 MB/s * [GitLab tickets][]: 249 tickets including... * open: 0 * ~Roadmap::Icebox: 128 * ~Roadmap::Future: 42 * ~Needs Information: 3 * ~Roadmap::Backlog: 41 * ~Roadmap::Next: 20 * ~Roadmap::Doing: 12 * ~Needs Review: 4 * (closed: 4277) * [~Technical Debt][]: 12 open, 39 closed [Gitlab tickets]: https://gitlab.torproject.org/tpo/tpa/team/-/boards [~Technical Debt]: https://gitlab.torproject.org/groups/tpo/tpa/-/issues/?state=opened&label_n… Upgrade prediction graph lives at https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/trixie/ Now also available as the main Grafana dashboard. Head to <https://grafana.torproject.org/>, change the time period to 30 days, and wait a while for results to render. -- Antoine Beaupré torproject.org system administration

1 1

Anti-censorship team meeting notes, 2025-11-13
by Shelikhoo 13 Nov '25

13 Nov '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-11-13-16.00.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, November 20 16:00 UTC Facilitator:meskio ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * duplicatedcontainerimages is being removed == Discussion == * Move Snowflake Staging to team namespace (src shell) * Relicense uget to 3BSD (src shell) == Actions == * Remove webtunnel setuid script in 0 weeks.(This week!) == Interesting links == * https://opencollective.com/censorship-circumvention/projects/snowflake-dail… == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-11-13 Last week: - revised and merged proxy churn metrics (snowflake#40494) - helped debug rdsys error with goroutine profiles (rdsys!606) - worked on researching enumeration attacks (snowflake#40396) Next week: - deploy proxy churn metrics patch (snowflake#40494) - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2025-11-13 Last week: - multi-front support in meek (lyrebird#40027) - update teams wiki's how the team relates to other teams - register brdg.es domain name again (the registar lost it) Next week: - investigate the status of builtin bridges (team#141) Shelikhoo: 2025-11-13 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - Add sni-imitation syntex sugar option (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) - Remove setuid migration script after it have finished its work: Revert "Add state migration setuid script chown-states.sh" (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webt…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - Add sni-imitation syntex sugar option (cont.) onyinyang: 2025-11-06 Last week(s): - Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys#249 - Submitted talk proposal for Splintercon Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47/rdsys#248 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: meskio onyinyang shelikhoo 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue

