15:57:58 <shelikhoo> #startmeeting tor anti-censorship meeting 15:57:58 <shelikhoo> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep 15:57:58 <shelikhoo> feel free to add what you've been working on and put items on the agenda 15:57:58 <MeetBot> Meeting started Thu Sep 1 15:57:58 2022 UTC. The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:57:58 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:58:19 <shelikhoo> hi~ 15:58:36 <meskio> hello 15:58:53 <shelikhoo> I think this meeting bot's time is out of sync... 15:58:59 <cohosh> hi 15:58:59 <anadahz> hi! 15:59:22 <meskio> 2mins :D 16:00:44 <itchyonion> hi 16:00:58 <dbarradas> hi all 16:01:08 <cohosh> dbarradas: welcome :) 16:01:29 <cohosh> here's the meeting pad with the agenda (since you joined after it was linked): https://pad.riseup.net/p/tor-anti-censorship-keep 16:01:51 <dbarradas> thanks! 16:05:12 <meskio> hello dbarradas 16:05:22 <fsilva> hey everyone! 16:05:38 <shelikhoo> hey~ 16:06:14 <shelikhoo> okay, let's begin the meeting. 16:06:14 <shelikhoo> the first announcement is that 16:06:14 <shelikhoo> There will not be a meeting Sept 15th 16:06:53 <meskio> some of us will be meeting in person date date 16:07:59 <shelikhoo> yes, anything more on this topic? 16:08:16 <meskio> not from my side 16:08:40 <shelikhoo> The next topic will be: 16:08:40 <shelikhoo> Conjure PT ready to try out: https://lists.torproject.org/pipermail/anti-censorship-team/2022-August/000240.html 16:08:40 <shelikhoo> Congrats to cohosh! 16:09:00 <meskio> \o/ 16:09:06 <meskio> amazing work 16:09:09 <cohosh> thanks :) 16:09:19 <anadahz> cohosh: Congrats!!! 16:09:24 <cohosh> it needs some work, but is ready for an initial testing phase 16:09:58 <itchyonion> awesome 16:10:12 <dbarradas> great work! :-) 16:12:09 <shelikhoo> anything more on this topic? 16:12:10 <cohosh> thanks! that's all from me on that, feel free to reach out with bugs/comments/questions 16:12:50 <shelikhoo> now is the discussion phase 16:12:57 <shelikhoo> a topic from last week 16:12:59 <shelikhoo> Snowflake in Turkmenistan: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40024 16:12:59 <shelikhoo> we are providing a different snowflake bridgeline with specific port for stun servers and azure and domain front 16:12:59 <shelikhoo> the changes seems to work for AGTS (one ISP) but not for others, as they block port 3478 and 3479 16:13:20 <meskio> we did deploy the changes last week 16:13:26 <shelikhoo> so we have tried to fix that, but there isn't a significant increase of user 16:13:29 <shelikhoo> I think.... 16:13:36 <meskio> but I haven't seeing any increase on snowflake usage in metrics.tpo 16:13:46 <meskio> I see there are more and more obfs4 users 16:13:50 <meskio> also meek ones 16:14:16 <meskio> not sure if the fix is not working or just not so many people using directly connect assist 16:14:42 <meskio> ggus: do you have any reports of people in TM succesfully connecting using Connect Assist? 16:15:02 <cohosh> do we know how many large the user base is for Turkmentelecom vs AGTS? 16:15:21 <meskio> I have no idea 16:15:51 <cohosh> shelikhoo: i've been thinking about the comment you made regarding STUN servers 16:16:03 <cohosh> if one fails, does that mean everything fails? 16:16:19 <cohosh> i've been meaning to follow up with testing, but maybe you have already 16:16:20 <dcf1> if you want to run your own local analysis if the number of users in one country, you can start from these scripts for Russia: https://gitlab.torproject.org/tpo/community/support/-/issues/40050#note_2826459 16:17:35 <ggus> meskio: i'm going afk and nina is afk today too. 16:17:50 <shelikhoo> cohosh: Yes, I have tested that with wireshark and it send stun packet to all servers 16:17:55 <cohosh> shelikhoo: the comment was here: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40029#note_2831554 16:18:12 <shelikhoo> (or a lot of server) 16:18:12 <meskio> ggus: ok, thanks 16:18:27 <cohosh> shelikhoo: okay that was my assumption, but if one fails does it cause the snowflake client to give up? or is it sufficient for at least one to work? 16:18:56 <shelikhoo> no it will work if at least one of them is working 16:19:04 <cohosh> great, thanks! 