[tor-project] Anti-censorship meeting notes, 09 Jul 2020
phw at torproject.org
Thu Jul 9 17:28:51 UTC 2020
Our MeetBot disappeared halfway through the meeting and was unable to
capture minutes, so I'm attaching our IRC log to this email.
And here is our meeting pad:
Anti-censorship work meeting pad
Next meeting: Thursday July 9th 16:00 UTC
Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress).
== Goal of this meeting ==
Weekly checkin about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at Tor.
== Links to Useful documents ==
* Our anti-censorship roadmap:
* Roadmap: https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards
* The anti-censorship team's wiki page:
* Past meeting notes can be found at:
* Tickets that need reviews: from sponsors we are working on:
* All needs review tickets: https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?scope=all&utf8=%E2%9C%93&state=opened&assignee_id=None
* Sponsor 30
* Sponsor 28
* must-do tickets: https://gitlab.torproject.org/groups/tpo/-/milestones/10
* possible tickets: https://gitlab.torproject.org/groups/tpo/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name=Sponsor%2028&milestone_title=None
* Anti-censorship related tickets that we want other teams to fix:
* https://pad.riseup.net/p/tor-anti-censorship-tickets-keep <-- it will be moved into gitlab with TPO labels
== Announcements ==
== Discussion ==
* Any resolution on accepting public bug reports for the anti-censorship team?
* Last week's discussion: http://meetbot.debian.net/tor-meeting/2020/tor-meeting.2020-07-02-15.58.log.html#l-15
== Actions ==
== Interesting links ==
* Privacy Enhancing Technologies Symposium 2020 is next week. The censorship session is 16:40–17:55 UTC on Thursday.
* I skimmed the program for papers that look relevant to us. There's one on VPN usage, two on decoy routing, and one on rendezvous using cryptocurrency.
* Emotional and Practical Considerations towards the Adoption and Abandonment of VPNs as a Privacy-Enhancing Technology
* Running Refraction Networking for Real
* SiegeBreaker: An SDN Based Practical Decoy Routing System
* MoneyMorph: Censorship Resistant Rendezvous using Permissionless Cryptocurrencies
== Reading group ==
* We will discuss GoodbyeDPI on July 9th
* Questions to ask and goals to have:
* What aspects of the paper are questionable?
* Are there immediate actions we can take based on this work?
* Are there long-term actions we can take based on this work?
* Is there future work that we want to call out, in hopes that others will pick it up?
== Updates ==
- What you worked on this week.
- What you are planning to work on next week.
- Something you need help with.
This week (2020-07-09):
* Fixed tpo/anti-censorship/bridgedb#40001.
* Registered for RightsCon'20.
* Simplified bridgestrap code and fixed bug in caching system.
* Reviewed tpo/anti-censorship/bridgedb!2.
* Roadmap meeting.
* Wrapped up and blogged monthly report.
* Filed tpo/anti-censorship/wolpertinger#40001.
* Merged tpo/anti-censorship/bridgedb#34260.
* Released and deployed BridgeDB 0.11.0.
* Merged and deployed #31422 and #34260.
* Wrap up tpo/anti-censorship/wolpertinger#34259.
cecylia (cohosh): last updated 2020-07-09
- caught up on emails/meetings
- reviewed and provided feedback on a lot of snowflake mobile tickets
- reviewed some bridgedb tickets
- worked with hc on a gitlab ci script (snowflake#40003)
- came up with list of candidate stun servers and wrote patches to add them to default configs (#30579)
- merged and deployed nat discovery feature (#34129)
- opened and started a build to update snowflake for tor browser (tor-browser-build#40016)
- looked into proxy-go client timeouts for our proxy-go instances (#30498)
- take a look at #25595
- snowflake sponsor 28 evaluation work
- maybe take a look at snowflake#21314 or some other blockers on #19001
- continue with GetTor + BridgeDB refactor
Needs help with:
- review of #30579 (merge request !5)
- review of snowflake#40003 (hc should look at this)
- soon a review of tor-browser-build#40016 (i'll ping the applications team)
- Dig into the algorithm for how BridgeDB distributes bridges
- Implement audio captchas in moat, figure out how to reduce audio captcha request size
- Keep studying BridgeDB to write architectural overview
- follow ups to #33365
- start on #31201
- filed a ticket for bridge port scan usability (bridge-port-scan#1)
- find out what went wrong with trying to give cohosh CDN access (snowflake#30510)
- set up an etherpad for public bug reporting and link it from https://snowflake.torproject.org/#bugs (snowflake#34435)
- (S30) planning activities for the user group in HK:
- Run emma
- Discovery issues with Bridges flow - working on the script
- Slowly started on #34318 (was occupied with GSoC stuff)
- Continue work on #34318 and reviews
- Read existing documentation for BridgeDB. Get acclimated to GitLab.
