- tor-project - lists.torproject.org

minutes from the sysadmin meeting
by Antoine Beaupré 17 Nov '25

17 Nov '25

This is your monthly dose of sysadmin meeting minutes! More coming next week, for people really into that stuff... # Roll call: who's there and emergencies All hands present. Dragon died, but situation stable, not requiring us to abort the meeting. # Express check-in We tried a new format for the check-in for our monthly meeting, to speed things up to leave more room for the actual discussions. How are you doing, and are there any blockers? Then pass the mic to the next person. # 2026 Roadmap review This is a copy of the notes from the [TPA meetup][]. Review and amend to get a final version. [TPA meetup]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/meeting/2025-10 Things to add already: - add hardware replacement plan to yearly roadmap, to solve the [manage the lifecycle of systems issue][] - OpenVox packaging [manage the lifecycle of systems issue]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/29304 We split the 2026 roadmap in "must have", "nice to have" and "won't do": ## Must have Recurring: - YEC (@lavamind) - regular upgrades and reboots, and other chores (stars) - no hardware replacements than the ones already planned with tails (dragon etc) Non-recurring: - tails moving to Prometheus, requires TPA prometheus server merge (because we need the space, mostly, @zen) - shift merge, which requires tails moving to prometheus (stars) - email mailboxes (TPA-RFC-45, @groente) - authentication merge phase 1 (after mailboxes, @groente) - completed trixie upgrades (stars) - SVN retirement or migration (@anarcat) - mailman merge (maybe delegate to tails team? @groente can followup) - MinIO migration / conversion to Garage? (@lelutin) - marble on community, blog, and www.tpo websites (@lavamind) - donate-neo CAPTCHA fixes (@anarcat / @lavamind) - TPA-RFC-38 wikis, perhaps just for TPA's wiki for starters? (@anarcat) - OpenVox packaging (@lavamind) ## Nice to have - RFC reform (maybe already done in 2025, @anarcat) - firewall merge, requires TPA and Tails to migrate to nftables (@zen) - Tails websites merge - Tails mirror coordination (postpone to 2027?) - Tails DNS merge - Tails TLS merge - (TPA?) in-person meeting (@anarcat) - reform deb.tpo, further idea for a roadmap to fix the tor debian package (@lelutin / @lavamind, filed as [tpo/tpa/team#42374][]) [tpo/tpa/team#42374]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/42374 Let's move that deb.tpo item list to an epic or issue. ## Won't do - backups merge (postponed to 2027) ## Observations - lots of stuff, hard to tell whether we'll be able to pull it off - we assigned names, but that's flexible - we don't know exactly when those things will be done, will be allocated in quarterly reviews - this is our wishlist, we need to get feedback from other teams, web team and perhaps team leads / ops meeting coming up about that # holidays vacation planning - zen AFK Jan 5 - 23 (3 weeks) - zen takes the two weeks holidays for tails - lelutin and lavamind share them for TPA - vacation calendar currently lost, but TPO closing weeks expected to be from dec 22nd to jan 2nd - announce your AFK times and add them to the calendar! # skill-share proposals We talked about doing skill-shares/trainings/presentations at our meetup. We still don't know when: during office hours, after check-ins? - Offer (zen): Tails Translation Platform setup (i.e. weblate + staging website + integration scripts) "What's new in TPA" kind of billboard. Presenter decides if it's mandatory, if it is, make it part of the regular meeting schedule. # RFC to ADR conversion Short presentation of the [ADR-95 proposal][]. [ADR-95 proposal]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/0095-adr postponed # long term (2030) roadmap - review the tails merge roadmap - what's next for tpa? postponed # Next meeting Next week, to tackle the other two conversations we skipped above. # Metrics of the month * host count: 99 * number of Apache servers monitored: 33, hits per second: 705 * number of self-hosted nameservers: 6, mail servers: 12 * pending upgrades: 0, reboots: 0 * average load: 1.98, memory available: 4.4 TB/7.2 TB, running processes: 294 * disk free/total: 122.4 TB/228.4 TB * bytes sent: 545.6 MB/s, received: 354.9 MB/s * [GitLab tickets][]: 249 tickets including... * open: 0 * ~Roadmap::Icebox: 128 * ~Roadmap::Future: 42 * ~Needs Information: 3 * ~Roadmap::Backlog: 41 * ~Roadmap::Next: 20 * ~Roadmap::Doing: 12 * ~Needs Review: 4 * (closed: 4277) * [~Technical Debt][]: 12 open, 39 closed [Gitlab tickets]: https://gitlab.torproject.org/tpo/tpa/team/-/boards [~Technical Debt]: https://gitlab.torproject.org/groups/tpo/tpa/-/issues/?state=opened&label_n… Upgrade prediction graph lives at https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/upgrades/trixie/ Now also available as the main Grafana dashboard. Head to <https://grafana.torproject.org/>, change the time period to 30 days, and wait a while for results to render. -- Antoine Beaupré torproject.org system administration

