- tor-project - lists.torproject.org

Anti-censorship meeting notes, 2021 August 26
by Cecylia Bocovich 01 Sep '21

01 Sep '21

Hey everyone! This is a little late, but here were our logs from the meeting last week: http://meetbot.debian.net/tor-meeting/2021/tor-meeting.2021-08-26-15.59.html and here is our meeting pad: Anti-censorship work meeting pad -------------------------------- Next meeting: Thursday August 19th 16:00 UTC Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) == Goal of this meeting == Weekly checkin about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at Tor. == Announcements == Job opening on the anti-censorship team: https://www.torproject.org/about/jobs/software-developer-anticensorship-2/ \o/ == Discussion == == Actions == == Interesting links == USENIX Security 2021 papers https://www.usenix.org/conference/usenixsecurity21/technical-sessions "Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications" https://www.usenix.org/conference/usenixsecurity21/presentation/wei "How Great is the Great Firewall? Measuring China's DNS Censorship" https://www.usenix.org/conference/usenixsecurity21/presentation/hoang "Balboa: Bobbing and Weaving around Network Censorship" https://www.usenix.org/conference/usenixsecurity21/presentation/rosen "Weaponizing Middleboxes for TCP Reflected Amplification" https://www.usenix.org/conference/usenixsecurity21/presentation/bock "Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations" https://www.usenix.org/conference/usenixsecurity21/presentation/nasr == Reading group == We will discuss "" on Questions to ask and goals to have: What aspects of the paper are questionable? Are there immediate actions we can take based on this work? Are there long-term actions we can take based on this work? Is there future work that we want to call out, in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): last updated 2021-08-26 Last week: - hiring tasks for ac team and network team - mostly just s28 integration/scrimmage - more work on making OONI's tor tests look more like tor - helped plan tor's autoconnect feature This week: - more hiring and s28 meetings - censorship measurement tests and tools - reviews - snowflake!52 followup - snowflake#25595 followup - lots of miscellaneous gitlab TODOs Needs help with: arlolra: 2021-08-12 Last week: - Migrate to v3 of the webextension manifest Next week: - Maybe get back to snowflake-webext #10 - Write up the pitch for our use case for supporting creating PeerConnections in background service workers https://github.com/w3c/webrtc-extensions/issues/77 Help with: - dcf: 2021-08-19 Last week: - snowflake CDN bookkeeping https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Snowflake-co… - posted a summary of the Turkmenistan situation https://ntc.party/t/recent-drop-in-tor-users-from-turkmenistan-testers-want… https://gitlab.torproject.org/tpo/community/support/-/issues/40030 Next week: Help with: agix:2021-07-15 Last week: -Off due to final exams Next week: -Work on bridgebox for rdsys -More research on httpt #4 Help with: - hanneloresx: 2021-3-4 Last week: - Submitted MR for bridgestrap issue #14 Next week: - Finish bridgestrap #14 - Find new issue to work on Help with: - maxb: 2021-07-15 Last week: - Opened https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… re: utls for broker negotiation - Worked on github.com/max-b/nat-testing for https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - Added a snowflake-proxy-no-nat and a snowflake-client-no-nat to help with debugging - Successfully making connections from snowflake-client and snoflake-client-no-nat through the snowflake-proxy-no-nat, but not having any success with the snowflake-proxy (with nat). - Added a local dockerized STUN server Next week: - Use wireshark to figure out the difference between successful snowflake-proxy-no-nat and unsuccessful snowflake-proxy-nat - Work on implementing different NAT types, particularly in a way that's conducive to automatic testing - Add testing wrapper w/ "pass/fail" conditions meskio: 2021-08-26 Last week: - make bridgestrap CollecTor metrics resistant to restarts (bridgestrap#22) - change bridgedb to send obfs4 bridges by default over email (bridgedb#50) - review gettor upload script mr (gettor!17) - review docker-obfs4-bridge multi arch build (docker-obfs4-bridge!4) - review docker-obfs4-bridge fix for the new debian release (docker-obfs4-bridge!3) - review new translations for GettorWeb (gettor-web!7) Next week: - make censorship snapsot available on moat (bridgedb#40025) - act on comments on rdsys-gettor (rdsys!11) Help with: -

