[tor-relays] Snowflake PT

teor teor at riseup.net
Thu Aug 23 03:03:19 UTC 2018 

> On 23 Aug 2018, at 11:22, Mirimir <mirimir at riseup.net> wrote:
> 
>> On 08/22/2018 05:41 PM, teor wrote:
>> 
>>> On 23 Aug 2018, at 10:16, Mirimir <mirimir at riseup.net> wrote:
>>> 
>>> On 08/22/2018 04:17 PM, teor wrote:
>>>> 
>>>> I don’t know about the current deployment plan for Snowflake, but I
>>>> can point you to the relevant parts of the git repository:
>>>> 
>>>>> On 22 Aug 2018, at 07:58, Nathaniel Suchy <me at lunorian.is> wrote:
>>>>> 
>>>>> Tor Browser 8 Alpha includes the Snowflake PT as it comes near a final release, the adoption and usage of the Snowflake PT will continue to rise. I now have the following questions...
>>>>> 
>>>>> 1) Will a command line tool like an obfs4proxy come out so those of us with infrastructure can run high capacity snowflake bridges.
>>>> 
>>>> Like Meek, Snowflake is a 3-component transport:
>>>> 
>>>> User -> Proxy -> Bridge

Ok, here's a list of all the connections that happen in Snowflake:

1. Proxy -> Website to download the Proxy JS
2. Proxy -> Broker to register with the Broker
3. Client -> Broker to get a list of Proxies
3. Client -> Proxy -> Bridge to transmit data

>>> I've read some of the Snowflake documentation. But I've found it
>>> confusing.
>> 
>> The FAQ explains the different components:
>> https://github.com/keroserene/snowflake#faq
> 
> Thanks. This in particular was helpful:
> 
> | 1. Volunteers visit websites which host the "snowflake" proxy.
> | (just like flashproxy)
> 
> I don't recall seeing such a clear statement in other docs.
> 
>>> I vaguely recall that Snowflake came up in a recent Tor
>>> browser install.
>> 
>> Yes, the *Snowflake client* is in the new Tor Browser alpha.
>> 
>>> And I vaguely recall that there was an option to act as
>>> a Snowflake proxy, via WebRTC. Is that true?
>> 
>> Yes, volunteers on non-censored connections can run the *Snowflake proxy*.
> 
> Wait. From that quote, it's websites that are hosting the snowflake
> proxy. So are "volunteers" running a snowflake script, which is hosted
> on the proxy website?

Yes

>> (Running a proxy in Tor Browser is not possible, because Tor Browser
>> disables WebRTC.)
> 
> OK. Which is a good thing. Because it's an external IP leak.
> 
>>> And if so, what IP address
>>> would be exposed? Would it be the IP address of the device running Tor
>>> browser? That would be rather iffy. Almost like inviting users to run
>>> relays, no? But perhaps I'm just confused.
>> 
>> The Snowflake client connects to the Snowflake proxy.
>> 
>> Snowflake uses the STUN WebRTC method, so clients and proxies discover
>> each others’ external IP addresses.
> 
> The use of "clients and proxies" is confusing here. The proxy is hosted
> on some website, so having its external IP address exposed isn't at all
> problematic. But what I suspect is that it's clients and _volunteers_
> that discover each others’ external IP addresses. So basically, the
> snowflake script is circumventing the WebRTC block in Tor browser.

The Snowflake Client is a separate executable with its own WebRTC
stack. It performs a restricted set of network operations. It is
launched by Tor, which is launched by Tor Browser.

Tor Browser blocks WebRTC so that hostile websites can't run
JavaScript that makes arbitrary connections outside Tor,
revealing the user's IP address and other identifying data to an
adversary.

They're very different scenarios.

>> If Snowflake used the TURN method, then the TURN server would discover
>> both addresses:
>> https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go#n141
> 
> Sure. But the problem here, if I understand this correctly, is that
> volunteers are sharing their external IP addresses with snowflake
> clients. Is that correct?

I'm not sure which IP addresses you think should be secret:
* the IP addresses of the Tor users running the snowflake client
  (the threat to these tor users is the same as any other tor user,
   see below)
* the IP addresses of the non-tor browser users running the snowflake
  proxy (the threat to these non-tor users is similar to browsing other
  WebRTC websites)

> And yes, I get that you say "volunteers on non-censored connections".
> But "non-censored" doesn't mean non-monitored.
> 
> There really needs to be a prominent warning about this.

What should the warning say, and who is it for?

> Many people use
> Tor for privacy and ~anonymity, not just for circumventing censorship.

Tor keeps user IP addresses separate from the sites they're accessing. In
particular, the exit and the remote site never learn user IP addresses.

But Tor does reveal user IP addresses to the entry points into the network,
which can be guards, bridges, or the entry point(s) for pluggable transports.

Anyone can run a guard or a bridge or a snowflake proxy.

How does the snowflake proxy create a different threat model?

T

More information about the tor-relays mailing list