1 1

Anti-censorship team meeting notes, 2025-11-13
by Shelikhoo 13 Nov '25

13 Nov '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-11-13-16.00.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, November 20 16:00 UTC Facilitator:meskio ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * duplicatedcontainerimages is being removed == Discussion == * Move Snowflake Staging to team namespace (src shell) * Relicense uget to 3BSD (src shell) == Actions == * Remove webtunnel setuid script in 0 weeks.(This week!) == Interesting links == * https://opencollective.com/censorship-circumvention/projects/snowflake-dail… == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-11-13 Last week: - revised and merged proxy churn metrics (snowflake#40494) - helped debug rdsys error with goroutine profiles (rdsys!606) - worked on researching enumeration attacks (snowflake#40396) Next week: - deploy proxy churn metrics patch (snowflake#40494) - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2025-11-13 Last week: - multi-front support in meek (lyrebird#40027) - update teams wiki's how the team relates to other teams - register brdg.es domain name again (the registar lost it) Next week: - investigate the status of builtin bridges (team#141) Shelikhoo: 2025-11-13 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - Add sni-imitation syntex sugar option (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) - Remove setuid migration script after it have finished its work: Revert "Add state migration setuid script chown-states.sh" (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webt…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - Add sni-imitation syntex sugar option (cont.) onyinyang: 2025-11-06 Last week(s): - Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys#249 - Submitted talk proposal for Splintercon Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47/rdsys#248 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: meskio onyinyang shelikhoo 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue

1 0

User support report for October 2025
by ebanam 06 Nov '25

06 Nov '25

Hello everyone, This is the report from user support team for the month of October. Note: (↑), (↓) and (-) are indicating if the number of tickets we received for these topics have been increasing, decreasing or have been the same from the previous month respectively. - Summary of updates from user support - General user support - Farsi-speaking user support - Russian-speaking user support - Frontdesk (email user support channel) - Telegram, WhatsApp and Signal user support channels - Topics from the Tor Forum - Highlights from Google Play Store # Summary of updates from user support ## General user support * 464 tickets in total (↓463 as compared to September) * 283 tickets on Email * 148 tickets on Telegram * 16 tickets on Signal * 17 tickets on WhatsApp * With the major Tor Browser 15 update, we received one query about the "Custom" security level showing up on the browser. As noted on the [release blog post][]: > Users who have manually set javascript.options.wasm to "false" while > in the Standard security level will see their security level > represented as "Custom" instead. To mitigate any issues that may arise > with the browser's PDF reader, we encourage those users to switch the > preference back to "true", thereby passing management of Wasm over to > NoScript. [release blog post]: https://blog.torproject.org/new-release-tor-browser-150/ * We also received numerous tickets about Tor VPN beta, with the major topics being: - Users enquiring about [WebTunnel support][] for Tor VPN, which is a work in progress. - [Reports][] of Tor VPN beta downloaded from Aurora Store not working on Android devices without Google Mobile Service. - Some reports of the Tor VPN [app freezing][] when using the toggles in the 'Browser' section within the per-App configuration settings. [WebTunnel support]: https://gitlab.torproject.org/tpo/applications/vpn/-/issues/323 [Reports]: https://gitlab.torproject.org/tpo/applications/vpn/-/issues/395 [app freezing]: https://gitlab.torproject.org/tpo/applications/vpn/-/issues/394 ## Farsi-speaking user support * 34 tickets in total (↓49 as compared to September) * 4 tickets on Email * 30 tickets on Telegram * Last month, we started collecting some more specific feedback from users about how they were accessing Tor. Interestingly, we received a few queries from users using little-t tor (the network daemon) on Linux and even on Android (through the "Termux" terminal emulator on Android). * Some tickets from users testing and trying out the Tor VPN beta app as well. Overall Tor-powered VPN apps (like Orbot and Tor VPN beta) seem much more popular amongst the users as compared to Tor Browser, as internet is highly restricted. * We received some feedback that using Tor with Snowflake pluggable transport is working for users in Iran. ## Russian-speaking user support * 1193 tickets in total (↓852 as compared to September) * 199 tickets on Email * 982 tickets on Telegram * 7 tickets on Signal * 5 tickets on WhatsApp * The significant drop in tickets from Russia can be explained by improvements and new features in the @GetBridgesBot (Telegram). The bot now provides both obfs4 and WebTunnel bridges and allows users to copy bridge lines with a single click or tap, improving usability for mobile users. * Although internet access in Russia is already heavily restricted — with recent measures such as blocking calls on Telegram and WhatsApp — mobile internet is subject to even stricter limitations than home broadband. * [Internet censorship in Russia][] is intensifying: almost every day, we are receiving reports from users about the ‘white list’ or 'allow list' regime - a period of Internet restrictions, especially on mobile devices, when they can only visit websites and use applications from a special approved list, which includes only websites and applications based in Russia. At the moment, users have reported that Tor doesn't work to bypass such 'whitelist' restriction. [Internet censorship in Russia]: https://forum.torproject.org/t/help-find-working-method-to-circumvent-inter… * This month we tested new Snowflake domain fronting in Russia, which worked even with mobile internet. Users noted that the bootstrapping speed was slower when compared to WebTunnel or obfs4 bridges, and internet browsing speed was a bit slower as well, but the overall stability and performance are good. * We received a few tickets from users and testers of Tor VPN beta in Russia. The apps itself works but, with WebTunnel bridges not yet supported in Tor VPN beta, users are unable to use the app on mobile internet. That's it for the summary, following is a more detailed report about the tickets our user support team worked on last month. # Frontdesk (email user support channel) * 535(↓) RT tickets created * 486(↓) RT tickets resolved Tickets by topics and numbers: 1. 260(↓) tickets: instructions to circumvent censorship for Chinese speaking users. 2. 199(↓) tickets: circumventing censorship in Russian speaking countries. 3. 40(↓) tickets: help with troubleshooting existing Tor Browser install on Desktop (Windows, macOS and Linux). 4. 10(↓) tickets: questions, feedback and help with troubleshooting Tor VPN beta. 5. 4(↑) tickets: reports of websites blocking Tor connections or not performing well in Tor Browser. 6. 4(↓) tickets: circumventing censorship with Tor in Farsi. 7. 3(-) tickets: help with troubleshooting existing Tor Browser install on Android. 8. 3(-) tickets: help with instructions to download, install or properly uninstalling Tor Browser. 9. 2(↓) tickets: questions about which Tor app to install on iOS (i.e. Onion Browser or Orbot). 10. 2(-) tickets: question about onion services and how to access them. 11. 2(-) tickets: reports of fake apps on iOS AppStore masquerading as official Tor Browser. 12. 2(↑) tickets: question about installing extensions and add-ons on Tor Browser. 13. 1(↓) ticket: users seeing a "proxy refused" error when visiting websites on Tor Browser for Android using Samsung devices. 14. 1(↓) ticket: question about changes to the Security level settings on latest versions of Tor Browser. The browser prompts a restart when changing the Security Level for changes to properly take effect. 15. 1(-) ticket: instructions to download Tor Browser 13.5 legacy for legacy operating systems. 16. 1(-) ticket: help with installing Tor Browser on Desktop on Linux. 17. 1(↓) ticket: help with instructions to troubleshoot Tails operating system. 18. 1(↑) ticket: question about Tor Browser support on Arm Linux. # Telegram, WhatsApp and Signal user support channels * 1205(↓) tickets resolved Breakdown: * 1160(↓) tickets on Telegram * 23(↑) tickets on Signal * 22(↑) tickets on WhatsApp Tickets by topics and numbers: 1. 994(↓) tickets: circumventing censorship in Russian speaking countries. 2. 49(↓) tickets: instructions to circumvent censorship for Chinese speaking users. 3. 30(↓) tickets: circumventing censorship with Tor in Farsi. 4. 17(↓) tickets: questions, feedback and help with troubleshooting Tor VPN beta. 5. 13(↓) tickets: helping users on iOS, using Onion Browser or Orbot, to use censorship circumvention methods. 6. 7(↑) tickets: [GetBridgesBot freezes][] and stops sending bridges. 7. 6(↑) tickets: instructions to use WebTunnel bridges with Tor Browser. 8. 6(↑) tickets: instructions on how to get Tor Browser binaries from GetTor. 9. 6(↓) tickets: help with troubleshooting Tor Browser Desktop on Windows, macOS and Linux. 10. 5(-) tickets: questions about onion services and how to access them. 11. 4(↓) tickets: help with instructions to troubleshoot Tails operating system. 12. 3(-) tickets: users seeing a "proxy refused" error when visiting websites on Tor Browser for Android using Samsung devices. 13. 2(↓) tickets: help with installing Tor Browser on Desktop on Linux. 14. 2(↓) tickets: help with troubleshooting Tor Browser Android. 15. 2(-) tickets: help with instructions to use bridges with Orbot on Android. 16. 2(-) tickets: instructions to download Tor Browser 13.5 legacy for legacy operating systems. 17. 1(-) ticket: help with instructions to verify Tor Browser GPG signature. 18. 1(↓) ticket: help with using Snowflake with Tor to circumvent censorship. [GetBridgesBot freezes]: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/286 # Topics from the Tor Forum * A new home for Tor [user documentation][]. * Snowflake and Conjure inaccessible due to CND77 blockage, [try this workaround][]. [user documentation]: https://forum.torproject.org/t/a-new-home-for-tor-user-documentation/20732 [try this workaround]: https://forum.torproject.org/t/snowflake-and-conjure-inaccessible-due-to-cn… # Highlights from Google Play Store * Tor Browser for Android (TBA) had a Google Play rating of 4.4 stars in October, which is the same as compared to in September. * Tor Browser for Android (TBA) got 740 (↑16) new reviews. The total count of reviews for the app stands at 65,769. * Tor Browser for Android Alpha (TBA Alpha) app had a rating of 4.192 (↓0.004) in October which is lower as compared to in September. * In October, Tor Browser for Android Alpha (TBA Alpha) got 22 (↓10) new reviews. The total count of reviews for the app stands at 8,687. * We received a few comments and [reports][] of Tor Browser Android not working properly on certain Samsung and Motorola Android devices. [reports]: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43841 Thanks! -- ebanam