16:19:25 <shelikhoo> The thing I am unsure is that whether snowflake select a subset of server and input that into WebRTC ICE 16:19:32 <shelikhoo> I didn't check that part 16:19:57 <cohosh> it does 16:20:21 * cohosh goes to find code line 16:21:09 <cohosh> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/client/lib/snowflake.go#L124 16:21:35 <cohosh> it randomizes it and then selects half of them (rounded up) as long as there are greater than 2 servers provided 16:22:35 <shelikhoo> yes, so it means if it is not working, then a random selection of half of them is not working 16:23:12 <cohosh> that's possible 16:24:05 <cohosh> we haven't tested IPv6 STUN servers 16:24:57 <shelikhoo> I have to say I don't think a lot of people in TM will have IPv6 connectivity 16:26:53 <cohosh> okay that's good to know 16:27:32 <shelikhoo> one of way we think we could get around this stun block is by avoiding TM's unidirectional block of connection 16:27:42 <shelikhoo> by forging UDP packets 16:28:28 <shelikhoo> if we already know client IP, in theory we could forge 65536 packet to make a IP fully accessible 16:29:23 <shelikhoo> according to the blocking rule shared by valdikss 16:30:14 <anadahz> According to RIPE stats 50% of networks in Turkmenistan have no IPv6 support -- https://ripeness.ripe.net/pies.html 16:31:45 <meskio> shelikhoo: the UDP fix would be very interesting to try out, will be nice to look into how much work it would require to implement 16:32:22 <shelikhoo> the first step would be getting a actual test environment... 16:32:33 <shelikhoo> which we don't have yet 16:33:20 <meskio> do you want to make a proposal about that? make an issue and some idea on how this would look like 16:33:28 <meskio> I mean the test environment 16:34:13 <shelikhoo> I mean a vantage point in TM 16:34:24 <meskio> ahh, ok 16:34:33 <meskio> yes, that would be pretty useful 16:34:48 <trinity-1686a> shlikhoo: probably half or a quarter of the work is enough, /proc/sys/net/ipv4/ip_local_port_range is 32768-60999 on my system, and on windows 10 `netsh int ipv4 show dynamicport udp` gives me 49152-65535 16:34:48 <meskio> I thought you were talking about some kind of staging/CI/... 16:35:38 <shelikhoo> trinity-1686a: yes.... 16:35:59 <shelikhoo> but anyway this will be super interesting to bypass censorship with packet forging 16:36:17 <shelikhoo> yet, we need to have a vantage point first 16:36:39 <shelikhoo> anything more on this topic? 16:36:47 <meskio> not from me 16:37:29 <shelikhoo> TorCloak Integration with BridgeDB 16:37:29 <shelikhoo> We are currently developing a new Tor Pluggable Transport called TorCloak. TorCloak's basic mechanism is to conceale Tor traffic on the video streams of WebRTC-based video conferencing services. 16:37:29 <shelikhoo> We are now coming to a stage on our project in which we are discussing solutions to disseminate our bridges. 16:37:29 <shelikhoo> Sent a draft of the solution via the mailing list. 16:37:29 <shelikhoo> https://lists.torproject.org/pipermail/anti-censorship-team/2022-August/000239.html 16:37:30 <shelikhoo> Get everyone's opinion and feedback on the solution 16:38:38 <fsilva> Hey. Thank you for your time first of all. 16:38:55 <meskio> TorCloak looks pretty cool, I wanted to reply to the list but I haven't find the time for it 16:39:09 <fsilva> First we would just like to get some feedback from the team about our presented solution. 16:39:12 <fsilva> Thank you :) 16:40:00 <cohosh> do you have a link to the source code? 16:40:08 <meskio> I have some doubts if it makes sense to incorporate it to bridgedb, as it will be some work and TorCloak should not need the features that bridgedb provides (making hard for censors to list the bridges) 16:40:34 <meskio> I think it should use a similar system that snowflake does, having a broker that coordinates the connection between bridges and clients 16:41:40 <fsilva> Where can we find some details to the implementation of snowflakes broker? 