1 0

Monthly status report for irl
by Iain R. Learmonth 01 Sep '21

01 Sep '21

Hi All, This is my monthly status report for work complete during August 2021. This will be my last status report for this contract, please direct all queries about metrics tooling going forward to the network health team. I released and deployed updates for CollecTor to archive bridgestrap data. This is currently disabled until the bridgestrap results can be declared stable by the anti-censorship team. If you're interested in following this, see: https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/issues/25 I completed an update to Onionoo that reads in this data from CollecTor and will use the bridgestrap test result to override the Running flag from the bridge authority, such that bridges with their OR ports hidden do not always show as offline, instead using the reachability of their PT port. I have spent time focussed on getting hiro up to speed on working with the Metrics codebases. During August, we saw releases of metrics-lib and Onionoo, including work on the overload-* lines in server/extra-info descriptors, that should give new insights into bottlenecks in the network. Finally, I have been around in Matrix/IRC to answer Metrics questions and on occasion to provide a little end-user support in #tor. Thanks, Iain.

1 0

Onionoo 8.0-1.28.0 released
by Silvia/Hiro 30 Aug '21

30 Aug '21

Hi, I have released Onionoo 8.0-1.28.0. Onionoo provides current and historical data about relays and bridges via a web-based API. * Medium changes - Reads bridgestrap statistics from CollecTor. - If a bridgestrap test has been recently performed, the result of that test will override the presence of the Running flag. If no test has been recently performed, the flags present in the bridge network status continue to be used. Note: the presence of the running flag determines the value of the "running" field in details documents. - Allow search by overload status * Minor changes - The overload-general server descriptor should be null when not present and not 0 You can find the release at: https://dist.torproject.org/onionoo/8.0-1.28.0/ You can find the sources at: https://gitlab.torproject.org/tpo/metrics/onionoo/-/tree/onionoo-8.0-1.28.0/ Thanks, hiro

1 0

Tor's Bug Smash Fund: Fundraising Campaign
by Al Smith 27 Aug '21

27 Aug '21

Hello Tor! Today, the Tor Project is launching our *third* annual *Bug Smash Fund*,[1] a month-long fundraising campaign (8/1 - 8/31). The goal of the Bug Smash Fund campaign is to raise unrestricted funds that we allocate to finding and fixing bugs / doing maintenance / and addressing issues that aren’t flashy or exciting for most funders, but totally necessary for the health of Tor and all of the third-party apps that rely on Tor to provide privacy, security, and anonymity to their users. Unrestricted funding, like what we’re raising for the Bug Smash Fund, is key for the Tor Project to improve our agility and stop relying on the slow, piecemeal process of grant funding in order to accomplish our goals and respond to emergent issues. _*In the last two years, we’ve used the Bug Smash Fund to close 370 tickets*_ ranging from anti-censorship development, onion services changes, improvements to documentation, Tor Browser UX changes, and creating tooling for development. We posted two updates over the past year where you can read more about what we were able to do with this fund.[2][3] We need your help to amplify the campaign! How to help: * Tweet about the Bug Smash Fund using the #TorBugSmash and a link to our launch blog post. * Quote tweet @torproject posts about the Bug Smash Fund with your own take about why unrestricted funds are so important for the health of Tor. * Forward this email to those who might be able to amplify the campaign. How you can contribute: * Make a one-time donation <https://donate.torproject.org/> (and get swag like Tor stickers and t-shirts in return) * Donate in ten different cryptocurrencies <https://donate.torproject.org/cryptocurrency/> * Become a monthly donor and your own Defenders of Privacy patch <https://donate.torproject.org/monthly-giving/> * Make a contribution of $1,000 and join the major donor group Champions of Privacy <https://donate.torproject.org/champions-of-privacy/> * Transfer your Open Collective gift card <https://opencollective.com/thetorproject> If you have any questions about or ideas for the Bug Smash Fund campaign, please email me or Isabela or grants(a)torproject.org, we would be happy to discuss. Thanks everyone! Al [1] https://blog.torproject.org/tor-bug-smash-fund-2021 [2] https://blog.torproject.org/tor-bug-smash-fund-2020-final-update [3] https://blog.torproject.org/tor-bug-smash-fund-yr2-progress -- Al Smith (they/them) Fundraising • Communications The Tor Project https://www.torproject.org | http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/