1 0

Anti-censorship team meeting notes, 2025-11-06
by onyinyang 06 Nov '25

06 Nov '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-11-06-16.00.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, November 13 16:00 UTC Facilitator:shelikhoo ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:onyinyang == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == * == Actions == * Remove webtunnel setuid script in 0 weeks.(This week!) == Interesting links == * https://opencollective.com/censorship-circumvention/projects/snowflake-dail… == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-11-06 Last week: - helped debug and look at profile output of rdsys (rdsys#249) - gave more feedback on latest iteration of snowflake churn tests - responded to IPtProxy issue with PTs and VPNs on android - https://github.com/tladesignz/IPtProxy/issues/73 Next week: - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-30 Last week: - SOTO recording - grant planning - multi-front support in meek (lyrebird#40027) Next week: - AFK Shelikhoo: 2024-11-04 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - SOTO recording + video - Add sni-imitation syntex sugar option (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - Add sni-imitation syntex sugar option (cont.) onyinyang: 2025-11-06 Last week(s): - Investigating rdsys#248 i.e., why dysfunctional webtunnel bridges are being distributed - Troubleshooting conjure not connecting in China - waiting for more information from conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys#249 - Submitted talk proposal for Splintercon Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47/rdsys#248 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- --- onyinyang GPG Fingerprint 3CC3 F8CC E9D0 A92F A108 38EF 156A 6435 430C 2036

1 0

Anti-censorship team meeting notes, 2025-10-30
by meskio 30 Oct '25

30 Oct '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-30-16.00.html And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, November 6 16:00 UTC Facilitator:onyinyang ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == * == Actions == * Remove webtunnel setuid script in 1 weeks.(decrease this by one every week) == Interesting links == * == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-30 Last week: - responded to Abhishek about multipath routing to Tor bridge research - discussed Shadow simulations with UCSC students researching enumeration attacks - updated snowflake proxy README (snowflake#40290) - wrote a proxy churn patch for the snowflake broker (snowflake#40494) - commented on webtunnel sni-spoofing interface Next week: - research snowflake enumeration attacks (snowflake#40396) - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-30 Last week: - made snowflake-graphs use SQLite as intermediate data representation rather than CSV https://gitlab.torproject.org/dcf/snowflake-graphs/-/merge_requests/3 - fixed a bug with snowflake-graphs undercounting coverage for certain rarely occurring levels of factors https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3#note_3281215 - opened an issue for coverage=2.00 in snowflake-stats descriptors during a time when 2 brokers were running simultaneously https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/5 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-30 Last week: - SOTO recording - grant planning - multi-front support in meek (lyrebird#40027) Next week: - AFK Shelikhoo: 2024-10-23 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - SOTO slide - merge request reviews Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - SOTO recordingh onyinyang: 2025-10-30 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - differing results connecting to conjure locally vs. from vantage point - investigating issues with the conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys #rdsys #249 - Presented at York University - Prepared (and submitting today) talk proposal for Splintercon - Outside of Tor: submitted MR to change Lox to rely on lox-extensions rather than lox-library (this is an updated anonymous credential implementation but functionality is the same) Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

Anti-censorship team meeting notes, 2025-10-23
by Shelikhoo 23 Oct '25

23 Oct '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-23-16.01.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, October 23 16:00 UTC Facilitator:meskio ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == This week: * CDN77 new domains? * there are few prospect domains that work in all our vantage points * we plan on selecting a couple and move back snowflake to those domains * SQS costs are considerable but not imposible, we might be able to enable it in more places * https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@… * Proposal: repeat proxy churn measurement at broker, but one for each pool this time * should we auto enable utls-authority? * continued from last week about making sni imitation easier to configure * it make easier to configure * will make servername means differerent thing, depending on whether utls is used == Actions == * Remove webtunnel setuid script in 1 weeks.(decrease this by one every week) == Interesting links == * https://github.com/EndPositive/slipstream * DNS tunnel, like dnstt, but using QUIC as the session protocol. The better congestion control of QUIC proves to be important in performance. * https://endpositive.github.io/slipstream/protocol.html * https://geedge-docs.haruue.com/geedge_docs/OM/attachments/129101971_attachm… * *orbot.app, *phpmyadmin.net, *cdn77.com FQDN patterns in a Geedge Networks file * https://github.com/net4people/bbs/issues/519#issuecomment-3417659641 * https://geedge-docs.haruue.com/mesalab_docs/study/attachments/27716171_atta… * 1h44m screenshare video presentation about Tor and hidden services (Chinese text and audio). == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-23 Last week: - discussed potential conjure blocking - researched snowflake enumeration attacks (snowflake#40396) - commented on spike in snowflake client polls (snowflake#40493) - updated snowflake builtin bridge line with new cdn77 fronts (tor-browser-build!1333) Next week: - research snowflake enumeration attacks (snowflake#40396) - watch and follow up on Moat and Connect Assist metrics with new netlify front - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-23 Last week: - fixed a bug with snowflake-graphs client-match overcounting by a factor of 2 https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/4 - restarted the snowflake broker for a VPS provider migration https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - refactoring towards fixing minor snowflake-graphs coverage bug https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-23 Last week: - SOTO preparation - grant planning - multi-front support in meek (lyrebird#40027) - look into snowflake bursts of requests (snowflake#40493) - lyrebird use go 1.22 in the CI Next week: - preparing SOTO presentation Shelikhoo: 2024-10-23 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - collect vantage point test result for fronting domains - SOTO script - merge request reviews Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - SOTO script onyinyang: 2025-10-23 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - differing results connecting to conjure locally vs. from vantage point - investigating issues with the conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys #rdsys #249 - Working on talk proposal for Splintercon + Presentation at York University Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 - Submit talk proposal for splintercon/present at York Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: meskio onyinyang shelikhoo 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue

1 1

Anti-censorship team meeting notes, 2025-10-16
by onyinyang 16 Oct '25

16 Oct '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-16-16.00.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, October 23 16:00 UTC Facilitator:shelikhoo ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:onyinyang == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == This week: * CDN77 new domains? * there are few prospect domains that work in all our vantage points * we plan on selecting a couple and move back snowflake to those domains * SQS costs are considerable but not imposible, we might be able to enable it in more places * https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@… == Actions == * Remove webtunnel setuid script in 2 weeks.(decrease this by one every week) == Interesting links == == Reading group == * We will discuss "The Internet Coup" on October 23rd * https://interseclab.org/wp-content/uploads/2025/09/The-Internet-Coup_Septem… * Particularly relevant sections: "Blocking online privacy and circumvention tools" section of InterSecLab report on Geedge Networks, mentions Tor, Snowflake, WebTunnel * Notes: https://github.com/net4people/bbs/issues/519#issuecomment-3282101626 * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-16 Last week: - helped with rdsys profiling - reviews and todos - worked on shadow experiments of enumeration attacks and defences - did some SQS rendezvous cost analysis - https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@… Next week: - research snowflake enumeration attacks (snowflake#40396) - watch and follow up on Moat and Connect Assist metrics with new netlify front - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-16 Last week: Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-16 Last week: - SOTO preparation - grant planning - P146 report - lyrebird CI using go 1.22 - issues triaging & merge reviews Next week: - preparing SOTO presentation Shelikhoo: 2024-10-16 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - SOTO script - backporting utls patch - updating lyrebird with patch - [MR] Update lyrebird version to v0.6.2: uTLS fix for chrome fingerprint imitation (https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_re…) - [MR] Use updated utls fork with aes grease fix to avoid detection of utls when chrome fingerprint is used (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) - [MR] Always use hostname in url for http host header in webtunnel transport (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - SOTO script - collect vantage point test result for fronting domains onyinyang: 2025-10-16 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - Deployed profiler to email distributor - Looking into GetBridgesBot freezes and stops sending bridgeshttps://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/286 Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Switch back to some of these: As time allows: Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- --- onyinyang GPG Fingerprint 3CC3 F8CC E9D0 A92F A108 38EF 156A 6435 430C 2036