1 0

User support report for October 2025
by ebanam 06 Nov '25

06 Nov '25

Hello everyone, This is the report from user support team for the month of October. Note: (↑), (↓) and (-) are indicating if the number of tickets we received for these topics have been increasing, decreasing or have been the same from the previous month respectively. - Summary of updates from user support - General user support - Farsi-speaking user support - Russian-speaking user support - Frontdesk (email user support channel) - Telegram, WhatsApp and Signal user support channels - Topics from the Tor Forum - Highlights from Google Play Store # Summary of updates from user support ## General user support * 464 tickets in total (↓463 as compared to September) * 283 tickets on Email * 148 tickets on Telegram * 16 tickets on Signal * 17 tickets on WhatsApp * With the major Tor Browser 15 update, we received one query about the "Custom" security level showing up on the browser. As noted on the [release blog post][]: > Users who have manually set javascript.options.wasm to "false" while > in the Standard security level will see their security level > represented as "Custom" instead. To mitigate any issues that may arise > with the browser's PDF reader, we encourage those users to switch the > preference back to "true", thereby passing management of Wasm over to > NoScript. [release blog post]: https://blog.torproject.org/new-release-tor-browser-150/ * We also received numerous tickets about Tor VPN beta, with the major topics being: - Users enquiring about [WebTunnel support][] for Tor VPN, which is a work in progress. - [Reports][] of Tor VPN beta downloaded from Aurora Store not working on Android devices without Google Mobile Service. - Some reports of the Tor VPN [app freezing][] when using the toggles in the 'Browser' section within the per-App configuration settings. [WebTunnel support]: https://gitlab.torproject.org/tpo/applications/vpn/-/issues/323 [Reports]: https://gitlab.torproject.org/tpo/applications/vpn/-/issues/395 [app freezing]: https://gitlab.torproject.org/tpo/applications/vpn/-/issues/394 ## Farsi-speaking user support * 34 tickets in total (↓49 as compared to September) * 4 tickets on Email * 30 tickets on Telegram * Last month, we started collecting some more specific feedback from users about how they were accessing Tor. Interestingly, we received a few queries from users using little-t tor (the network daemon) on Linux and even on Android (through the "Termux" terminal emulator on Android). * Some tickets from users testing and trying out the Tor VPN beta app as well. Overall Tor-powered VPN apps (like Orbot and Tor VPN beta) seem much more popular amongst the users as compared to Tor Browser, as internet is highly restricted. * We received some feedback that using Tor with Snowflake pluggable transport is working for users in Iran. ## Russian-speaking user support * 1193 tickets in total (↓852 as compared to September) * 199 tickets on Email * 982 tickets on Telegram * 7 tickets on Signal * 5 tickets on WhatsApp * The significant drop in tickets from Russia can be explained by improvements and new features in the @GetBridgesBot (Telegram). The bot now provides both obfs4 and WebTunnel bridges and allows users to copy bridge lines with a single click or tap, improving usability for mobile users. * Although internet access in Russia is already heavily restricted — with recent measures such as blocking calls on Telegram and WhatsApp — mobile internet is subject to even stricter limitations than home broadband. * [Internet censorship in Russia][] is intensifying: almost every day, we are receiving reports from users about the ‘white list’ or 'allow list' regime - a period of Internet restrictions, especially on mobile devices, when they can only visit websites and use applications from a special approved list, which includes only websites and applications based in Russia. At the moment, users have reported that Tor doesn't work to bypass such 'whitelist' restriction. [Internet censorship in Russia]: https://forum.torproject.org/t/help-find-working-method-to-circumvent-inter… * This month we tested new Snowflake domain fronting in Russia, which worked even with mobile internet. Users noted that the bootstrapping speed was slower when compared to WebTunnel or obfs4 bridges, and internet browsing speed was a bit slower as well, but the overall stability and performance are good. * We received a few tickets from users and testers of Tor VPN beta in Russia. The apps itself works but, with WebTunnel bridges not yet supported in Tor VPN beta, users are unable to use the app on mobile internet. That's it for the summary, following is a more detailed report about the tickets our user support team worked on last month. # Frontdesk (email user support channel) * 535(↓) RT tickets created * 486(↓) RT tickets resolved Tickets by topics and numbers: 1. 260(↓) tickets: instructions to circumvent censorship for Chinese speaking users. 2. 199(↓) tickets: circumventing censorship in Russian speaking countries. 3. 40(↓) tickets: help with troubleshooting existing Tor Browser install on Desktop (Windows, macOS and Linux). 4. 10(↓) tickets: questions, feedback and help with troubleshooting Tor VPN beta. 5. 4(↑) tickets: reports of websites blocking Tor connections or not performing well in Tor Browser. 6. 4(↓) tickets: circumventing censorship with Tor in Farsi. 7. 3(-) tickets: help with troubleshooting existing Tor Browser install on Android. 8. 3(-) tickets: help with instructions to download, install or properly uninstalling Tor Browser. 9. 2(↓) tickets: questions about which Tor app to install on iOS (i.e. Onion Browser or Orbot). 10. 2(-) tickets: question about onion services and how to access them. 11. 2(-) tickets: reports of fake apps on iOS AppStore masquerading as official Tor Browser. 12. 2(↑) tickets: question about installing extensions and add-ons on Tor Browser. 13. 1(↓) ticket: users seeing a "proxy refused" error when visiting websites on Tor Browser for Android using Samsung devices. 14. 1(↓) ticket: question about changes to the Security level settings on latest versions of Tor Browser. The browser prompts a restart when changing the Security Level for changes to properly take effect. 15. 1(-) ticket: instructions to download Tor Browser 13.5 legacy for legacy operating systems. 16. 1(-) ticket: help with installing Tor Browser on Desktop on Linux. 17. 1(↓) ticket: help with instructions to troubleshoot Tails operating system. 18. 1(↑) ticket: question about Tor Browser support on Arm Linux. # Telegram, WhatsApp and Signal user support channels * 1205(↓) tickets resolved Breakdown: * 1160(↓) tickets on Telegram * 23(↑) tickets on Signal * 22(↑) tickets on WhatsApp Tickets by topics and numbers: 1. 994(↓) tickets: circumventing censorship in Russian speaking countries. 2. 49(↓) tickets: instructions to circumvent censorship for Chinese speaking users. 3. 30(↓) tickets: circumventing censorship with Tor in Farsi. 4. 17(↓) tickets: questions, feedback and help with troubleshooting Tor VPN beta. 5. 13(↓) tickets: helping users on iOS, using Onion Browser or Orbot, to use censorship circumvention methods. 6. 7(↑) tickets: [GetBridgesBot freezes][] and stops sending bridges. 7. 6(↑) tickets: instructions to use WebTunnel bridges with Tor Browser. 8. 6(↑) tickets: instructions on how to get Tor Browser binaries from GetTor. 9. 6(↓) tickets: help with troubleshooting Tor Browser Desktop on Windows, macOS and Linux. 10. 5(-) tickets: questions about onion services and how to access them. 11. 4(↓) tickets: help with instructions to troubleshoot Tails operating system. 12. 3(-) tickets: users seeing a "proxy refused" error when visiting websites on Tor Browser for Android using Samsung devices. 13. 2(↓) tickets: help with installing Tor Browser on Desktop on Linux. 14. 2(↓) tickets: help with troubleshooting Tor Browser Android. 15. 2(-) tickets: help with instructions to use bridges with Orbot on Android. 16. 2(-) tickets: instructions to download Tor Browser 13.5 legacy for legacy operating systems. 17. 1(-) ticket: help with instructions to verify Tor Browser GPG signature. 18. 1(↓) ticket: help with using Snowflake with Tor to circumvent censorship. [GetBridgesBot freezes]: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/286 # Topics from the Tor Forum * A new home for Tor [user documentation][]. * Snowflake and Conjure inaccessible due to CND77 blockage, [try this workaround][]. [user documentation]: https://forum.torproject.org/t/a-new-home-for-tor-user-documentation/20732 [try this workaround]: https://forum.torproject.org/t/snowflake-and-conjure-inaccessible-due-to-cn… # Highlights from Google Play Store * Tor Browser for Android (TBA) had a Google Play rating of 4.4 stars in October, which is the same as compared to in September. * Tor Browser for Android (TBA) got 740 (↑16) new reviews. The total count of reviews for the app stands at 65,769. * Tor Browser for Android Alpha (TBA Alpha) app had a rating of 4.192 (↓0.004) in October which is lower as compared to in September. * In October, Tor Browser for Android Alpha (TBA Alpha) got 22 (↓10) new reviews. The total count of reviews for the app stands at 8,687. * We received a few comments and [reports][] of Tor Browser Android not working properly on certain Samsung and Motorola Android devices. [reports]: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43841 Thanks! -- ebanam

