15:59:45 #startmeeting tor anti-censorship meeting 15:59:45 Meeting started Thu Nov 11 15:59:45 2021 UTC. The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:59:45 Useful Commands: #action #agreed #help #info #idea #link #topic. 15:59:50 hi everyone! 16:00:03 here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep 16:00:17 we have reading group at the end of the meeting today, but otherwise an empty agenda 16:00:36 please feel free to add items and also update us on what you've been up to :) 16:00:38 hello 16:01:28 hi~ 16:03:01 * cohosh waits a few mins to allow for updates and agenda items 16:03:27 (but feel free to jump in with topics) 16:04:37 oh, as just a quick update, i was thinking of posting our monthly reports on discourse 16:05:02 after reading ahf's awesome network team update: https://forum.torproject.net/t/updates-from-the-network-team-october-2021/442 16:05:08 :) 16:05:12 sounds good to me 16:05:18 \o/ 16:05:27 <3 16:05:43 maybe more people will check out the forum with more content there \o/ 16:06:37 yea! 16:07:06 we used to post our reports on the blog but stopped because the interaction we were getting wasn't constructive 16:07:14 discourse seems to be a much better setup for that 16:07:38 at least it has a more fluid moderation 16:08:40 yeah 16:08:56 I finally got bridgedb talking to rdsys, the mr is pretty long, but is mostly deleted lines 16:09:19 I'm drafting a plan on how to test it as I would like a bit more testing than just what I've done in my machine 16:09:29 :o 16:09:32 amazing 16:10:08 Yes, I am really worried my code will interact with other part of the system in unexpected way 16:10:17 that is a lot of work finally coming to fruition 16:10:25 Maybe we can create a staging environment? 16:10:44 shelikhoo: yep, this is more or less what I would like to do with bridgedb 16:11:24 I was wondering if I want to propouse using containers for that, as right now our deployment mechanism is a bit manual 16:12:00 but I'm not sure TPI will be happy to provide an environment to run containers, I guess is something we are not doing in production (yet) 16:12:35 sounds like a good thing to talk to the sysadmin team about 16:12:47 polyanthum is honestly kind of a mess right now 16:13:04 yes, I'm a bit scared to touch things there, containers could help 16:13:21 anyway, I can go next monday to the TPI office hours and talk with them and see what they think 16:13:22 It would be great if we can just apply a yaml or tfplan to get everything working 16:13:44 * meskio looks up tfplan 16:13:54 terraform plan file 16:14:04 ahh, I see, never used terraform before :) 16:14:06 just a description of server setup 16:14:28 i think there was experimentation with ansible in the past 16:14:34 not sure whether it's used in production now though 16:14:45 let say we pack each part of software in a container 16:15:11 I have used ansible in the past, is not too bad 16:15:45 and use kubernetes to run it? It is hard to make a desion without investigation 16:16:08 yep, let's talk with TPI (the sysadmin team) and see what they think about it 16:16:29 awesome! 16:17:03 anything else before we move onto reading group? 16:17:14 oh, nice that AC team wants to use the forum to publish the reports! :D 16:17:18 V2Ray/Fly Developers is investigating the report of the current wave of blocking of Shadowsocks and VMess+TCP servers during China's CCP meeting session. Blocking of Shadowsocks is observed on developer-controlled servers. 16:17:26 let me know if you need help with it 16:18:42 ggus: thanks! i watched the discourse training and am writing up the report now :) 16:18:52 Although the exact identification method isn't clear yet 16:19:00 shelikhoo: oh interesting, i didn't know shadowsocks was being blocked 16:19:07 I've seen this discusion on the topic: https://github.com/net4people/bbs/issues/69 16:19:58 but I didn't follow up, it looks like several providers are talking about it 16:20:11 how do you observe the blocking? by usage metrics? 16:20:52 No, we control some of server that are blocked, so we can directly observe it 16:21:23 It is a kind of port block 16:21:52 packet capture is running, but I am not sure the root cause can be discovered. 16:23:04 The block of VMess is reported by user, but so far we cannot reproduce it(https://github.com/v2fly/v2ray-core/issues/1377[Chinese]) 16:23:23 did I understand that it looks like the GFW is able to block it just by observing the traffic? 