- Read background information for #32117
- Translate monthly team report and post on forums
- Work on #32117
- Work on #33727
- CI/CD pipeline for multiarch docker images, which has a problem
with the apt tor version even though the apt repository have been
changed into the Dockerfile.
- Working on Snowflake Docker container.
- Resolving issues on MR #4
- MR (merged) Added read me for the #8
- MR (merged) Added LICENSE for the project #13
- MR for CI for the project #14
- #6 Showing users stat about how many clients' they served in the past 24 hours.
Help with: -
-------------- next part --------------
18:00 phw│ #startmeeting anti-censorship team meeting
18:00 MeetBot│ Meeting started Thu Jul 9 15:59:03 2020 UTC. The chair is phw. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00 MeetBot│ Useful Commands: #action #agreed #help #info #idea #link #topic.
18:00 * | MeetBot changed topic of #tor-meeting to: (Meeting topic: anti-censorship team meeting)
18:00 phw│ good morning, everybody
18:00 phw│ here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
18:00 hannelores│ hey
18:01 juggy│ hi
18:02 agix│ hi
18:02 cohosh│ hi
18:02 gaba│ hi
18:02 phw│ gaba: did the tuesday gitlab meeting result in a way forward regarding our problem with anonymous issue submissions?
18:03 gaba│ yes
18:03 gaba│ we are creating all users that people are asking
18:03 gaba│ and then ahf is working on a lobby
18:03 gaba│ on submission form
18:04 gaba│ https://gitlab.torproject.org/ahf/lobby
18:04 phw│ a submission form to apply for accounts?
18:04 gaba│ "This Django application contains the lobby website for Tor's Gitlab instance.
18:04 gaba│ The Gitlab Lobby allows users to:
18:04 gaba│ Request accounts on our Gitlab server, if they are interested in working
18:04 gaba│ with Tor's development teams.
18:04 gaba│ Anonymously submit and comment on issues on Tor's Gitlab instance."
18:05 ahf│ phw: first step is for users to sign up, second step is for users to submit anonymously
18:05 ahf│ hope to have a demo ready next week for the first step
18:06 phw│ what do people sign up with? so it's not a shared account?
18:07 dcf1│ so if I understand correctly, at the moment to submit a bug report, you email gitlab-admin at tpo and get an account, then use the
account to file the report
18:07 gaba│ right
18:07 gaba│ that is how it is working right now
18:07 dcf1│ when the lobby website is ready, it will be possible to use it to 1) request an account without emailing gitlab-admin, or 2) submit a
bug report without an account
18:07 ahf│ phw: people won't have to sign-up. people will be able to submit (with moderation) to the issue tracker
18:07 dcf1│ ok
18:07 ahf│ for projects who are willing to do moderations 8)
18:08 ahf│ phw: the discourse discussion yesterday might change the plans though, but i'm not tracking that super much right now
18:09 gaba│ the discourse will help with where discussion is happening before tickets
18:09 gaba│ but i do not think it will change how we submit tickets
18:09 gaba│ discourse will help with blogpost (if we do discourse)
18:09 gaba│ and to redirect people from multiple Tor forums around the Internet
18:09 * ahf nods
18:10 phw│ should we create a cypherpunks-like gitlab account until the lobby website is ready?
18:10 gaba│ why?
18:11 cohosh│ how many weeks until people are able to submit tickets?
18:11 gaba│ there is some debate on the cypherpunk account. Some people do not like that option and is harder to do in gitlab because the
possible changes people can do on the account
18:11 cohosh│ it might be nice to have something to bridge the gap until then
18:11 phw│ as a temporary solution, so people can interact with gitlab until the lobby is done
18:12 gaba│ you think that people asking for accounts is not something that can work for now?
18:13 dcf1│ I guess we as a team could do this, by requesting a new account with the proper permissions.
18:13 dcf1│ I think that requiring an account, and especially requiring emailing someone to make an account, is a high barrier for many of the
people who want to reach us.