1 1

Debian 11 bullseye released!
by Antoine Beaupré 27 Aug '21

27 Aug '21

Hi everyone, The latest release of Debian, the operating system running on all the machines managed by the Tor Project system Administrators (TPA), has been published! We're at release eleven, code name "buster". The press release is here: https://www.debian.org/News/2021/20210814 And nerds might particularly enjoy the release notes: https://www.debian.org/releases/bullseye/amd64/release-notes/index.en.html On top of the above, Debian 11 ships with tor 0.4.5 while the previous release (Debian 10 "buster") shipped with 0.3.5, back in 2019. Doesn't time fly? (And yes, that's just two years - who said Debian was slow?) As for TPA, we'll probably start upgrading machines to bullseye soon, but it's a slow process, and it's not actually on the 2021 roadmap yet, so that process *may* just start in 2022. We will, however, try very hard to avoid creating any more "old" machines, which means that any new machine you request from here on will run the latest and greated, Debian 11 bullseye. This may mean a slightly bumpier ride, for example if you expect some Python 2 packages, they might just be missing as there's been a large push to remove Python 2 from Debian (which unfortunately did not completely succeed). Another example is how the "debian:latest" Docker image was broken for a few days after the release. That issue has now been *fixed*, so you can resume using the "debian:latest" and "greatest" (not an actual tag ;) for your GitLab CI builds! The "known issues" section of the release notes has a lot more information than what would be practical to copy here: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information… Finally note that I wrote an upgrade guide for my own uses: https://anarc.at/services/upgrades/bullseye/ Note that it's a highly technical guide aimed at upgrading many machines as quickly as possible. If you have a single laptop or desktop to upgrade, you might want to follow the normal upgrade guide: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.e… ... but I did use it for my home machine, and a similar guide will eventually be published (and maintained) by TPA for our own infrastructure. So that's it, enjoy the new release! a. -- Antoine Beaupré torproject.org system administration

1 1

((Tor Demo Day)) Next Wednesday, August 25th 2021, 1600 UTC
by gus 25 Aug '21

25 Aug '21

Dear Tor contributors, Next Wednesday, August 25th @ 1600 UTC, we will have a Tor Demo Day! You're invited! This edition will have presentations about Tor & CAPTCHAs, running relays at universities, helping Tor users, and exit bridges to circumvent blocked pages. To ensure a safe, friendly, and pleasant experience during the event, we ask all participants to read and follow the Tor Project Code of Conduct: https://community.torproject.org/training/code-of-conduct/ The presentation will be recorded. Agenda ------ * "CAPTCHA Monitor: Check if websites block Tor or return CAPTCHAs using real web browsers!" by Barkin Simsek (woswos) * "Tor Captcha and Block Monitoring" (GSoC 2021) by Apratim (_ranchak_) * "Help Tor users" (Outreachy 2021) by Kulsoom * "HebTor: Bypassing Tor Exit Blocking" by Micah Sherr * "Operating Tor Relays at Universities" by kantorkel Meeting room ------------ https://tor.meet.coop/gus-viu-5wr-7cb Full description ---------------- * "CAPTCHA Monitor: Check if websites block Tor or return CAPTCHAs using real web browsers!" - Barkin Simsek (woswos) The CAPTCHA Monitor project aims to track how often various websites block or return CAPTCHAs to Tor clients. The project aims to achieve this by fetching webpages via both Tor & other mainstream web browsers and comparing the results. The tests are repeated periodically to find the patterns over time. Collected metadata, metrics, and results are analyzed and displayed on a dashboard to understand how Tor users get discriminated against while using browsing the internet. * "Tor Captcha and Block Monitoring" - Apratim (_ranchak_) The Project focuses on tracking top websites from alexa/moz500 ranking and aims to get a detailed knowledge of the websites partially blocking, fully blocking or returning Captchas or even websites limiting functionalities. The results will be then collected and will be used to find the answers to different metric related questions (Example: What percentages of websites are blocked by a certain exit node). Further I hope that the metrics could be useful for the campaign to unblock Tor and even the DBM (DontBlockMe) Project * "Help Tor Project support our users" - Kulsoom Zahra During her internship with the Tor Project and Outreachy, Kulsoom Zahra helped Tor users to bypass censorship, fix their Tor Browsers, updated the Tor user documentation and much more. She will share with us her experience on helping Tor users. * "HebTor: Bypassing Tor Exit Blocking" - Micah Sherr Tor exit blocking, in which websites disallow clients arriving from Tor, is a growing and potentially existential threat to the anonymity network. We introduce two architectures that provide ephemeral exit bridges for Tor which are difficult to enumerate and block. Our techniques employ a micropayment system that compensates exit bridge operators for their services, and a privacy-preserving reputation scheme that prevents freeloading. We show that our exit bridge architectures effectively thwart server-side blocking of Tor with little performance overhead. https://seclab.cs.georgetown.edu/hebtor/ * "Operating Tor Relays at Universities" by kantorkel We* report on our experience of operating exit relays at two German universities and provide lessons learned. (*) https://arxiv.og/abs/2106.04277 -- The Tor Project Community Team Lead