16:23:50 Yes, shadowsockets is know to have some weakness 16:24:06 and the developers have no plan to fix it 16:24:20 since they perfer a stable protocol 16:24:42 I see, I didn't know it was a known problem 16:24:46 since they prefer a stable protocol 16:25:45 :/ 16:25:50 And some iOS client always send header without the first client payload data 16:26:16 so the packet length give GFW additional infomation 16:26:57 Their decision is not understandable, currently most Shadowsockets servers are running inside firewall 16:26:58 but the blocking method is by port? 16:27:07 yes, not by IP 16:27:50 and these server just accept Shadowsockets protocol traffic from user, and send these traffic with another tunnel 16:28:56 so it is usually just used for accepting traffics, not actually tunnel traffic through GFW 16:29:27 so don't change the protocol means all existing client softwares will still work 16:30:26 and even if the protocol is blocked by GFW, it is still working for sending traffic to a server inside firewall 16:32:10 does the workaround at the end of the net4people/bbs thread still work? 16:32:14 It is not like it is instantly blocked, usually it is after a few days of usage and only during sensitive period. So it is really hard to know the exact method of blocking 16:33:18 I have't tried, but it should work. Since it is block by port. 16:33:47 It is not like it is instantly blocked, usually it is after a few days of usage and only during sensitive period. So it is really hard to know the exact method of identification 16:33:53 i wonder if the bridge blocks we see are also by port 16:34:18 perhaps obfs4 bridge operators don't need to rotate their IP, just change their port 16:34:25 to get unblocked 16:35:16 the blocks we see are from enumeration through BridgeDB/built-in bridge settings, but it would be an interesting thing to try 16:35:33 we should test that, should be easy to check as obfs4 bridges do usually also have a vanilla port that we could try out if the obfs4 one get blocked 16:36:05 (or this is what I understood reading the bridgeauthority files) 16:36:06 +1 16:36:16 usually when a server is blocked by IP, then ping will timeout as well 16:37:26 if we still have a account at a cloud provider, we can just automate the server setup and destory process with terraform 16:37:41 and instantly recreate any blocked server 16:38:02 we have volunteers running obfs4 bridges with terraform i believe 16:38:08 in general, tor doesn't run most bridges 16:38:26 the snowflake bridge is an exception in that way 16:38:40 "we write and maintain the code, we don't run the network" 16:38:40 Yes... maybe we have have some tool to auto recreate a bridges with a new ip when it is blocked? 16:38:56 shelikhoo: yep! that's the idea 16:39:54 censorship-analysis#40020 16:40:08 but we were assuming we had to rotate IP addresses. if it's just ports our job is easier 16:41:08 * meskio wonders how long will take the GFW to start blocking IPs if bridges start rotating ports 16:41:20 but is a nice cat and mouse play 16:41:46 yeah 16:42:12 well, it could be stable... if we haven't been deplatformed from AWS meek... 16:42:51 Let's say AWS Lambda can also be used if they allow us. 16:43:56 yeah, again it can't be us, it has to be volunteers 16:44:15 we have volunteers who are already doing this so after we test it, the next step is to talk to them 16:45:03 i think they already have some nice setups for doing the rotation 16:45:14 hopefully if this works it'll make their lives easier :) 16:46:38 thanks for bringing up this topic shelikhoo! this was really informative and helpful 16:46:58 yes, I've learned a lot here :) 16:47:06 is there a way we can help with the v2ray/shadowsocks users who are affected by this? 16:49:33 I think VMess + WebSocket + TLS is not blocked, so they can just change some config and get everything working 16:49:57 okay nice 16:50:20 I can't think a way that we can help them right now. 16:50:50 okay, thanks shelikhoo 16:51:13 let's move on to the reading for today, unless there's something else? 16:51:33 +1 16:51:58 I have tested that about 2 of 3 of obfs4 bridge given to me is blocked by IP 16:52:04 +1 16:52:07 awesome, today's reading was a FOCI paper from this year 16:52:17 "Measuring QQMail's automated email censorship in China" 16:52:42 by Knockel and Ruan 16:52:51 paper link: https://dl.acm.org/doi/10.1145/3473604.3474560 16:53:11 net4people/bbs summary: https://github.com/net4people/bbs/issues/95 16:53:27 anyone else have a quick summary they want to share? 16:53:49 I think the bbs one is pretty good 16:54:40 +1 16:56:51 The my first though on this paper is that QQMail reused the spam filter system to implement a censorship system. 