18:13 phw│ gaba: we're talking about anonymous submissions, specifically. i don't think that asking for an account is a good solution for this
18:14 phw│ i wouldn't mind managing an account that's only allowed to report issues in the anti-censorship group
18:14 phw│ ...so it wouldn't bother anyone else
18:14 ahf│ the permission systems are not setup correctly yet, which makes it hard to maintain such a user. the user would have access to
everything practically and we haven't audited all group access yet
18:15 phw│ i see
18:15 ahf│ and first time someone logs in and changes the pw, you will need someone to reset it :-/
18:15 dcf1│ hmm
18:15 ahf│ i do agree the barrier to entry is higher than anybody wants it
18:15 dcf1│ an easy alternative is we designate a bug-reporting etherpad and remember to check it every week
18:15 gaba│ like that alternative
18:16 phw│ sounds good to me
18:16 ahf│ or take issues by mail? the first suggestion we had when we moved was for people to write to tor-dev@, but a mailing list also have
higher barriers than somebody wants
18:16 gaba│ we could even setup a form somewhere where people send tickets...
18:16 dcf1│ We just need something concrete to write at https://snowflake.torproject.org/#bugs
18:16 cohosh│ yeah an etherpad is a good call
18:17 cohosh│ is then when the lobby is ready we can write that information on the pad
18:17 ahf│ from what i can tell, the lobby stuff is the only thing i have on my plate for gitlab stuff next week, and it's not a big project for
the account sign-up. i think i could spend half a day more on it and do some very basic ticket submission stuff (but probably not
comments) if you are willing to beta-test something like that
18:17 * cohosh is willing to beta test
18:17 cohosh│ ahf: thanks for doing all this
18:17 HashikD│ I am available for testing as well.
18:17 ahf│ trying with the anti-censorship teams' project would be nice before we try opening it up. i've been hoping to find a test team this
week or next
18:18 ahf│ cool
18:18 phw│ thanks ahf
18:19 ahf│ np! let me try to poke you all sometime next week when i have something we can try
18:19 phw│ dcf1: do you mind updating https://snowflake.torproject.org/#bugs ?
18:20 dcf1│ Yes I'll do it.
18:20 phw│ thanks
18:21 cohosh│ dcf1: i just remembered that i haven't updated the badge yet for #34129 >.<
18:21 zwiebelbot:#tor-meeting│ tor#34129: Use STUN to determine NAT behaviour of peers - https://bugs.torproject.org/34129 - [Closed (moved) →
18:21 phw│ oh, there are a bunch of censorship-related pets'20 papers. take a look at the 'interesting links' section
18:22 dcf1│ I found a badge in the wild in Sergey's site: https://sfrolov.io/
18:22 cohosh│ dcf1: woah heh
18:23 cohosh│ looks like it's populating the strings right though
18:23 cohosh│ it's not*
18:24 phw│ any other topics to discuss before we move on to our 'needs review' section?
18:25 valdikss│ I'm the author of GoodbyeDPI, it's listed on the pad. Feel free to ask me anything.
18:25 cohosh│ valdikss: hi!
18:25 phw│ valdikss: welcome!
18:26 dcf1│ hey valdikss, we're scheduled to talk about it right after the normal meeting business
18:26 valdikss│ I'll be here, mention me and I'll check the chat.
18:27 * phw takes a look at today's reviews
18:28 phw│ #30579 for cohosh, and i think that's it?
18:28 zwiebelbot:#tor-meeting│ tor#30579: Add more STUN servers to the default snowflake configuration in Tor Browser - https://bugs.torproject.org/30579
- [Closed (moved) → tor:tpo/anti-censorship/pluggable-transports/snowflake#30579]
18:28 phw│ oh, is that still relevant?
18:30 dcf1│ sorry I'm behind on the last week of tickets
18:30 cohosh│ yeah it's a small change to add a new default stun server to the proxy-go instances
18:30 cohosh│ so that they'll do nat discovery by default
18:30 cohosh│ i'm almost done rolling out all the nat discovery changes
18:30 phw│ gotcha
18:31 phw│ does anyone else need help with anything?
18:31 phw│ *crickets* means no
18:32 phw│ let's move on to the reading group
18:32 dcf1│ I'll at least leave a ticket on merge request !5
18:32 dcf1│ *a comment
18:32 cohosh│ dcf1: thanks
18:33 phw│ i didn't get around to this week's reading, so i would appreciate it if anyone else can moderate today's session :/
18:34 cohosh│ i took a look but don't have a summary pre-prepared
18:34 dcf1│ I believe cohosh suggested the topic; also I am prepared to talk about it
18:34 dcf1│ And of course valdikss can correct any errors
18:35 cohosh│ okay i can do a brief summary of what i learned
18:36 cohosh│ i have some questions too
18:36 cohosh│ <summary>
18:37 cohosh│ GoodbyeDPI is a service for bypassing censorship by either ignoring redirects sent by DPI boxes or tricking the DPI into ignoring the
18:37 cohosh│ a lot of the techniques used are somewhat similar to the ones we've discussed in some of the recent reading groups on symTCP and
18:38 cohosh│ e.g., fragmenting the first TCP data packet
18:38 cohosh│ and some HTTP-level tricks like playing with the capitalization of the Host: header
18:38 dcf1│ E.g. https://github.com/ValdikSS/GoodbyeDPI#how-does-it-work
18:39 cohosh│ but it will also just ignore packets that it thinks are sent by the DPI
18:39 cohosh│ these are packets that have an IP id of 0x0000 or 0x0001 that contain tcp rst
18:40 cohosh│ my understanding is that these techniques are specifically catered to the DPI boxes used by censors in Russia
18:40 dcf1│ Yes, the tuning for local conditions is interesting to me.
