15:58:08 <cohosh> #startmeeting tor anti-censorship meeting
15:58:09 <MeetBot> Meeting started Thu Mar 25 15:58:08 2021 UTC. The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:09 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:58:20 <cohosh> hey everyone!
15:58:36 <dcf1> hi
15:58:39 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:06 <anarcat> hi
15:59:30 <anarcat> i think i accidentally joined your team for a week or something :p
15:59:40 <cohosh> :D
15:59:49 <maxbee> Hi 👋
15:59:53 <cohosh> for the hackweek next week you mean
15:59:55 <cohosh> ?
16:00:03 <cohosh> maxbee: hey and welcome!
16:00:12 <maxbee> Thanks!
16:00:24 <anarcat> yeah
16:00:46 <cohosh> okay i added that to the agenda
16:01:02 <cohosh> dcf1: is the first discussion point yours?
16:01:09 <dcf1> yes
16:01:45 <dcf1> I'm now sure if these new vulns announce tor, but I imagine core tor will know soon
16:01:52 <anarcat> from what i understand the openssl vuln only allows for MitM if some peculiar config is used
16:02:02 <dcf1> Just wanted to make a note for us to update bridges if necessary
16:02:31 <cohosh> i guess it doesn't hurt
16:02:32 <anarcat> the second part is a DOS attack, for which the debian security advisory (DSA 4875-1) is clearer: "A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service."
16:02:33 <dcf1> anarcat: that's CVE-2021-3450, there is also CVE-2021-3449, a null pointer deref
16:02:40 <anarcat> yep
16:03:03 <anarcat> certainly worth taking a look
16:03:22 <dcf1> I agree the first one doesn't sound like it affects tor
16:03:44 <anarcat> at least the first one is one grep away ;)
16:03:47 <anarcat> easy to check
16:04:12 <dcf1> that's all I had to say
16:04:20 <anarcat> do bridges have TLSv1.2 enabled?
16:05:45 <dcf1> I don't know. I am not up to date with tor's use of TLS.
16:06:54 <cohosh> yeah me neither
16:07:16 <cohosh> they won't be any different from relays in this respect
16:07:26 <cohosh> we're just the admins for them
16:07:47 <anarcat> i guess we could ask #tor-dev, i dumped the link there earlier
16:08:00 <cohosh> yeah good idea
16:08:11 <cohosh> for now let's move on to the next discussion
16:08:23 <cohosh> next week is a hack week at tor
16:08:52 <cohosh> where we set aside sponsor work for a week to work on other projects we're interested in
16:08:53 <anarcat> yay!
16:09:18 <cohosh> there is a mail to tor-project with some more details
16:09:54 <dcf1> https://lists.torproject.org/pipermail/tor-project/2021-March/003070.html
16:09:59 <cohosh> but anarcat and i are planning on expanding the anti-censorship team alerts
16:10:01 <cohosh> thanks dcf1
16:10:15 <cohosh> so if anyone else here wants to join in on that
16:10:26 <cohosh> you're welcome to :)
16:11:02 <anarcat> do we know more about the presentation(s) we're supposed to give on monday and friday?
16:11:04 <cohosh> here's a pad we started: https://pad.riseup.net/p/tor-hackweek-censorship-alerts-keep
16:11:25 <cohosh> uh no i'm not really sure what that entails
16:11:33 <anarcat> fun
16:12:02 <cohosh> i was just going to throw together some slides, maybe with motivating examples of why this is a good idea
16:12:07 <anarcat> i'll also note that friday is good friday here, so it's a bank holiday
16:12:10 <cohosh> and outline the objectives we put in the pad
16:12:22 <anarcat> not that i'm religious or anything, but it's actually observed in canada, so in theory we're supposed to be off :p
16:13:26 <cohosh> oh right, i think i'm going to take a different day off instead XD
16:13:39 <anarcat> i see
16:15:06 <cohosh> so yeah, feel free to add to the pad if there are alerts you'd like to see that we don't already cover
16:15:14 <cohosh> and to join for parts of the hackweek
16:16:16 <cohosh> anarcat: i have some free time this afternoon to work on the slides for monday if you're also free
16:16:47 <anarcat> cohosh: i do! would be happy to join
16:17:03 <cohosh> cool i'll ping you on tor-dev after the meeting
16:17:04 <anarcat> and i'm sorry to say i might miss the last day
16:17:06 <anarcat> ack
16:17:22 <cohosh> yeah no worries
16:17:47 <cohosh> okay let's move on to assigning reviews or anything else we need help with
16:18:34 <cohosh> agix: lmk if i can be useful for your rdsys test environment work
16:18:42 <dcf1> I would like to take a look at snowflake!31 but I'm afraid I won't have much time next week to review it thoroughly
16:18:57 <dcf1> I appreciate you leaving detailed notes at https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/31
16:19:01 <cohosh> dcf1: yeah that's okay. it's a big and kind of weird one
16:19:07 <cohosh> there's no rush on it
16:19:19 <cohosh> so i'd like your thoughts but also take your time
16:19:20 <dcf1> hmm okay
16:19:26 <dcf1> I have a question though
16:20:08 <dcf1> This is just for the internal Go API part of PT 2, am I right? As I understand it, PT 2 also adds some requirements on command-line options (e.g. as synonyms for env vars), and this merge req is not about that?
16:20:33 <dcf1> It sounds like the demand from Orbot and I2P, anyway, is for the API part.
16:20:37 <cohosh> right yeah it's just the go part
16:21:11 <cohosh> iirc n8fr8 reached out awhile ago about updating goptlib for the command-line bits
16:21:16 <dcf1> ok, thanks
16:21:19 <cohosh> but i haven't heard anything recent about that
16:22:16 <dcf1> I'm fine with having a fork of goptlib for PT 2 stuff (or a /v2 go modules branch), but at this point I don't want to change the v1 library, I think
16:22:33 <cohosh> that's fair
16:22:56 <dcf1> I will make a note to look at !31, but it may not be fully
16:23:11 <cohosh> okay thanks!
16:23:45 <cohosh> (and no pressure)
16:24:02 <cohosh> anyone else have anything they'd like to bring up?
16:24:30 <agix> cohosh thanks :) I will let you know if I need any help
16:25:32 <cohosh> okay i'll close the meeting here
16:25:37 <cohosh> #endmeeting