1 0

User support report for September 2025
by ebanam 14 Oct '25

14 Oct '25

Hello everyone, This is the report from user support team for the month of September. Note: (↑), (↓) and (-) are indicating if the number of tickets we received for these topics have been increasing, decreasing or have been the same from the previous month respectively. - Summary of updates from user support - Farsi-speaking user support - Russian-speaking user support - General user support - Frontdesk (email user support channel) - Telegram, WhatsApp and Signal user support channels - Topics from the Tor Forum - Highlights from Google Play Store # Summary of updates from user support * With the release of Tor VPN Beta, we have received number of questions on how to get started testing the app, signing up for the beta through Play Store, questions and feedback about the app as well as help with troubleshooting on the Tor Forum [1] and other support channels. We are keeping track of these requests and feedback on our bug tracker.[2] * Last month, we answered a significant number of support requests for WebTunnel bridges. For some context, newer Telegram accounts were unable to request these bridges directly from our Telegram Bridge Distributor (@GetBridgesBot) and were therefore encouraged to contact us on our support channels. With the Telegram distributor now sharing WebTunnel bridges with all Telegram users [3], we are noticing a big drop in such requests in October. A big shoutout to onyinyang for implementing these changes to the Telegram Bridge Distributor! ## Farsi-speaking user support * 88 tickets in total (↓3 as compared to August) * 83 tickets on Telegram * 5 tickets on Email ## Russian-speaking user support * 2045 tickets in total (↓234 as compared to August) * 1883 tickets on Telegram * 160 tickets on Email * 2 tickets on Signal * In recent months, we've noticed that among the group of Russian-speaking users, we're now also receiving bridge requests every month from users in Belarus. Although the Tor usage in the country on Tor Metrics appears normal, we don't know whether some parts of Tor are being blocked there, and further investigation into possible Tor censorship in the country is needed. * On the Tor Forum, Russian users pointed out a new 'whitelisting' method being implemented in the country and how Tor is unable to connect during the 'curfew' hours.[4] ## General user support * 927 tickets in total (↓159 as compared to August) * 504 tickets on Email * 405 tickets on Telegram * 18 tickets on Signal * Bridges with WebTunnel pluggable transport working most reliably for users in China, we received a number of tickets with queries on how to obtain such bridges and how to use them in Tor Browser and Tails. That's it for the summary, following is a more detailed report about the tickets our user support team worked on last month. # Frontdesk (email user support channel) * 605(↓) RT tickets created * 669(↑) RT tickets resolved Tickets by topics and numbers: 1. 309(↓) tickets: instructions to circumvent censorship for Chinese speaking users. 2. 160(↓) tickets: circumventing censorship in Russian speaking countries. 3. 54(↑) tickets: help with troubleshooting existing Tor Browser install on Desktop (Windows, macOS and Linux). 4. 15(↑) tickets: questions, feedback and help with troubleshooting Tor VPN beta. 5. 7(↑) tickets: questions about which Tor app to install on iOS (i.e. Onion Browser or Orbot). 6. 5(↑) tickets: circumventing censorship with Tor in Farsi. 7. 3(↓) tickets: help with troubleshooting existing Tor Browser install on Android. 8. 3(↑) tickets: help with instructions to download, install or properly uninstalling Tor Browser. 9. 3(↑) tickets: reports of websites blocking Tor connections or not performing well in Tor Browser. 10. 3(↑) tickets: reports of email bridge distributor (bridges(a)torproject.org) not responding. The issue is resolved. 11. 3(↑) tickets: reports of DuckDuckGo's HTML page and search results displayed incorrectly on Safest security level.[5] 12. 2(-) tickets: question about onion services and how to access them. 13. 2(↑) tickets: reports of fake apps on iOS AppStore masquerading as official Tor Browser. 14. 2(↑) tickets: users seeing a "proxy refused" error when visiting websites on Tor Browser for Android using Samsung devices. 15. 2(↑) tickets: question about changes to the Security level settings on latest versions of Tor Browser. The browser prompts a restart when changing the Security Level for changes to properly take effect. 16. 2(↑) tickets: instructions to download Tor Browser 13.5 legacy for legacy operating systems. 17. 2(↑) tickets: question about installing extensions and add-ons on Tor Browser. 18. 1(-) ticket: help with installing Tor Browser on Desktop on Linux. 19. 1(↑) ticket: help with verifying Tor Browser's GPG signature. 20. 1(↑) ticket: report of Tor Browser conflicting with anti-virus installed on users' device. (It was a false alarm and the issue is resolved). 21. 1(↑) ticket: question on how DNS resolution works when using Tor (Browser). 22. 1(↑) ticket: help with setting up a Tor relay. # Telegram, WhatsApp and Signal user support channels * 2391(↓) tickets resolved Breakdown: * 2371(↓) tickets on Telegram * 20(↑) tickets on Signal * No tickets on WhatsApp Tickets by topics and numbers: 1. 1885(↓) tickets: circumventing censorship in Russian speaking countries. 2. 155(↓) tickets: WebTunnel bridge requests from users with newer Telegram accounts and unable to receive one from the @GetBridgesBot on Telegram. 3. 202(↓) tickets: instructions to circumvent censorship for Chinese speaking users. Note: There is a significant overlap in the WebTunnel bridge request tickets on our support channels and support requests from Russian and Chinese speaking users. 4. 83(↓) tickets: circumventing censorship with Tor in Farsi. 5. 36(↑) tickets: instructions to use WebTunnel bridges with Tor Browser. 6. 22(↑) tickets: questions, feedback and help with troubleshooting Tor VPN beta. 7. 20(↓) tickets: helping users on iOS, using Onion Browser or Orbot, to use censorship circumvention methods. 8. 12(↑) tickets: help with instructions to troubleshoot Tails operating system. 9. 7(↓) tickets: instructions on how to get Tor Browser binaries from GetTor. 10. 5(↑) tickets: questions about onion services and how to access them. 11. 10(↓) tickets: help with troubleshooting Tor Browser Desktop on Windows, macOS and Linux. 12. 4(↓) tickets: help with using Snowflake with Tor to circumvent censorship. 13. 3(↓) tickets: users seeing a "proxy refused" error when visiting websites on Tor Browser for Android using Samsung devices. 14. 3(↑) tickets: help with installing Tor Browser on Desktop on Linux. 15. 3(↓) tickets: help with troubleshooting Tor Browser Android. 16. 2(↓) tickets: help with instructions to use bridges with Orbot on Android. 17. 2(↑) tickets: instructions to download Tor Browser 13.5 legacy for legacy operating systems. 18. 2(↑) tickets: help with troublehsooting tor, the network daemon, aka little-t tor. 19. 1(↓) ticket: instructions to verify Tor Browser's GPG signature. 20. 1(↑) ticket: reports of DuckDuckGo's HTML page and search results displayed incorrectly on Safest security level. 21. 1(↑) ticket: can't install Tor Browser for macOS when downloading the dmg file from Telegram GetTor.[6] # Topics from the Tor Forum * Help us test the new Tor User Support Portal.[7] Highlighting some other discussion topics and, in general, frequently asked questions on our support forums: * Should I set Tor Browser as my default browser? [8] * Tor support and discussion channel.[9] * Images uploaded on Tor Browser (Desktop and Android) are randomized for Canvas Fingerprinting protection.[10] # Highlights from Google Play Store * Tor Browser for Android (TBA) had a Google Play rating of 4.4 (↑0.008) stars in September, which is higher as compared to in August. * In September, Tor Browser for Android (TBA) got 724 (↓46) new reviews. The total count of reviews for the app stands at 65,186. * Tor Browser for Android Alpha (TBA Alpha) app had a rating of 4.196 (↑0.016) in September, which is higher as compared to in August. * In September, Tor Browser for Android Alpha (TBA Alpha) got 32 (↑2) new reviews. The total count of reviews for the app stands at 8,671. * The major concern that Tor Browser users express in the comments is regarding the browsing speed. This issue is currently under investigation [11]. * Also there are many comments from users in regions where Tor is censored and whenever possible, we are encouraging users to reach out to our support channels directly. Thanks! -- ebanam [1]: https://forum.torproject.org/tag/torvpn-beta [2]: https://gitlab.torproject.org/tpo/community/support/-/issues/40225 [3]: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/589 [4]: https://forum.torproject.org/t/help-find-working-method-to-circumvent-inter… [5]: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/44239 [6]: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4… [7]: https://forum.torproject.org/t/tor-project-soft-release-help-us-test-the-ne… [8]: https://forum.torproject.org/t/tor-browser-as-default-browser/20580 [9]: https://forum.torproject.org/t/tor-users-chats/20569 [10]: https://forum.torproject.org/t/why-cant-i-upload-images-using-the-tbb/20525 [11]: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43841

