[tor-bugs] #30579 [Circumvention/Snowflake]: Add more STUN servers to the default snowflake configuration in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 21 22:01:24 UTC 2019


#30579: Add more STUN servers to the default snowflake configuration in Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  cohosh                               |          Owner:  cohosh
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Circumvention/Snowflake              |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  stun, anti-censorship-roadmap-       |  Actual Points:  .3
  october                                        |
Parent ID:  #31281                               |         Points:  1
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor30-can
-------------------------------------------------+-------------------------

Comment (by phw):

 Replying to [comment:13 cohosh]:
 > Here are some lists of public servers:
 > - https://gist.github.com/zziuni/3741933
 > - https://gist.github.com/mondain/b0ec1cf5f60ae726202e
 > - https://www.voip-info.org/stun/
 > - EmerCoin is some cryptocurrency/blockchain project that
 >   [https://emercoin.com/en/news/global-changes-in-emercoin-blockchain-segwit-tx-optimizer-stun-and-13-more-updates uses STUN]
 >   and they maintain their own
 >   [https://github.com/emercoin/emercoin/blob/8808770b98248b0174dc3d6f8c70965e13f17396/src/stun.cpp#L59 list].

 Thanks for compiling these lists! That's very useful.

 > I suppose there's some risk here with choosing a random service.
 > Snowflake clients leak their IP address to whichever server we choose.
 > Perhaps a better route is to have the broker perform this step over the
 > domain fronted connection (#25591)?

 I'm afraid I don't have great answers but only more questions:

 Assume we're using stun.foo.bar, which is owned by a third party. How easy
 would it be for the operator of stun.foo.bar to tell apart snowflake
 clients from the preexisting user base? I suppose the way we're making
 STUN requests may set us apart from other STUN clients?

 Also, what's the worst a malicious STUN server could do? Publish a list of
 IP addresses of snowflake clients? Lie to the clients, so NAT traversal
 won't work? Anything else? As I understand it, a censor can already do all
 these things (assuming an active adversary) but granted, it's easier to do
 if the censor controls the STUN server.

 I think this is a good topic to discuss for next week's anti-censorship
 meeting. I added it to our meeting pad.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30579#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
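
The question above about whether Snowflake's STUN requests stand out depends on what a server can read from a Binding Request besides the source address. As an added example (not part of the ticket or of Snowflake's code), this Go program parses an RFC 5389 Binding Request and summarises its attribute order and SOFTWARE value, so a client's own requests can be compared with those of other STUN clients; the type and function names and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Features holds the client-distinguishing fields of one Binding Request.
type Features struct {
	AttrOrder []uint16 // attribute types in wire order
	Software  string   // SOFTWARE (0x8022) value, if the client sent one
}

// ParseBindingRequest extracts those fields from an RFC 5389 request.
func ParseBindingRequest(b []byte) (Features, error) {
	var f Features
	if len(b) < 20 || binary.BigEndian.Uint16(b) != 0x0001 ||
		binary.BigEndian.Uint32(b[4:]) != 0x2112A442 { // magic cookie
		return f, fmt.Errorf("not an RFC 5389 Binding Request")
	}
	body := b[20:]
	if int(binary.BigEndian.Uint16(b[2:])) != len(body) || len(body)%4 != 0 {
		return f, fmt.Errorf("bad message length")
	}
	for len(body) > 0 {
		typ := binary.BigEndian.Uint16(body)
		n := int(binary.BigEndian.Uint16(body[2:]))
		end := 4 + ((n + 3) &^ 3) // values are padded to a 4-byte boundary
		if end > len(body) {
			return f, fmt.Errorf("truncated attribute")
		}
		f.AttrOrder = append(f.AttrOrder, typ)
		if typ == 0x8022 { // SOFTWARE
			f.Software = string(body[4 : 4+n])
		}
		body = body[end:]
	}
	return f, nil
}

// Fingerprint is equal for two requests that match on the fields above.
func Fingerprint(f Features) string { return fmt.Sprintf("%04x|%s", f.AttrOrder, f.Software) }

func main() {
	// Constructed sample; "19: 0" zero-fills the 12-byte transaction ID.
	req := []byte{0, 1, 0, 8, 0x21, 0x12, 0xa4, 0x42, 19: 0, 0x80, 0x22, 0, 3, 'a', 'b', 'c', 0}
	f, err := ParseBindingRequest(req)
	fmt.Println(Fingerprint(f), err)
}
```

Two clients whose requests produce the same string differ, on these fields, only in source address and transaction ID.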

