[anti-censorship-team] Plans for Orbot and OnionBrowser domain fronting update

Jon Camfield (jcamfield@INTERNEWS.ORG) jcamfield at INTERNEWS.ORG
Fri Apr 2 13:59:28 UTC 2021

(Jon peeks his head in, waves hi)

Are people discussing this with CloudFlare? I'd hate for us to lift over
to CF just to get shut down there.

I recall they were one of the original meek test cases, but also closed
off "simple" domain fronting early on as well. I imagine they would not
object to "voluntary" fronting that doesn't put other CF-hosted
domains/services or CF broadly at risk, and may even be supportive (this
being part of their argument in favor of pushing towards ESNI).  Happy
to nudge my contacts there to start that discussion if it's not already

On seeds - I really very much like this idea, and I think we could
easily brainstorm a collection of different seed sources to round-robin
and reduce the risk of discovery / blocking; if we can solve how to
manage the server-side resolution without really challenging costs
(isn't NthLink doing something like this?) .  CF's no-markup registry
may also be useful there, and/or trying to make inroads with PIR or
another registrar (but that feels like a very long road/negotiation).

On 4/1/21 4:25 PM, Nathan of Guardian wrote:
> Thanks for these thoughts, Tom. We can generate thousands of AWS or
> Azure no-caching CDN subdomains at almost no cost, so we do have that
> going for us.
> I like the idea of using an Android system service of some kind, but a
> lot of that goes out the window for non-Google Android devices in China.
> Still, mobile push messaging services might also be a possibility there,
> at least as a way to distributed seed values.
> I do have access from Orbot to Moat and the Snowflake broker working now
> via Cloudfront domains. We are considering best how to bundle these into
> our apps, load them at runtime, decode their obfuscated/encrypted
> format, and then pick one to use when the user needs it.
> On 4/1/21 11:19 AM, Tom Ritter wrote:
>> A common technique for malware to find it's C&C server is to embed a
>> seed into the binary, along with an algorithm that takes the seed and
>> a time epoch (e.g. midnight every day or midnight every 4 days) to
>> generate a new domain name to connect to.  The algorithm and see are
>> designed to be hard to reverse engineer.  It's always possible though,
>> and once one has done so, you can pre-generate (and block) the domain
>> names into the future.
>> One mitigation for that is to distribute a bunch of seeds in the hope
>> the adversary doesn't find all of them.  (Does get expensive with
>> domain names though.)
>> Another technique is to add in an unpredictable value into the
>> generation algorithm alongside the seed and the time epoch. Something
>> the adversary can't predict ahead of time like the closing price of a
>> stock ticker or the tip of the bitcoin blockchain. The problem with
>> that is that it requires the application to make a query to some
>> service to retrieve that information and that query could be (a)
>> blocked or (b) detected (unless anyone has any great ideas there[0]).
>> If we had a reliable, unblockable, anonymous method of making a
>> connection somewhere we wouldn't be in this mess ;)
>> -tom
>> [0] Maybe Android has something system-accessible like the last virus
>> definition update from the Play store or something?
>> On Thu, 1 Apr 2021 at 13:26, Nathan of Guardian
>> <nathan at guardianproject.info> wrote:
>>> It seems like Azure Domain Fronting may already be going offline,
>>> according to some reports. Our own testing from US and EU show that it
>>> is still working for now.
>>> That said, here is our plan for updating Orbot and Onion Browser in
>>> response to what may come at any moment:
>>> 1) Move to Fastly for Snowflake and Moat as soon as they are ready.
>>> Please keep us posted on this.
>>> 2) Remove Meek as a built-in option.
>>> 3) Promote "social distribution" of bridge URLs via links and QR codes
>>> through communities that need them
>>> 4) Work on setting up our own additional pool of CDN front addresses for
>>> Moat and the Snowflake broker(s) that we can round-robin/cat-and-mouse
>>> through for both Snowflake and Moat. These would be compiled into our
>>> apps, or provided through some kind of S3/hard to block bootstrap URL.
>>> 5) Continue our own work in mobile-specific bridge distribution (push
>>> messages, SMS, chat bots, social etc) options we can employ in the
>>> future.
>>> .... any other things to know, that we missed, that we are being naive
>>> about?
>>> Thanks!
>>> +n
>>> _______________________________________________
>>> anti-censorship-team mailing list
>>> anti-censorship-team at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team
> _______________________________________________
> anti-censorship-team mailing list
> anti-censorship-team at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team

Jon Camfield | Director, Global Technology Programs
PGP: D776 2A79 A1AE F000 7F53 A127 B46A 01C3 270C 17F1
Mobile/Signal/IM on request

INTERNEWS | Local Voices. Global Change.
www.internews.org | @internews

More information about the anti-censorship-team mailing list