Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-06-05-16.00.html And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, June 12 16:00 UTC Facilitator: onyinyang ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator: meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?sc... * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_nam... == Announcements == * == Discussion == * Adding more snowflake builtin bridge options * https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43842 * Orbot exposes 3 different snowflake rendezvous methods (domain fronting, ampcache, sqs). Unlike Tor Browser, users can configure a rendezvous method themselves by choosing from a menu. In Tor Browser, the rendezvous method can only change via Circumvention Settings, or by manually entering a bridge line (the latter of which hardly anyone does). * Circumvention Settings is unavailable if domain fronting is unusable or blocked. * But because of cost considerations, it may not be a good idea to expose SQS as an easily configurable and appealing option at this point. Rather ramp up slowly. * SQS is more expensive than other methods. Only a small fraction of total rendezvouses in May 2025, but cost 8 USD. * SQS cost thread: https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@l... * If you want to track SQS costs in the same place: https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Snowflake-cos... * Exposing "snowflake-google" (ampcache) and "snowflake-cdn77" (domain fronting) as user-visible options in Tor Browser could be a good idea though. * Like we used to have meek-google, meek-amazon, etc. * (dcf thought once about having a custom control panel for each known transport, e.g. for obfs4 it might have a selector for the iat-mode; for snowflake it would have a dropdown of rendezvous options. Something like that is what we're approximating when we encode one or more of the options into the "transport name".) == Actions == == Interesting links == * A Wall Behind A Wall: Emerging Regional Censorship in China (Henan firewall) * https://gfw.report/publications/sp25/en/ * https://github.com/ban6cat6/aparecium * "Aparecium is a proof-of-concept tool designed to detect TLS camouflage protocols, specifically ShadowTLS v3 and REALITY, by exploiting their handling of TLS 1.3 post-handshake messages." * Has nice explanation and diagrams of ShadowTLS and REALITY. * Snowflake users in Turkmenistan remain elevated through May 2025 * https://metrics.torproject.org/userstats-bridge-combined.html?start=2025-03-... * snowflake is now the default option in Circumvention Settings: * https://gitlab.torproject.org/tpo/anti-censorship/rdsys-admin/-/merge_reques... == Reading group == * We will discuss "A Wall Behind A Wall: Emerging Regional Censorship in China (Henan firewall)" on June 19 * https://gfw.report/publications/sp25/en/ * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-06-04 Last week: - rewrote snowflake broker metrics (snowflake#40458, snowflake!574) - wrote conjure bridge installation guide (conjure# 47) - https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Conjure-Bridg... - merged censorship settings update (rdsys-admin!39) - deployed circumvention settings change - opened a PR to fix a potential crash in orbot's Ask Tor code - https://github.com/guardianproject/orbot-android/pull/1317 - updated conjure client to work with cdn77 domain fronts now that the fix is deployed (conjure#49) - worked on some scripts to generate country and rendezvous method plots for client polls (snowflake#40464) - opened issue to add more than one snowflake builtin to tor browser - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43842 - did accounting of SQS in snowflake This week: - follow up on snowflake rendezvous failures - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-06-05 Last week: Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... Help with: meskio: 2024-06-05 Last week: - test email service on the staging server (rdsys#219) - help upgrade gettor telegram bot server to trixie - AFK time Next week: - steps towards a rdsys in containers (rdsys#219) - investigate why we don't distribute webtunnel bridges over https some days (rdsys#262) Shelikhoo: 2024-05-29 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... ) testing environment setup/research - Snowfalke Staging Server Experiment - Support the Testing of domain fronting sites ( https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/l... ) (cont.) - [Merge Request] Add Domain Fronting Testing Support to logcollector ( https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/l... ) - Merge request reviews Next Week/TODO: - Merge request reviews (Away until June 10) onyinyang: 2025-05-29 Last week(s): - Attempted to get conjure DNS registrar working - encountering errors for both conjure and gotapdance cli with DNS registrar https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conju... - hoping for an update: https://github.com/refraction-networking/conjure/issues/293 - Completed staleness check for conjure bufferedconn https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conju... - phantombox improvement Next week: - Continue improvements for phantombox testing environment - Test DNS/Decoy registrar in phantombox Switch back to some of these: As time allows: - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/... - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096): - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-04-10 Last weeks: - fixing bugs in covert-dtls, only mimic DTLS 1.2 - Running proxy with covert-dtls - MR covert-dtls: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... Next weeks: - Write instructions on how to configure covert-dtls with snowflake client (are we going to run a user test?) - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf...). - Condensing thesis into paper Help with: - Test stability of covert-dtls in snowflake Facilitator Queue: meskio shelikhoo onyinyang 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.