Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-23-16.01.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, October 23 16:00 UTC Facilitator:meskio ^^^(See Facilitator Queue at tail) Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator:shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?sc... * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_nam... == Announcements == == Discussion == This week: * CDN77 new domains? * there are few prospect domains that work in all our vantage points * we plan on selecting a couple and move back snowflake to those domains * SQS costs are considerable but not imposible, we might be able to enable it in more places * https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@l... * Proposal: repeat proxy churn measurement at broker, but one for each pool this time * should we auto enable utls-authority? * continued from last week about making sni imitation easier to configure * it make easier to configure * will make servername means differerent thing, depending on whether utls is used == Actions == * Remove webtunnel setuid script in 1 weeks.(decrease this by one every week) == Interesting links == * https://github.com/EndPositive/slipstream * DNS tunnel, like dnstt, but using QUIC as the session protocol. The better congestion control of QUIC proves to be important in performance. * https://endpositive.github.io/slipstream/protocol.html * https://geedge-docs.haruue.com/geedge_docs/OM/attachments/129101971_attachme... * *orbot.app, *phpmyadmin.net, *cdn77.com FQDN patterns in a Geedge Networks file * https://github.com/net4people/bbs/issues/519#issuecomment-3417659641 * https://geedge-docs.haruue.com/mesalab_docs/study/attachments/27716171_attac... * 1h44m screenshare video presentation about Tor and hidden services (Chinese text and audio). == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2025-10-23 Last week: - discussed potential conjure blocking - researched snowflake enumeration attacks (snowflake#40396) - commented on spike in snowflake client polls (snowflake#40493) - updated snowflake builtin bridge line with new cdn77 fronts (tor-browser-build!1333) Next week: - research snowflake enumeration attacks (snowflake#40396) - watch and follow up on Moat and Connect Assist metrics with new netlify front - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183 dcf: 2025-10-23 Last week: - fixed a bug with snowflake-graphs client-match overcounting by a factor of 2 https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/4 - restarted the snowflake broker for a VPS provider migration https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - refactoring towards fixing minor snowflake-graphs coverage bug https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... Help with: meskio: 2024-10-23 Last week: - SOTO preparation - grant planning - multi-front support in meek (lyrebird#40027) - look into snowflake bursts of requests (snowflake#40493) - lyrebird use go 1.22 in the CI Next week: - preparing SOTO presentation Shelikhoo: 2024-10-23 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... ) testing environment setup/research - collect vantage point test result for fronting domains - SOTO script - merge request reviews Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... ) Building custom Tor Browser with patch applied - SOTO script onyinyang: 2025-10-23 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - differing results connecting to conjure locally vs. from vantage point - investigating issues with the conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys #rdsys #249 - Working on talk proposal for Splintercon + Presentation at York University Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 - Submit talk proposal for splintercon/present at York Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conju... - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/... - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305 - Work on outstanding milestone issues: - key rotation automation Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096): - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum (long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf...). Help with: - Should we do user testing of covert-dtls? Facilitator Queue: meskio onyinyang shelikhoo 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue
Erratum: The correct time for next meeting is: Next meeting: Thursday,October3016:00 UTC Sorry for the typo. Shelikhoo On 23/10/2025 6:42 pm, Shelikhoo wrote:
Hey everyone!
Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2025/tor-meeting.2025-10-23-16.01.html
And our meeting pad:
Anti-censorship work meeting pad -------------------------------- Anti-censorship --------------------------------
Next meeting: Thursday, October 23 16:00 UTC Facilitator:meskio
^^^(See Facilitator Queue at tail)
Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress)
This week's Facilitator:shelikhoo
== Goal of this meeting ==
Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community.
== Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from projects, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?sc... * Project 158 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_nam...
