[anti-censorship-team] Plans for Orbot and OnionBrowser domain fronting update

Tom Ritter tom at ritter.vg
Thu Apr 1 15:19:59 UTC 2021


A common technique for malware to find its C&C server is to embed a
seed into the binary, along with an algorithm that takes the seed and
a time epoch (e.g. midnight every day or midnight every 4 days) to
generate a new domain name to connect to.  The algorithm and seed are
designed to be hard to reverse engineer.  It's always possible though,
and once one has done so, you can pre-generate (and block) the domain
names into the future.

One mitigation for that is to distribute a bunch of seeds in the hope
the adversary doesn't find all of them.  (Does get expensive with
domain names though.)

Another technique is to add in an unpredictable value into the
generation algorithm alongside the seed and the time epoch. Something
the adversary can't predict ahead of time like the closing price of a
stock ticker or the tip of the bitcoin blockchain. The problem with
that is that it requires the application to make a query to some
service to retrieve that information and that query could be (a)
blocked or (b) detected (unless anyone has any great ideas there[0]).
If we had a reliable, unblockable, anonymous method of making a
connection somewhere we wouldn't be in this mess ;)

-tom

[0] Maybe Android has something system-accessible like the last virus
definition update from the Play store or something?
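The scheme sketched above, as an added illustration (this is not Tom's code nor anything from Tor, Orbot or Onion Browser): a seed and a 4-day epoch index are hashed into a domain label, a censor who has recovered the seed pre-generates the labels for the coming epochs, and mixing in a value that cannot be known in advance (the "closing price / blockchain tip" idea) is what defeats that pre-generation. The seed, the TLD, SHA-256 as the mixing function and the 12-letter label length are all assumptions made for the example.

```python
"""Time-seeded domain generation and the 'unpredictable salt' variant.

Constructed example: the seed, epoch length, TLD and hash choice are made up
for illustration and are not taken from any real client.
"""
import hashlib

# Hypothetical seed baked into the binary, and a 4-day epoch (the mail's example).
SEED = b"example-embedded-seed"
EPOCH_SECONDS = 4 * 24 * 3600
TLD = "example"
LABEL_LEN = 12


def epoch_index(ts: int) -> int:
    """Epoch number for a POSIX timestamp.

    Integer division against the Unix epoch means every boundary falls on
    midnight UTC, and a new epoch starts every 4 days.
    """
    return ts // EPOCH_SECONDS


def domain_for(seed: bytes, epoch: int, salt: bytes = b"") -> str:
    """Derive one domain from (seed, epoch[, salt]).

    With an empty salt this is the plain, fully predictable scheme.  A
    non-empty salt stands for the value the adversary cannot know ahead of
    time (a stock close, the tip of a blockchain, ...), supplied by the client
    at run time.
    """
    h = hashlib.sha256(seed + epoch.to_bytes(8, "big") + salt).digest()
    label = "".join(chr(ord("a") + b % 26) for b in h[:LABEL_LEN])
    return f"{label}.{TLD}"


def client_domain(seed: bytes, now_ts: int, salt: bytes = b"") -> str:
    """What the client resolves at time `now_ts`."""
    return domain_for(seed, epoch_index(now_ts), salt)


def pregenerate_blocklist(seed: bytes, from_ts: int, epochs_ahead: int) -> list[str]:
    """What a censor does once seed and algorithm are reversed: enumerate every
    domain the client will use for the next `epochs_ahead` epochs and block them.
    """
    start = epoch_index(from_ts)
    return [domain_for(seed, e) for e in range(start, start + epochs_ahead)]


def blocklist_catches(blocklist: list[str], domain: str) -> bool:
    """True if the censor's pre-generated list would have blocked `domain`."""
    return domain in set(blocklist)


if __name__ == "__main__":
    # Censor reversed the seed on day 0 and pre-generated 30 epochs (120 days).
    blocked = pregenerate_blocklist(SEED, 0, 30)

    # Plain scheme: the client's domain 10 days later is already on the list.
    later = 10 * 24 * 3600
    plain = client_domain(SEED, later)
    print("plain  ", plain, "blocked:", blocklist_catches(blocked, plain))

    # Salted scheme: the censor could not have known the salt, so the list misses.
    # The salt is a constructed stand-in for a value published only at run time.
    salt = b"constructed-unpredictable-value"
    salted = client_domain(SEED, later, salt)
    print("salted ", salted, "blocked:", blocklist_catches(blocked, salted))
```

The cost the mail points out shows up in `client_domain`: the salted variant only works if the client can fetch the salt at run time, and that fetch is itself a connection the censor can block or fingerprint.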


On Thu, 1 Apr 2021 at 13:26, Nathan of Guardian
<nathan at guardianproject.info> wrote:
>
>
> It seems like Azure Domain Fronting may already be going offline,
> according to some reports. Our own testing from US and EU shows that it
> is still working for now.
>
> That said, here is our plan for updating Orbot and Onion Browser in
> response to what may come at any moment:
>
> 1) Move to Fastly for Snowflake and Moat as soon as they are ready.
> Please keep us posted on this.
>
> 2) Remove Meek as a built-in option.
>
> 3) Promote "social distribution" of bridge URLs via links and QR codes
> through communities that need them
>
> 4) Work on setting up our own additional pool of CDN front addresses for
> Moat and the Snowflake broker(s) that we can round-robin/cat-and-mouse
> through for both Snowflake and Moat. These would be compiled into our
> apps, or provided through some kind of S3/hard to block bootstrap URL.
>
> 5) Continue our own work in mobile-specific bridge distribution (push
> messages, SMS, chat bots, social etc) options we can employ in the future.
>
> .... any other things to know, that we missed, that we are being naive
> about?
>
> Thanks!
>
> +n
>
>
>
>
> _______________________________________________
> anti-censorship-team mailing list
> anti-censorship-team at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team