2 1

Anti-censorship team meeting notes, 2025-10-09
by meskio 09 Oct '25

09 Oct '25

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-09-16.00.html And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, October 16 16:00 UTC Facilitator:onyinyang ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator: meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == == Discussion == * Reported blocking of www.cdn77.com by SNI, blocking of STUN servers in Russia, 2025-09-21 * https://github.com/net4people/bbs/issues/422#issuecomment-3316062302 * "I've noticed that stun protocol was blocked from mid-summer till today (it worked in June last time when I've used public stun to punch through NAT). Seems that only stun to public stun servers like stun.l.google.com, stun.bethesda.net were affected. Stun between webtunnel client and other webtunnel peer is not affected as can be seen in attached captures below. The only stun server that was accessible all that time was stun.rtc.yandex.net (of all the gists and lists of public stun servers I could find)." * "Had to change front though ... where <...> is another website using cdn77 I know. www.cdn77.com is blocked by SNI (session freezes after client hello), and www.phpmyadmin.net, though it doesn't cause hetzner to be blocked anymore, might cause stricter filtering or other side-effects." * We've been testing netlify in the alpha channel of Tor Browser, maybe it is time to use it in stable. * cdn77 domain fronts are already known to be blocked in China * https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168 * meskio has a list of cdn77 domain names. * https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/168#note_32… * Could prioritize adding multiple builting snowflake bridge options * https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43842 * onyinyang will make a forum post with workarounds * CDN77 blocking (new oct 09) * suspected blocking of phpmyadmin.net in Belarus: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/iss… * Tor Browser 14.5.8 shipped on October 7 and 15.0 is expected to ship at the end of October * Snowflake builtin bridge line now uses netlify: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_re… * Moat and Connect Assist should use netlify settings in stable now: https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… * Netlify has limits on total data transfer and number of requests * we plan to keep using netlify for moat * next week we'll have tests results on what domain names work for CDN77 and switch snowflake to use one of them * the post on the forum is life * https://forum.torproject.org/t/snowflake-and-conjure-inaccessible-due-to-cn… * maintain go 1.22 in PT clients * https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4… * shelikhoo has been backporting security patches * we need to bring 1.22 back to the snowflake CI for the client * let's use 1.22 in lyrebird's CI * Decide whether to simplify webtunnel setting for sni imitation use case * https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre… == Actions == * Remove webtunnel setuid script in 2 weeks.(decrease this by one every week) == Interesting links == * Mention of snowflake SNIs in the galaxy/platform/galaxy-qgw-service repo of MESA Git. The filenames include "E21" which is Ethiopia. * https://geedge-git.haruue.com/mesalab_git/galaxy/platform/galaxy-qgw-servic… E21-SNI-Top120W-20221020.txt snowflake-broker.freehaven.net 903971 110 snowflake-broker.torproject.net 8667377 55 snowflake-broker.bamsoftware.com 1611029 49 snowflake.torproject.net 105990565 16 snowflake.freehaven.net 24545 6 E21-SNI-Top200w.txt snowflake-broker.bamsoftware.com 14468 snowflake-broker.torproject.net 50 snowflake.bamsoftware.com 8 * https://geedge-git.haruue.com/mesalab_git/galaxy/platform/galaxy-qgw-servic… * "Galaxy SQL, the unified query gateway, is built with Spring Boot 2.0 technology. It provides interactive SQL analysis and routine scheduling windows, supports streaming and batch jobs, and makes it easier to write and submit ETL programs and efficiently execute big data computations, aiming to make big data processing easier." * Mention of torproject.net domain names in tango/maat/test/tsgrule/TSG_OBJ_FQDN.E21. TSG is Tiangou Secure Gateway, E21 is Ethiopia, Maat is a rules matching engine. * https://geedge-git.haruue.com/mesalab_git/tango/maat.git/tree/test/tsgrule?… 592177551 151465 .snowflake-broker.torproject.net 0 1 0 1 1683275236000000 0 key=592177551 592561443 151465 .snowflake.torproject.net 0 1 0 1 1683275236000000 0 key=592561443 592691531 151465 .forum.torproject.net 0 1 0 1 1683275236000000 0 key=592691531 594169529 151469 snowflake-broker.torproject.net 0 3 0 1 1683276253000000 0 key=594169529 594553421 151469 snowflake.torproject.net 0 3 0 1 1683276253000000 0 key=594553421 594683509 151469 forum.torproject.net 0 3 0 1 1683276253000000 0 key=594683509 * You can decode the microsecond timestamps like so: $ date -u --iso=sec --date=@1683275236 2023-05-05T08:27:16+00:00 * https://filter.watch/english/2025/10/02/irans-stealth-blackout-a-multi-stak… * https://filter.watch/wp-content/uploads/sites/2/2025/10/Click-here-to-read-… * Discussion of Tor starting on PDF page 23 == Reading group == * We will discuss "The Internet Coup" on October 23rd * https://interseclab.org/wp-content/uploads/2025/09/The-Internet-Coup_Septem… * Particularly relevant sections: "Blocking online privacy and circumvention tools" section of InterSecLab report on Geedge Networks, mentions Tor, Snowflake, WebTunnel * Notes: https://github.com/net4people/bbs/issues/519#issuecomment-3282101626 * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-09 Last week: - updated snowflake builtin bridge line in Tor Browser (tor-browser-build#41574) - followed up with applications team about Moat and Connect Assist settings in the stable release - commented on increase of tickets in Belarus (censorship-analysis#40067) - researched snowflake enumeration attacks (snowflake#40396) - released and deployed version 0.9.7 Next week: - research snowflake enumeration attacks (snowflake#40396) - watch and follow up on Moat and Connect Assist metrics with new netlify front - follow up on snowflake rendezvous failures (snowflake#40447) - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-09 Last week: Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… Help with: meskio: 2024-10-09 Last week: - SOTO preparation - grant planning - finding CDN77 domain fronts (team#168) - remove backend deadlock (rdsys!597) - investigate Telegram distributor silence (rdsys#286) Next week: - P146 report Shelikhoo: 2024-10-09 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) testing environment setup/research - Published Snowflake UDP mode test post: https://forum.torproject.org/t/invitation-to-test-snowflake-unreliable-tran… - vantage point maintaince - deploy new vantage point version with fixed performance - [MR]Always use hostname in url for http host header in webtunnel transport. (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyre…) Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… ) Building custom Tor Browser with patch applied - SOTO script - collect vantage point test result for fronting domains onyinyang: 2025-10-02 Last week(s): - Deployed updated telegram distributor distributing a proportion of webtunnel bridges to telegram users with new accounts https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/283 - Managed some hiccups in the updated deployment - Wrote profiling patch for rdsys: kraken and email - Looked into conjure issue from China: fronts we are using appear to be blocked Next week: - Troubleshoot conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully - Continue looking into bridgestrap#47 - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Switch back to some of these: As time allows: Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conj… - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests… - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096) - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) Help with: - Should we do user testing of covert-dtls? Facilitator Queue: onyinyang shelikhoo meskio 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