1 0

Anti-censorship team meeting notes, 2025-11-06
by onyinyang 06 Nov '25

06 Nov '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-11-06-16.00.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, November 13 16:00 UTC Facilitator:shelikhoo ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:onyinyang == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == * == Actions == * Remove webtunnel setuid script in 0 weeks.(This week!) == Interesting links == * https://opencollective.com/censorship-circumvention/projects/snowflake-dail… == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-11-06 Last week: - helped debug and look at profile output of rdsys (rdsys#249) - gave more feedback on latest iteration of snowflake churn tests - responded to IPtProxy issue with PTs and VPNs on android - https://github.com/tladesignz/IPtProxy/issues/73 Next week: - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-30 Last week: - SOTO recording - grant planning - multi-front support in meek (lyrebird#40027) Next week: - AFK Shelikhoo: 2024-11-04 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - SOTO recording + video - Add sni-imitation syntex sugar option (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - Add sni-imitation syntex sugar option (cont.) onyinyang: 2025-11-06 Last week(s): - Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys#249 - Submitted talk proposal for Splintercon Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47/rdsys#248 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- --- onyinyang GPG Fingerprint 3CC3 F8CC E9D0 A92F A108 38EF 156A 6435 430C 2036

1 0

sajolida's report for September 2025
by sajolida 01 Nov '25

01 Nov '25

Tails ===== Project 165 ----------- - Fixed all the less critical updates to our website for Tails 7.0: screenshots, style, advanced topics, etc.. (#20203) Overall, we applied more than 60 updates to our website and identified 10 other issues that were not triggered by Tails 7.0. - Wrote the lengthy release notes for Tails 7.0. (#21046) https://tails.net/news/version_7.0/ - Interviewed Joshua, an IT specialist who uses Tails both at work and at home. Despite Joshua not matching our personas, we learned a couple of interesting things. https://tails.net/contribute/how/user_experience/interviews/joshua/ - Updated the version of balenaEtcher and Rufus on our website. (#20989) Misc ---- - Made plans with intrigeri to migrate the homepage of Tor Browser in Tails to about:tor in time for the Year End Campaign. (#21003) - Removed the sponsors page from our website and tore down the infrastructure that we had to send newsletter to donors. * https://gitlab.torproject.org/tpo/team/-/work_items/399 * https://gitlab.torproject.org/tpo/team/-/work_items/382 Other Tor products ================== Tor Browser ----------- - Started preparing usability tests on the display of multi-path circuits (aka. Conflux) in Tor Browser Android and desktop. https://gitlab.torproject.org/tpo/ux/research/-/issues/168 Tor VPN ------- - Tested Tor VPN 1.0.0 Beta against the usability issues identified in August 2024 and reported 4 issues: * Connects despite being configured to use a bogus bridge https://gitlab.torproject.org/tpo/applications/vpn/-/issues/378 * Tapping on the circuit icon doesn't open the circuit view https://gitlab.torproject.org/tpo/applications/vpn/-/issues/379 * "No internet" displays network activity and app protection widgets on Internet deconnection https://gitlab.torproject.org/tpo/applications/vpn/-/issues/380 * Disable "Exit location" in "Configure" screen instead of hiding it when disconnected https://gitlab.torproject.org/tpo/applications/vpn/-/issues/382 -- sajolida The Tor Project — UX Designer