1 1

Onionoo 8.0-1.27.0 released
by Silvia/Hiro 23 Aug '21

23 Aug '21

Hi, I have released Onionoo 8.0-1.27.0. Onionoo provides current and historical data about relays and bridges via a web-based API. * Medium changes - Add overload-ratelimits and overload-fd-exhausted ExtraInfo descriptor line fields to the bandwidth document. - Add overoload-general server descriptor line fields to the details document. * Minor changes - Update to metrics-lib 2.19.0 You can find the release at: https://dist.torproject.org/onionoo/8.0-1.27.0/ You can find the sources at: https://gitlab.torproject.org/tpo/metrics/onionoo/-/tree/onionoo-8.0-1.27.0/ Thanks, hiro

1 0

Anti-censorship meeting notes, 2021 August 19
by Cecylia Bocovich 19 Aug '21

19 Aug '21

Hi everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2021/tor-meeting.2021-08-19-16.00.html and our meeting pad: Anti-censorship work meeting pad -------------------------------- Next meeting: Thursday August 19th 16:00 UTC Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) == Goal of this meeting == Weekly checkin about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at Tor. == Announcements == Job opening on the anti-censorship team: https://www.torproject.org/about/jobs/software-developer-anticensorship-2/ \o/ == Discussion == - v3 of the webext manifest doesn't support creating peerconnections in the background - last time: - we will present our need to https://github.com/w3c/webrtc-extensions/issues/77 to encourage them to permit WebRTC in service workers - no updates this week: cohosh will take over drafting a comment for the linked issue - Tor and obfs4/meek blocking in TM: https://gitlab.torproject.org/tpo/community/support/-/issues/40030 - last time: - https://metrics.torproject.org/userstats-relay-country.html?start=2021-05-1… - ggus found a volunteer to help with testing. obfs4, meek-azure, and snowflake did not work; a private obfs4 bridge worked. - http://emma.mhgb.net/ was not reachable, so ggus set up a mirror at http://emma.gus.computer/ - our tester is having difficulty installing a recent Tor browser on an old Windows computer - will ask to install ooniprobe - cohosh will ask OONI (arturo and maria) for contacts in TM - Snowflake reporting its own connection failures and sending messages to tor logs - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - useful for diagnosing failures to connect, by users or our own testing, without having to enable the snowflake-client log file - e.g. using PT protocol LOG or STATUS messages - Ukraine is experiencing an increase in relay users - https://metrics.torproject.org/userstats-relay-country.html?country=ua - in the past this was due to a browser bundling tor for anti-blocking purposes - https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/iss… == Interesting links == USENIX Security 2021 papers https://www.usenix.org/conference/usenixsecurity21/technical-sessions "Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications" https://www.usenix.org/conference/usenixsecurity21/presentation/wei "How Great is the Great Firewall? Measuring China's DNS Censorship" https://www.usenix.org/conference/usenixsecurity21/presentation/hoang "Balboa: Bobbing and Weaving around Network Censorship" https://www.usenix.org/conference/usenixsecurity21/presentation/rosen "Weaponizing Middleboxes for TCP Reflected Amplification" https://www.usenix.org/conference/usenixsecurity21/presentation/bock "Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations" https://www.usenix.org/conference/usenixsecurity21/presentation/nasr == Reading group == We will discuss "" on Questions to ask and goals to have: What aspects of the paper are questionable? Are there immediate actions we can take based on this work? Are there long-term actions we can take based on this work? Is there future work that we want to call out, in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): last updated 2021-08-19 Last week: - hiring tasks for ac team and network team - 3 full days of s28 integration/scrimmage prep x_x - checked on censorship measurement