minutes from the sysadmins
by Antoine Beaupré 07 Oct '25

07 Oct '25

# Roll call: who's there and emergencies all folks on the team present # Normal check-in Went through the normal per person check-in. # Roadmap review (Q4) postponed to next week # Other discussions ## incident response proposal feedback: - good to have procedure, nice that we can keep it simple and the complexity is optional - do we want to document *when* we need to start the procedure? some incidents are not documented right now... yes. - unclear exactly what happens, when roles get delegated... current phrasing implies the original worker is the only one who can delegate - people can bump in and join the team, e.g. "seems like you need someone on comms, i'll start doing that, ok?" - add examples of past or theoretical incidents to the proposal to clarify the process - residual command position, once all roles have been delegated, should default to team lead? it's typically the team lead's role to step in those situation, and rotate into that role - no pager escalation - define severity - discomfort at introducing military naming, we can call it incident lead anarcat will work on improvements to the proposal following the discussion. # Next meeting Next week, we'll try to work again on the roadmap review. # Metrics of the month * host count: 99 * number of Apache servers monitored: 33, hits per second: 659 * number of self-hosted nameservers: 6, mail servers: 99 * pending upgrades: 0, reboots: 0 * average load: 3.40, memory available: 4.1 TB/7.2 TB, running processes: 276 * disk free/total: 106.2 TB/231.7 TB * bytes sent: 564.3 MB/s, received: 382.2 MB/s * [GitLab tickets][]: 248 tickets including... * open: 1 * ~Roadmap::Icebox: 126 * ~Roadmap::Future: 43 * ~Needs Information: 3 * ~Roadmap::Backlog: 38 * ~Roadmap::Next: 16 * ~Roadmap::Doing: 15 * ~Needs Review: 6 * (closed: 4227) * [~Technical Debt][]: 11 opened, 35 closed [Gitlab tickets]: https://gitlab.torproject.org/tpo/tpa/team/-/boards [~Technical Debt]: https://gitlab.torproject.org/groups/tpo/tpa/-/issues/?state=opened&label_n… -- Antoine Beaupré torproject.org system administration

1 0