16:42:04 <cohosh> fsilva: yeah, Conjure is another PT that doesn't use BridgeB, because the phantom IP addresses are too ephemeral and specific to the client 16:42:04 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/broker 16:42:23 <shelikhoo> This is the source of snowflake's broker 16:43:03 <fsilva> cohosh: about the source code, not yet, still in early development 16:43:15 <fsilva> so you think its easier to develop our broker instead of using BridgeDB for our purpose? 16:43:20 <meskio> I think it might make sense to set up an API over domain fronting for clients to get the rooms they should connect to 16:44:07 <meskio> I think your broker/API endpoint will be easier to implement and will let you test it without needing to coordinate with bridgedb 16:44:31 <dcf1> alternative model to consider: the client *tell* the server what room/password it intends to use, that way rendezvous can be one-way 16:45:04 <meskio> :) 16:45:36 <meskio> that might make possible to do it over dns or another slow transport, but as a first phase I think is easier to create an http API for it 16:45:46 <fsilva> dcf1: wouldn't that solution make it easier for a censor to identify this kind of communication? 16:45:51 <cohosh> this is how the tapdance registration of conjure works, you'll probably still need a broker/rendezvous point to get that info to the bridge(s) 16:46:21 <cohosh> i guess unless the bridge is the rendezvous point for itself 16:47:35 <fsilva> and using a broker such as snowflake does, does that introduce a single point of failure or blocking? 16:47:36 <dcf1> notes on rendezvous from the in-progress snowflake paper: https://github.com/turfed/snowflake-paper/blob/6489ffc97180bb74ff39f2dc4a37106aac534d2b/snowflake.tex#L180 16:48:09 <dcf1> fsilva: I don't see why a one-way rendezvous is more identifiable than a two-way rendezvous, maybe I don't understand you 16:48:18 <cohosh> fsilva: it does, but one thing to consider is that it doesn't require a large amount of data transfer 16:48:35 <meskio> fsilva: yes, the broker (like bridgedb) needs a channel to avoid censorship, like domain fronting or AMP cache 16:48:43 <cohosh> so things like domain fronting which aren't sustainable for proxying all traffic are an option 16:48:54 <dbarradas> Thanks for your suggestions. So in the model proposed by dcfl, one would tell the broker about a rendezvous chatroom ID, and the broker would instruct a bridge to use that particular (and ideally ephemeral) chatroom ID, correct? 16:48:54 <meskio> but that is "easy"to plug on an http API 16:49:27 <dcf1> either you connect to something and send, or connect to something and receive, or connect to something and send+recv. but don't get hung up on that point, it's not really material I think. 16:51:05 <fsilva> ok, this seems like a good idea, using a similar method to snowflake. 16:51:19 <meskio> :) 16:51:51 <fsilva> we will look into it, thank you everyone for the help! 16:52:03 <shelikhoo> Yes! anything more on this topic? 16:52:13 <shelikhoo> Next Step for WebTunnel 16:52:13 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/tree/7e7bebb499a46345b9adf030666698427965e953 16:52:31 <shelikhoo> WebTunnel(aka HTTPT) is now in MVP 16:52:43 <meskio> congrats \o\ 16:52:46 <meskio> /o/ 16:52:49 <cohosh> shelikhoo: nice! 16:52:50 <shelikhoo> yes! 16:52:52 <meskio> so many new PTs 16:53:07 <meskio> is 2022 the year of the anti-censorship? 16:53:21 <itchyonion> great work! 16:53:56 <shelikhoo> anyway, it still need a lot of work(see issues) to get into tor browser and rdsys 16:54:02 <meskio> I have reviewed the code and is pretty small, so cool :) 16:54:20 <anadahz> shelikhoo: Congrats!! 16:54:25 <shelikhoo> thanks! 