15:59:07 <meskio> #startmeeting tor anti-censorship meeting
15:59:07 <MeetBot> Meeting started Thu Mar 24 15:59:07 2022 UTC. The chair is meskio. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:59:07 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:11 <meskio> hello everybody
15:59:14 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:25 <meskio> feel free to add what you've been working on and put items on the agenda
16:00:12 <meskio> the first item in the agenda is 'dnstt bridges'
16:00:23 <meskio> I didn't remove it just in case we still want to talk about it
16:00:24 <cohosh> hi!
16:00:33 <meskio> there are already issues created to work on it
16:01:00 <ggus> hello
16:01:58 <meskio> hello o/
16:02:25 <itchyonion> hello
16:02:33 <shelikhoo> Hi~
16:02:56 <meskio> dcf1: did you see the conversation last week about adding support to dnstt as PT for bridges?
16:03:18 <dcf1> yes, I skimmed the discussion
16:03:27 <ln5> hi
16:03:44 <meskio> :)
16:04:36 <meskio> anyway, I guess we might not have anything to talk about it, we'll discuss in the related issue
16:04:41 <meskio> should we move to the next topic?
16:04:54 <meskio> "Prepare all pieces of the snowflake pipeline for a second snowflake bridge"
16:05:17 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/28651#note_2787394
16:05:30 <shelikhoo> I have made a design I think will work
16:05:47 <shelikhoo> Comments are welcomed
16:06:12 <shelikhoo> if we agree on this design, i will begin implementing its broker
16:06:59 <shelikhoo> dcf1 has later agreed on having broker provide the websocket url (I suppose)
16:07:42 <shelikhoo> and the fused design here is client check the domain name of that websocket url to see if that has a correct suffix
16:07:51 <shelikhoo> if so, it will be accepted
16:08:30 <shelikhoo> this removed the need to synchronise allowed websocket address constantly
16:09:05 <shelikhoo> and made it possible to have only one pool of proxy, instead of having a pool for each accepted fingerprint
16:09:46 <meskio> basically it shifts the trust from the broker to the DNS system
16:09:47 <shelikhoo> and does not decrease the security of client, since in either case it will have to accept a list of allowed websocket destination
16:10:13 <shelikhoo> if we only allow HTTPS connection
16:10:29 <shelikhoo> if we only allow HTTPS Websocket connection
16:10:37 <shelikhoo> then it would not rely on DNS that much
16:11:03 <shelikhoo> even if we have an allow list, then it still depends on DNS to point the domain to correct IP
16:11:24 <cohosh> so the steps to add a new bridge are: have someone agree to run the bridge, talk to TPA to set up a *.torproject.net subdomain to it, distribute the new bridge line with the new fingerprint?
16:11:59 <shelikhoo> Yes, and input that info at the broker
16:12:17 <shelikhoo> we can use an alternative TLD
16:12:25 <shelikhoo> if that is needed for security reason
16:12:53 <cohosh> that sounds reasonable to me
16:12:55 <dcf1> I have access to a host that will probably be the second snowflake bridge (the first one to have a different bridge fingerprint)
16:13:11 <dcf1> I have not set it up yet, but my plan is to get it ready for when you want to start pointing traffic to it.
16:13:40 <shelikhoo> dcf1: Yes, that will take a little while
16:13:49 <dcf1> (ln5's bridge is planned to have the same fingerprint we are using already, with domain name snowflake.torproject.net)
16:15:06 <shelikhoo> I think from Tor's design, it is not designed to have different instance of Tor with same fingerprint
16:15:38 <shelikhoo> so maybe the best way move forward is to accept that
16:15:58 <shelikhoo> and design things around this
16:16:51 <shelikhoo> Is there any suggested amendment to the design there
16:17:07 <cohosh> sounds like a good plan to me
16:17:26 <cohosh> i also don't think it closes any doors if later we want to do the more complex proxy matching idea
16:18:05 <meskio> +1
16:19:22 <meskio> anything more on this topic? it looks like we are all happy with shelikhoo's design
16:19:53 <cohosh> thanks shelikhoo :D it will be exciting to get this going
16:20:16 <shelikhoo> no problem~
16:20:30 <meskio> (:
16:20:31 <shelikhoo> {Add SOCKS5 forward proxy support} is ready to be reviewed again, now with handwritten SOCKS5-DNS
16:20:59 <shelikhoo> so the next topic is SOCKS5 proxy support for snowflake client
16:21:29 <shelikhoo> I have added handwritten DNS to it to get around Go stdlib's mindset
16:21:49 <shelikhoo> and it can be evaluated again
16:22:16 <meskio> nice
16:22:26 <meskio> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/64
16:22:27 <shelikhoo> if we decide to have it, we will consider to upstream changes to webrtc library
16:23:01 <cohosh> thanks shelikhoo, looks like i'm assigned to review it so i'll take a look
16:23:08 <shelikhoo> and I will rebase it against main
16:23:09 <shelikhoo> yes
16:23:12 <cohosh> (anyone else who is interested also feel free to jump in though)
16:24:23 <shelikhoo> okay maybe we can move on to the next topic.
16:24:25 <shelikhoo> archive state-of-censorship repo https://gitlab.torproject.org/tpo/anti-censorship/state-of-censorship
16:24:26 <itchyonion> shelikhoo: 👍
16:25:05 <meskio> cohosh: I have few things to review in my queue, so I'm happy for you to review it, but if you are overloaded say so and I'll have a look
16:25:44 <meskio> the state-of-censorship repo used to contain a json with information on what country blocks what
16:26:02 <meskio> but now this information is part of moat API, and the json lives in the rdsys-admin repo
16:26:23 <meskio> is not exactly the same json, the state-of-censorship one did contain information about websites being blocked
16:26:40 <meskio> while the moat one is only about ways to connect to tor
16:26:56 <meskio> I added a notice to the readme and archived the state-of-censorship repo
16:27:04 <meskio> but I'm happy to revert it if people disagree
16:28:10 <cohosh> sounds good :)
16:28:37 <meskio> kind of related to that I have an announcement, the circumvention settings API is already deployed
16:28:51 <meskio> I just deployed it today
16:29:03 <cohosh> nice!
16:29:23 <shelikhoo> great!
16:29:25 <meskio> that is all in the agenda
16:29:34 <meskio> do we want to pick a paper for our reading group?
16:30:22 <meskio> itchyonion: I'm not sure we have described the reading group to you, but basically every couple of weeks we pick up a paper on a topic related to anti-censorship and discuss it in our weekly meeting
16:30:36 <meskio> any proposals for papers to read?
16:30:52 <itchyonion> awesome
16:31:34 * meskio looks at https://censorbib.nymity.ch/
16:31:35 <cohosh> i've been meaning to read balboa, personally: https://censorbib.nymity.ch/#Rosen2021a
16:31:59 <meskio> I'm happy to do that one
16:32:16 <shelikhoo> +1
16:32:29 <meskio> two weeks from now? April 7?
16:32:36 <ln5> that's a great idea
16:33:23 <cohosh> sounds good!
16:33:23 <meskio> great, we have something to read the next couple of weeks
16:33:26 <itchyonion> 👍
16:33:36 <meskio> anything else for today?
16:34:03 <shelikhoo> +1, EOF from Shell
16:34:08 <meskio> nice, we have a fast meeting today :)
16:34:21 <meskio> I'll wait for a minute and close the meeting if no one has anything else
16:35:20 <meskio> #endmeeting