1 1

Anti-censorship team meeting notes, 2025-10-30
by meskio 30 Oct '25

30 Oct '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-30-16.00.html And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, November 6 16:00 UTC Facilitator:onyinyang ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == * == Actions == * Remove webtunnel setuid script in 1 weeks.(decrease this by one every week) == Interesting links == * == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-30 Last week: - responded to Abhishek about multipath routing to Tor bridge research - discussed Shadow simulations with UCSC students researching enumeration attacks - updated snowflake proxy README (snowflake#40290) - wrote a proxy churn patch for the snowflake broker (snowflake#40494) - commented on webtunnel sni-spoofing interface Next week: - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-30 Last week: - SOTO recording - grant planning - multi-front support in meek (lyrebird#40027) Next week: - AFK Shelikhoo: 2024-10-23 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - SOTO slide - merge request reviews Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - SOTO recordingh onyinyang: 2025-10-30 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - differing results connecting to conjure locally vs. from vantage point - investigating issues with the conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys #rdsys #249 - Presented at York University - Prepared (and submitting today) talk proposal for Splintercon - Outside of Tor: submitted MR to change Lox to rely on lox-extensions rather than lox-library (this is an updated anonymous credential implementation but functionality is the same) Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

Anti-censorship team meeting notes, 2025-10-23
by Shelikhoo 23 Oct '25

23 Oct '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-23-16.01.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, October 23 16:00 UTC Facilitator:meskio ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == This week: * CDN77 new domains? * there are few prospect domains that work in all our vantage points * we plan on selecting a couple and move back snowflake to those domains * SQS costs are considerable but not imposible, we might be able to enable it in more places * https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@… * Proposal: repeat proxy churn measurement at broker, but one for each pool this time * should we auto enable utls-authority? * continued from last week about making sni imitation easier to configure * it make easier to configure * will make servername means differerent thing, depending on whether utls is used == Actions == * Remove webtunnel setuid script in 1 weeks.(decrease this by one every week) == Interesting links == * https://github.com/EndPositive/slipstream * DNS tunnel, like dnstt, but using QUIC as the session protocol. The better congestion control of QUIC proves to be important in performance. * https://endpositive.github.io/slipstream/protocol.html * https://geedge-docs.haruue.com/geedge_docs/OM/attachments/129101971_attachm… * *orbot.app, *phpmyadmin.net, *cdn77.com FQDN patterns in a Geedge Networks file * https://github.com/net4people/bbs/issues/519#issuecomment-3417659641 * https://geedge-docs.haruue.com/mesalab_docs/study/attachments/27716171_atta… * 1h44m screenshare video presentation about Tor and hidden services (Chinese text and audio). == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-23 Last week: - discussed potential conjure blocking - researched snowflake enumeration attacks (snowflake#40396) - commented on spike in snowflake client polls (snowflake#40493) - updated snowflake builtin bridge line with new cdn77 fronts (tor-browser-build!1333) Next week: - research snowflake enumeration attacks (snowflake#40396) - watch and follow up on Moat and Connect Assist metrics with new netlify front - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-23 Last week: - fixed a bug with snowflake-graphs client-match overcounting by a factor of 2 https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/4 - restarted the snowflake broker for a VPS provider migration https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - refactoring towards fixing minor snowflake-graphs coverage bug https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-23 Last week: - SOTO preparation - grant planning - multi-front support in meek (lyrebird#40027) - look into snowflake bursts of requests (snowflake#40493) - lyrebird use go 1.22 in the CI Next week: - preparing SOTO presentation Shelikhoo: 2024-10-23 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - collect vantage point test result for fronting domains - SOTO script - merge request reviews Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - SOTO script onyinyang: 2025-10-23 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - differing results connecting to conjure locally vs. from vantage point - investigating issues with the conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys #rdsys #249 - Working on talk proposal for Splintercon + Presentation at York University Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 - Submit talk proposal for splintercon/present at York Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: meskio onyinyang shelikhoo 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue

1 1