18:40 cohosh│ and that it is meant to be installed as a windows service so that the tricks can be used by any browser or other program that is
making TCP/HTTP requests
18:41 cohosh│ they have also included with the tool some scripts that users can run to test whether goodbyeDPI will work for them
18:41 valdikss│ That is correct. GoodbyeDPI either prevents OS and software from receiving injected packets by DPI or 'breaks' the packets to make
them undetectable by the DPI.
18:41 cohosh│ </short summary>
18:41 HashikD│ I guess, most of the related works and GoodbyeDPI is geared towards bypassing a Russian ISP
18:42 valdikss│ There's a similar software for Linux, https://github.com/bol-van/zapret
18:42 dcf1│ From my notes:
18:42 dcf1│ GoodbyeDPI is for Windows only. For packet manipulation it relies on WinDivert (https://github.com/basil00/Divert)
18:42 valdikss│ GoodbyeDPI works in Indonesia (they recently got Netflix blocked and the software unblocks it), Turkey. I've also tested it in Saudi
18:43 cohosh│ valdikss: thanks, i was curious about that
18:43 dcf1│ WinDivert itself has its origin in ReQrypt (https://reqrypt.org/reqrypt.html), about which I wrote a summary:
18:43 dcf1│ Here's an example in the source code for Host header manipulation:
18:44 dcf1│ Here's an example of changing the window size on receiving a SYN/ACK (I suppose this is something like brdgrd):
18:44 dcf1│ I unpacked the release and found a file blacklist.txt with a list of domains in it; I suppose that by default, GoodbyeDPI only
affects those domains?
18:44 HashikD│ Additionally, One of the related works suggests to use DNS-Over-Https to bypass DNS. I guess most censors rely on DOT for blocking.
18:45 valdikss│ dcf1: yes, that's Russian blacklist.
18:45 dcf1│ I ran `goodbyedpi.exe -1` on Windows 8, then I used Internet Explorer to open one of the domains on the blacklist, 00seeds.com
18:45 dcf1│ Then in the packet capture, sure enough, I see `hoSt:00seeds.com\r\n`
18:46 dcf1│ Oh, Windows popped up a dialog asking if I wanted to allow GoodbyeDPI to make changes to my computer; I guess this is activating
18:46 dcf1│ valdikss: does the blacklist come directly from roskomnadzor? Or is it inferred in some other way?
18:47 valdikss│ dcf1: Roskomnadzor has an API for ISPs, one of the ISP uploads the list to github since the beginning:
18:48 cohosh│ heh
18:48 valdikss│ This is custom csv format, the original file is XML with its own schema (I could provide it to you if you're curious)
18:48 dcf1│ Ah great, zapret-info is the same data source used in https://censorbib.nymity.ch/#Ramesh2020a
18:48 dcf1│ Actually I used that repo once, watching the number of IP addresses listed during the Telegram block.
18:49 dcf1│ I'm wondering if it's possible to use WinDivert for Geneva, so that Geneva is not Linux-only.
18:50 dcf1│ I had a look at the WinDivert source code; it's a non-trivial piece of software.
18:50 dcf1│ I have heard from the people doing Npcap (packet capture driver for Windows by the Nmap project) that similarly that project is a
18:51 valdikss│ I'm pretty sure. Take a look at Tallow (from ReQrypt and WinDivert developer), it has TCP reassembling code to redirect all the
system traffic to Tor socks proxy: https://www.reqrypt.org/tallow.html
18:53 valdikss│ I have some other anti-censorship ideas you may want to implement. For example, using of TLS Padding Extension to artificially
enlarge TLS handshake, to overflow DPI TLS reassembly buffer:
18:55 dcf1│ Conceivably even vanilla Tor could apply that technique to talk to plain bridges and guards.
