[tor-bugs] #30579 [Circumvention/Snowflake]: Add more STUN servers to the default snowflake configuration in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 1 01:13:58 UTC 2019


#30579: Add more STUN servers to the default snowflake configuration in Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  cohosh                               |          Owner:  (none)
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Circumvention/Snowflake              |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  stun, anti-censorship-roadmap-       |  Actual Points:
  october                                        |
Parent ID:                                       |         Points:  1
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor30-can
-------------------------------------------------+-------------------------

Comment (by cohosh):

 Replying to [comment:6 arlolra]:
 > > Can we exploit this?
 >
 > From my limited understanding, no.  It's not enough to just know the
 external ip.  The client needs to make an outgoing request in order for
 the NAT to add a mapping entry in its table between external ip:port pair
 and the client.  That pair, returned in the response from the STUN server,
 is then communicated to the peer via some signalling method so that
 packets it sends to the external ip are translated to the client.

 Yep, it's not just the ip address but also the port that needs to be
 discovered, and set aside by the client for the purpose of the WebRTC
 connection.

 Although, if there are popular P2P applications in areas that block Tor
 that aren't using STUN, but using something else for NAT traversal, it
 would be good to know and we might be able to modify the WebRTC library to
 use that (not sure if such a thing exists).

 Since the STUN server (or other protocol server) that the client uses
 doesn't need to implement any custom code from us, and doesn't even need
 to know that it's being used for censorship circumvention, I think our
 best bet here is to use specific servers/protocols that are already
 popular for unblocked P2P applications instead of trying to roll our own
 thing.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30579#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
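The NAT-mapping discovery that arlolra and cohosh describe above, as an added illustration that is not Snowflake's or the ticket's own code: the client's outgoing Binding Request makes the NAT allocate an external ip:port, and the STUN server reports that pair back in an XOR-MAPPED-ADDRESS attribute (RFC 5389), which the client must decode before passing it to its peer over the signalling channel. The transaction id and the response bytes are constructed sample data, and the check on the transaction id is there so a reply that does not belong to the client's own request is not accepted as its mapping.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)
const (
	magicCookie       = 0x2112A442 // fixed RFC 5389 cookie, also the XOR mask
	bindingSuccess    = 0x0101
	attrXorMappedAddr = 0x0020
)
// ParseMappedAddress recovers the external ip:port the STUN server saw (the NAT
// mapping created by the client's outgoing Binding Request) by un-XORing the
// XOR-MAPPED-ADDRESS attribute. IPv4 only; replies for another transaction are rejected.
func ParseMappedAddress(resp []byte, txID [12]byte) (net.IP, uint16, error) {
	if len(resp) < 20 || binary.BigEndian.Uint16(resp) != bindingSuccess ||
		binary.BigEndian.Uint32(resp[4:]) != magicCookie || !bytes.Equal(resp[8:20], txID[:]) {
		return nil, 0, errors.New("not a Binding Success Response for this transaction")
	}
	for attrs := resp[20:]; len(attrs) >= 4; {
		typ, n := binary.BigEndian.Uint16(attrs), int(binary.BigEndian.Uint16(attrs[2:]))
		end := 4 + n + (4-n%4)%4 // header + value + padding to a 4-byte boundary
		if end > len(attrs) {
			return nil, 0, errors.New("truncated attribute")
		}
		if val := attrs[4 : 4+n]; typ == attrXorMappedAddr && n == 8 && val[1] == 0x01 {
			ip := make(net.IP, 4)
			binary.BigEndian.PutUint32(ip, binary.BigEndian.Uint32(val[4:])^magicCookie)
			return ip, binary.BigEndian.Uint16(val[2:]) ^ uint16(magicCookie>>16), nil
		}
		attrs = attrs[end:]
	}
	return nil, 0, errors.New("no XOR-MAPPED-ADDRESS attribute")
}
// SampleTxID and SampleResponse are constructed test data, not a capture from a
// real server: a success response advertising the mapping 203.0.113.7:51234.
var SampleTxID = [12]byte{'s', 'n', 'o', 'w', 'f', 'l', 'a', 'k', 'e', '-', 't', 'x'}
func SampleResponse() []byte {
	hdr := []byte{0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42} // type, length 12, cookie
	attr := []byte{0x00, 0x20, 0x00, 0x08, 0x00, 0x01, 0xe9, 0x30, 0xea, 0x12, 0xd5, 0x45}
	return append(append(hdr, SampleTxID[:]...), attr...)
}
func main() {
	ip, port, err := ParseMappedAddress(SampleResponse(), SampleTxID)
	fmt.Println(ip, port, err) // 203.0.113.7 51234 <nil>
}
```

Knowing the external address alone is not enough to reach the client: the mapping only exists because the client sent the request first, which is the point made in the comment above.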