16:54:53 <shelikhoo> the code could be larger as we support more things like 16:54:54 <anadahz> fsilva, dbarradas Congrats for your great work! 16:54:58 <shelikhoo> utls 16:55:18 <shelikhoo> or early data 16:55:19 <fsilva> anadahz: thank you! 16:55:37 <shelikhoo> or additional tor integration 16:55:42 <dbarradas> Another cool nugget, shelikhoo! Very nice! 16:55:53 <shelikhoo> yes! thanks! 16:56:38 <shelikhoo> It is actually from HTTPT paper here; https://censorbib.nymity.ch/#Frolov2020b 16:56:57 <dbarradas> yep yep, rings a bell :) 16:57:00 <shelikhoo> and the version just working is its tor pt integration 16:57:53 <shelikhoo> (the demo server shown in README is temporary) 16:58:07 <shelikhoo> anything more on this topic? 16:58:12 <fsilva> very nice shelikhoo, congrats! 16:58:30 <shelikhoo> fsilva: yes, thanks! congrats on your work as well! 16:59:44 <shelikhoo> okay, anything else we wants to discuss in this meeting? 17:00:01 <cohosh> we have a reading group next meeting, right? 17:00:06 <shelikhoo> yes! 17:00:37 <meskio> dbarradas, fsilva: keep us updated on the adavance on TorCloak, specially when you release the code 17:00:54 <fsilva> meskio: will do, thank you all! 17:01:00 <meskio> what do you use for webrtc? an actual browser? or some standalone library like pion? 17:01:22 <fsilva> we use a modified instance of chromium 17:01:31 <dbarradas> certainly. we'll also reach out for additional clarifications in the close future 17:01:35 <meskio> nice 17:02:11 <dbarradas> it turns out that getting a chromium distribution is some countries (say China) is not trivial, though 17:02:34 <meskio> yep 17:03:01 <dbarradas> the usual repositories are blocked as well, so we ought to do something better there in the future 17:03:40 <shelikhoo> the linux repo is actually fully accessible in china 17:03:43 <shelikhoo> like arch 17:03:52 <shelikhoo> actually hosts v2ray's binary inside china 17:03:55 <shelikhoo> without issue 17:04:19 <dbarradas> do you know whether pion supports video streaming? (or if headless video streaming could be a thing for a typical WebRTC video client?) 17:04:45 <shelikhoo> while when we(V2Ray) try to host it on cdnjs, they specifically blocked v2ray 17:05:07 <dbarradas> ah, that's very interesting 17:06:00 <dbarradas> did you reach out to, say, arch in some way? to get v2ray hosted inside china? 17:06:02 <meskio> I would expect that you need some video library to do video over pion, but I don't know much the details 17:06:47 <shelikhoo> dbarradas: it is a software package you can get with pacman. 17:07:13 <shelikhoo> so it is not like we reached to them, it is just how linux distribution works 17:07:28 <meskio> there are some pion examples sending video: https://github.com/pion/webrtc/blob/v1.1.1/examples/README.md 17:07:45 <dbarradas> pardon for my ignorance here, but so, as long as arch supports your package, then it does not get blocked in china? 17:08:08 <meskio> but pion is blocked by fingerprint in some places, we've being trying to improve that 17:08:22 <shelikhoo> china didn't contact arch to remove v2ray's package 17:08:30 <shelikhoo> the same is probable true for debian 17:08:35 <shelikhoo> and other linux distributions 17:08:45 <dbarradas> right, got it 17:09:28 <shelikhoo> okay, anything more we wish to discuss in this meeting? 17:09:28 <dbarradas> had no idea this was going on, thanks! 17:09:39 <meskio> EOF 17:09:49 <anadahz> Though they could block downloading a specific package if for instance the package manager uses HTTP (was the case in Debian) 17:10:19 <anadahz> Fortinet DPI has this capability ^ 17:10:29 <shelikhoo> if that mirror is inside china then probably it does not pass GFW 17:11:38 <anadahz> ah yes that makes sense, local mirrors should not be affected 17:11:39 <shelikhoo> so GFW's DPI won't work 17:12:02 <dbarradas> I see, clever :) 17:12:47 <shelikhoo> but typically if you host something they don't like inside China, they will call operator in midnight to get it removed in 15 minutes 17:13:12 <shelikhoo> a call from an anonymous official 17:13:24 <shelikhoo> (may call in midnight) 17:13:43 <shelikhoo> okay, anything more we wants to discuss in this meeting?\ 17:14:24 <shelikhoo> #endmeeting