18:55 cohosh│ nice
18:56 dcf1│ One question I had is if there's any relationship between GoodbyeDPI and antizapret.prostovpn.org. Are they related or separate?
18:56 dcf1│ On ntc.party, I have it configured to send me notifications for every topic, except https://ntc.party/c/antizapret-prostovpn-org/5,
which is support for antizapret and is the most active topic.
18:57 valdikss│ dcf1: they are completely separate but both created by me. Antizapret is an automated proxy and VPN service which proxies/routes only
18:58 dcf1│ okay, thanks for the clarification
18:58 dcf1│ anyway, GoodbyeDPI seems to work well and it's easy to use
18:59 cohosh│ valdikss: is it often (or ever) that you need to update goodbyedpi
18:59 cohosh│ for changes they make to the dpi boxes?
18:59 dcf1│ I also appreciate your research posts, valdikss
19:00 valdikss│ cohosh: Yes, the DPIs are updated on a regular basis, at least once a year. It's tricky to find newer bypass methods, they are not as
stable and easy to implement than all existing ones.
19:01 valdikss│ GoodbyeDPI is still very effective in Russia due to the fact that we have hundreds of small ISPs across the country, not dozens like
in most other countries. ISP network setup could be very different, many of smaller ISP use very simple or custom DPI systems.
19:02 valdikss│ we have thousands* (around 3000) of small ISPs.
19:02 cohosh│ aha, that's where the test scripts you included come in handy then? because there is so much variation in censorship
19:03 valdikss│ Yes. I made it somewhere in 2015 I believe, it was interesting for me how ISP implement censorship. I've collected statistics data,
19:04 dcf1│ The Tor Project has a small tool also designed for local testing: https://gitlab.torproject.org/tpo/anti-censorship/emma
19:05 dcf1│ For me, GoodbyeDPI is interesting because it proves that systems based on local packet manipulation can be practically deployed.
19:06 cohosh│ yeah wow, that it's been working since 2015 is pretty cool
19:06 dcf1│ Even if there are a lot of annoyances to work around, such as requiring administrator permission, and OS-specific network APIs.
19:09 valdikss│ I have to go. Feel free to contact me here or on ntc.party. I have many unimplemented ideas, for example GoodbyeDPI alternative for
modern Android smartphones without root access, based on eBPF. I also have a test build of Firefox with TLS Padding 12k, works well.
19:10 phw│ valdikss: thank you for coming and for answering our questions!
19:10 cohosh│ valdikss: thanks for stopping by!
19:10 dcf1│ cheers, thanks so much for being here
19:13 phw│ shall we wrap it up?
19:13 dcf1│ I guess that is all there is to talk about this week.
19:14 phw│ does anyone have suggestions for the next reading group?
19:14 phw│ (doesn't have to be now. you can also post it to our mailing list)
19:14 dcf1│ The next one I'm planning to read and summarize is the ICLab one, though I'm not sure how much of it will be new to this group.
19:15 dcf1│ There are the PETS papers listed in the pad (I'm not totally sure the VPN one is in our wheelhouse but it sounds interesting)
19:15 dcf1│ In about 1 month there are likely to be some FOCI papers as well.
19:16 phw│ the abstract of the pets vpn paper sounds interesting. i'm sure some of its lessons translate to our technology
19:18 * phw votes for the vpn paper
19:18 phw│ i can provide a summary
19:18 cohosh│ cool sounds good to me
19:18 agix│ +1
19:18 phw│ ok, that's it for today. thanks for attending
19:19 cohosh│ \o/ thanks!
19:19 phw│ #endmeeting
19:19 HashikD│ Thanks everyone! that's very interesting!
19:19 agix│ thanks
19:19 hannelores│ thanks
19:19 juggy│ thanksz
19:20 phw│ wait, my #endmeeting does not seem to have ended the meeting...?
19:20 dcf1│ it's leviOsa, not levioSA
19:20 dcf1│ #endmeeting
19:20 dcf1│ i too am powerless
19:20 cohosh│ it looks like there was a netsplit mid-meeting
19:21 phw│ MeetBot seems gone
19:21 cohosh│ maybe the meetbot is on a different server lol
19:21 phw│ guess we'll never know what happened to this meeting
19:21 cohosh│ yeah perhaps one of us should make a manual log in case that happened
19:22 cohosh│ Netsplit reticulum.oftc.net <-> coulomb.oftc.net quits: teor4, +GeKo, MeetBot, sisbell_, isis, +weasel, traumschule, +karsten,
19:22 phw│ i'll attach the log to my meeting summary
19:22 cohosh│ thanks phw