tests - looked in TM blocking of Tor bridges (support#40030) - parse SOCKS args for Snowflake (snowflake#40059) This week: - more hiring and s28 meetings - censorship measurement tests and tools - help the browser team with tor's autoconnect feature - reviews - rdsys!11 - snowflake!52 followup - snowflake#25595 followup - follow up on OONI tor tests - lots of miscellaneous gitlab TODOs Needs help with: arlolra: 2021-08-12 Last week: - Migrate to v3 of the webextension manifest Next week: - Maybe get back to snowflake-webext #10 - Write up the pitch for our use case for supporting creating PeerConnections in background service workers https://github.com/w3c/webrtc-extensions/issues/77 Help with: - dcf: 2021-08-19 Last week: - snowflake CDN bookkeeping https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Snowflake-co… - posted a summary of the Turkmenistan situation https://ntc.party/t/recent-drop-in-tor-users-from-turkmenistan-testers-want… https://gitlab.torproject.org/tpo/community/support/-/issues/40030 Next week: Help with: agix:2021-07-15 Last week: -Off due to final exams Next week: -Work on bridgebox for rdsys -More research on httpt #4 Help with: - maxb: 2021-07-15 Last week: - Opened https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… re: utls for broker negotiation - Worked on github.com/max-b/nat-testing for https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - Added a snowflake-proxy-no-nat and a snowflake-client-no-nat to help with debugging - Successfully making connections from snowflake-client and snoflake-client-no-nat through the snowflake-proxy-no-nat, but not having any success with the snowflake-proxy (with nat). - Added a local dockerized STUN server Next week: - Use wireshark to figure out the difference between successful snowflake-proxy-no-nat and unsuccessful snowflake-proxy-nat - Work on implementing different NAT types, particularly in a way that's conducive to automatic testing - Add testing wrapper w/ "pass/fail" conditions meskio: 2021-08-19 Last week: - catch up after 3 weeks AFK (still in process) - debug bridgestrap CollecTor metrics and why are not produced (bridgestrap#22) - review bridgestrap fix to test only uncached bridges (bridgestrap!11) - review bridgedb parse X-Forwarded-For header properly (bridgedb!21) - review snowflake SOCKS arguments (snowflake!53) Next week: - make bridgestrap CollecTor metrics resistant to restarts (bridgestrap#22) - change bridgedb to send obfs4 bridges by default over email (bridgedb#50) - gettor in rdsys architecture documentation (rdsys#44) - make a proposal for duplicated tests in bridgestrap CollecTor metrics (bridgestrap#23) Help with: -

1 0

metrics-lib 2.19.0 released
by Silvia/Hiro 17 Aug '21

17 Aug '21

Hi, I have released metrics-lib 2.19.0. metrics-lib, which also goes by the name DescripTor, is a Java API that fetches Tor descriptors from a variety of sources like cached descriptors and directory authorities/mirrors. The DescripTor API is useful to support statistical analysis of the Tor network data and for building services and applications. This release is the sum of over 9 years of development, with the latest changes: * Medium changes - Expose overload-general fields in ServerDescriptor. * Minor changes - Document ExtraInfoDescriptor classes - Refactor javadoc to remove some style warnings You can find the release at: https://dist.torproject.org/metrics-lib/2.19.0/ You can find the sources at: https://gitlab.torproject.org/tpo/metrics/library/-/tree/metrics-lib-2.19.0 Thanks, -hiro

1 0

CollecTor 1.18.1 released
by Iain R. Learmonth 13 Aug '21

13 Aug '21

Hi, I have released CollecTor 1.18.1. CollecTor fetches data from various nodes and services in the public Tor network and makes it available to the world. The latest changes: * Minor changes - Extract published timestamp for bridgestrap results in the indexer task. You can find the release at: https://dist.torproject.org/collector/1.18.1/ You can find the sources at: https://gitlab.torproject.org/tpo/metrics/collector/-/tree/collector-1.18.1/ Thanks, Iain.

1 0