16:57:38 heh that makes sense 16:57:57 I found pretty interesting to see the keyword distribution, we keep hearing the example of tibet or tiananmen as censored content and I got surprised to see those topics having very few keywords 16:58:13 I'm happy to be reminded that I don't know much about the topic 16:58:57 (at least uyrughurs were high in the keyword list) 16:59:37 meskio: you mean that you think the authors missed testing a lot of relevant keywords? 16:59:56 no, I mean that I don't know what kind of content is censored in china 17:00:04 ah i see 17:00:05 and we keep using outdated examples 17:00:07 The number of term discovered is surprisingly low. I think these are just words that get rejected immediately. 17:00:45 Maybe there is an another list that will trigger a manual review after delivery. 17:01:18 or maybe they have other blocking mechanisms that doesn't trigger a 550 smtp error code 17:01:37 I mean the paper keeps saying that they are surprised that no phising or porn was blocked 17:01:52 but they only know that they didn't get a 440 smtp error 17:02:04 there might be a long pipeline of blocking/spam mechanisms there 17:02:11 s/440/550/ 17:02:25 and only one of the pieces return an error on the smtp connection 17:02:51 yeah 17:03:22 being as big as qqmail is I will be surprised that they don't have any anti-phising mechanism 17:03:48 actually there is, but mostly just send these kind of email to spam folder 17:04:07 I see 17:06:09 there's this line at the end of dcf's summary: A further bit of weirdness is that QQMail does not censor incoming mail to a recipient that has previously sent mail to the sender, which is behavior more characteristic of a spam filter than a content filter. 17:06:38 did they test that these emails actually arrived at the end point? 17:06:52 or just that they didn't trigger the 550 smtp error? 17:07:02 No, they send email to a non-exist mail address 17:07:02 yes, the paper even explores if this behaviour is not intentional to monitor the conversations of dissidents 17:07:16 aha okay 17:07:43 they said they set up a test address, but only run few tests against it 17:07:53 most of the tests where against a non-existant address 17:08:47 they even report this behaviour as a security issue to qqmail, as it will let them discover if someone has sent an email address to a certain address 17:09:58 oof 17:12:19 I'm wondering if they censor only messages in chineese or also in other languages, I guess other languages are a small minority that might not matter for the censor 17:13:10 Usually the sensitive words are in Chinese... 17:14:33 https://zh.m.wikiversity.org/zh-hans/%E4%B8%AD%E8%8F%AF%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9C%8B%E5%AF%A9%E6%9F%A5%E8%BE%AD%E5%BD%99%E5%88%97%E8%A1%A8 17:14:55 You can see these is some english words in the list 17:15:42 (Its title is China's sensitive word list) 17:15:51 this paper includes some discussion of the blocking arabic script: https://www.usenix.org/system/files/conference/foci15/foci15-paper-knockel.pdf 17:16:03 I see 17:18:52 The thing I am thinking is how do we protect our users in the Salmon system. Let's say what will happen if they share the invitation data on an adversary-controlled channel? 17:20:38 that's a good thought, know that plaintext messages can be monitored and processed for information 17:21:11 one option is to steer users towards certain behaviours through the UI 17:21:37 we could, for example, make it hard for users to copy/paste invite info into any channel 17:21:45 do I remember correctly that the invitation data is only valid to create one account? so if the user creats it first and the adversary can't do much with it, the problem is if the adversary is faster will be nice to be able to revoke invitations on those cases 17:21:57 and instead have them scan a friend's QR code on their phone 17:22:06 meskio: yes that's correct 17:22:22 or atleast, that's the intention 17:22:41 for whatever design we actually end up settling on 17:23:02 Since the communication channel in for example China is associated with government issued ID, being discovered for using Tor isn't a good thing 17:23:14 even if the adversary cannot use that token 17:23:18 I like your approach of thinking on the UI instead of crazy crypto mechanisms if possible 17:24:35 Although it is unlikely that a punishment will be made solely based on using tor 17:26:20 yeah :-S 17:26:56 the tor opsec thing is very tricky and dependent on the region or even individual 17:27:50 we're almost 30 mins past --- any last discussion? 17:28:05 Nope 17:28:16 I'm good 17:28:53 okay thanks everyone! this was an awesome meeting and reading group :D 17:29:10 yep, it was pretty good 17:29:18 Yes! 17:29:29 #endmeeting