== Announcements ==
== Discussion == This week: * CDN77 new domains? * there are few prospect domains that work in all our vantage points * we plan on selecting a couple and move back snowflake to those domains * SQS costs are considerable but not imposible, we might be able to enable it in more places * https://lists.torproject.org/mailman3/hyperkitty/list/anti-censorship-team@l... * Proposal: repeat proxy churn measurement at broker, but one for each pool this time * should we auto enable utls-authority? * continued from last week about making sni imitation easier to configure * it make easier to configure * will make servername means differerent thing, depending on whether utls is used
== Actions ==
* Remove webtunnel setuid script in 1 weeks.(decrease this by one every week)
== Interesting links ==
* https://github.com/EndPositive/slipstream * DNS tunnel, like dnstt, but using QUIC as the session protocol. The better congestion control of QUIC proves to be important in performance. * https://endpositive.github.io/slipstream/protocol.html * https://geedge-docs.haruue.com/geedge_docs/OM/attachments/129101971_attachme... * *orbot.app, *phpmyadmin.net, *cdn77.com FQDN patterns in a Geedge Networks file * https://github.com/net4people/bbs/issues/519#issuecomment-3417659641 * https://geedge-docs.haruue.com/mesalab_docs/study/attachments/27716171_attac... * 1h44m screenshare video presentation about Tor and hidden services (Chinese text and audio).
== Reading group ==
* We will discuss "" on *
* Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with.
cecylia (cohosh): 2025-10-23 Last week: - discussed potential conjure blocking - researched snowflake enumeration attacks (snowflake#40396) - commented on spike in snowflake client polls (snowflake#40493) - updated snowflake builtin bridge line with new cdn77 fronts (tor-browser-build!1333) Next week: - research snowflake enumeration attacks (snowflake#40396) - watch and follow up on Moat and Connect Assist metrics with new netlify front - follow up on snowflake rendezvous failures (snowflake#40447) - revisit conjure integration with lyrebird - take a look at potential snowflake orbot bug - https://github.com/guardianproject/orbot-android/issues/1183
dcf: 2025-10-23 Last week: - fixed a bug with snowflake-graphs client-match overcounting by a factor of 2 https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/4 - restarted the snowflake broker for a VPS provider migration https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - refactoring towards fixing minor snowflake-graphs coverage bug https://gitlab.torproject.org/dcf/snowflake-graphs/-/issues/3 Next week: - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... Help with:
meskio: 2024-10-23 Last week: - SOTO preparation - grant planning - multi-front support in meek (lyrebird#40027) - look into snowflake bursts of requests (snowflake#40493) - lyrebird use go 1.22 in the CI Next week: - preparing SOTO presentation
Shelikhoo: 2024-10-23 Last Week: - [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... ) testing environment setup/research - collect vantage point test result for fronting domains - SOTO script - merge request reviews Next (working) Week/TODO: - Merge request reviews - [Deployment]Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf... ) Building custom Tor Browser with patch applied - SOTO script
onyinyang: 2025-10-23 Last week(s): - Troubleshooting conjure not connecting in China - updating the fronts led to different connection issues, looking into these in more detail - differing results connecting to conjure locally vs. from vantage point - investigating issues with the conjure authors/maintainers - Monitoring email profiler for rdsys #129 - Monitoring rdsys #rdsys #249 - Working on talk proposal for Splintercon + Presentation at York University
Next week: - Continue troubleshooting conjure not connecting in China - Finish up debugging rdsys#129 and rdsys#249 hopefully (take 3? 4?) - Continue looking into bridgestrap#47 - Submit talk proposal for splintercon/present at York Switch back to some of these: As time allows: - Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong Blog post for conjure: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conju... - review Tor browser Lox integration https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/... - add TTL cache to lox MR for duplicate responses: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/305
- Work on outstanding milestone issues: - key rotation automation
Later: pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096): - add pref to handle timing for pubkey checks in Tor browser - add trusted invitation logic to tor browser integration: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974 - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum
(long term things were discussed at the meeting!): - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less?
theodorsm: 2025-06-12 Last weeks: - Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round. - Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25 - Key takeaways: * covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable. * Chrome webextensions are more unstable than standalone proxies * covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake. * Chrome randomizes the order of extension list. * Firefox uses DTLS 1.3 by default in WebRTC. * A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers * The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year. * Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users. * Browser extensions make Snowflake resistant to ClientHello fingerprinting. * Standalone proxies can serve more Snowflake clients per volunteer than webextensions. * We need metrics on which types of proxies are actually being matched and successfully used by clients. Next weeks: - Getting paper camera ready. - Fix merge conflicts in MR (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf...). Help with: - Should we do user testing of covert-dtls?
Facilitator Queue: meskio onyinyang shelikhoo 1. First available staff in the Facilitator Queue will be the facilitator for the meeting 2. After facilitating the meeting, the facilitator will be moved to the tail of the queue
participants (1)
-
Shelikhoo