Help find a working method to circumvent the Internet shutdown method in Russia!

Recently they started testing a so-called “white-list”. At this moment it is being tested only by mobile providers. It already causes a lot of problems for mobile network users, but in the future it may be extended to other network providers.

How this method works: as you might have guessed from its name, it uses a white list of web sites and resources and blocks everything that is not on the list. Because of this, Tor bridges can’t be used (at least all my obfs4 bridges don’t work during shutdowns). Shutdowns don’t happen throughout the day, but only from seven in the evening until the morning. This is supposedly explained by the fight against drones, but since they are still flying without problems (because they use Starlink), the true reason might be testing strong censorship methods before implementing them to their full potential.

First I thought that it was just my bridges not working, but after a few days I realized that a working bridge always goes down at exactly the same time. I tested regular Internet on another device and found out that all clearnet connections are blocked except the ones leading to the white-listed resources.

I saved all Tor connection logs during many different failed connection attempts while shutdowns were in effect and provide them here in the hope that they will help find a working method to bypass the blocking. I once read that (probably) somewhere in China a method was invented for very similar blocking. It created a fake connection to a white-listed site but in fact redirected traffic to the real destination. Maybe this will work here too. I often had Tor connections that reached 95% and then got stuck (nothing was present in Onion Circuits at that time) (saved their logs too). This gives me hope that, at least for now, they don’t use some strong method that blocks literally all connection types, but maybe a lighter version that often lets a Tor connection reach 95%, so maybe there is enough surface left that we can use to bypass it. I’m not an IT expert in any way. Mostly a regular Tor user (maybe just a little more experienced since I have some experience using anonymous OSes), so don’t expect a lot from me. I’m just here to take the initiative to find a way around evil censorship. All hope lies with the community experts. :) Maybe someone at least knows more about that Chinese method and can provide more info. It would be good to know if this method can work with Tor or be implemented in Tor.

4 Likes

Attaching logs of snowflake built-in bridge connection attempts made while the shutdown was in effect:

  [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 1; recommendation warn; host FINGERPRINT at *********)
TIME... [warn] 1 connections have failed:
TIME... [warn] 1 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE
TIME... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 2; recommendation warn; host FINGERPRINT at ********)
TIME... [warn] 2 connections have failed:
TIME... [warn] 2 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE
TIME... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
TIME... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
TIME... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
TIME... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
TIME... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": offer created
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
... [notice] Managed proxy "/usr/bin/snowflake-client": broker failure read tcp [scrubbed]->[scrubbed]: read: connection reset by peer
...
...

I am not exactly sure what is being asked here. I read it as “How do I get to use Tor to bypass censorship?”

I operate a Snowflake proxy. I processed my logs for the last 2 weeks and see 1023 connections from RU out of 6960 connections; 183 were < 1 minute, so, to me, they are failed connections. IR is first with 2394 and RU is second. I don’t know how many tried and could not connect.

I also can’t tell you how to make a connection because I don’t know how it is done.

What I know is it starts with a connection to a broker which is snowflake-broker.torproject.net [37.218.242.175]. Is that blocked?

I offer a usable connection and the user makes a request for a connection. The broker handles the rest with some magic.

Hi and thank you for asking and sharing the log files.

Unfortunately I am far from the expertise that you look for.

https://en.m.wikipedia.org/wiki/Great_Firewall pretty well describes where China is these days as a potential blueprint for Russia. You are observing some techniques mentioned in the wiki, such as hindering the establishment of TCP connections and resetting those that exist.

(Please manually override IPs in logs. Fingerprints are fine)

So thankful for your valuable information.

Cheers

1 Like

Part of a log taken during an active, working connection when the shutdown started (I deleted all timestamps in advance. Please let me know if there is still any private information left in there):

[notice] Delaying directory fetches: No running bridges
... [notice] Failed to find node for hop #1 of our path. Discarding this circuit.
... [notice] Our circuit 0 (id: 1248) died due to an invalid selected path, purpose Unlinked conflux circuit. This may be a torrc configuration issue, or a bug.
... [warn] tor_bug_occurred_(): Bug: ../src/core/or/conflux_util.h:32: CIRCUIT_IS_CONFLUX: Non-fatal assertion circ->purpose != CIRCUIT_PURPOSE_CONFLUX_UNLINKED failed. (on Tor 0.4.8.15 )
... [warn] Bug: Tor 0.4.8.15: Non-fatal assertion circ->purpose != CIRCUIT_PURPOSE_CONFLUX_UNLINKED failed in CIRCUIT_IS_CONFLUX at ../src/core/or/conflux_util.h:32. Stack trace: (on Tor 0.4.8.15 )
... [warn] Bug: /usr/bin/tor(log_backtrace_impl+0x57) [0x6361f1e521d7] (on Tor 0.4.8.15 )
... [warn] Bug: /usr/bin/tor(tor_bug_occurred_+0x169) [0x6361f1e5d139] (on Tor 0.4.8.15 )
... [warn] Bug: /usr/bin/tor(circuit_describe_status_for_controller+0x42b) [0x6361f1f23b3b] (on Tor 0.4.8.15 )
... [warn] Bug: /usr/bin/tor(control_event_circuit_status+0xbd) [0x6361f1f1fd0d] (on Tor 0.4.8.15 )
... [warn] Bug: /usr/bin/tor(circuit_close_all_marked+0x17d) [0x6361f1ecb43d] (on Tor 0.4.8.15 )
Sep 24 18:18... [warn] Bug: /usr/bin/tor(+0x70349) [0x6361f1dd7349] (on Tor 0.4.8.15 )
... [warn] Bug: /lib/x86_64-linux-gnu/libevent-2.1.so.7(+0x21482) [0x7a8ae4610482] (on Tor 0.4.8.15 )
... [warn] Bug: /lib/x86_64-linux-gnu/libevent-2.1.so.7(event_base_loop+0x49f) [0x7a8ae4610c1f] (on Tor 0.4.8.15 )
... [warn] Bug: /usr/bin/tor(do_main_loop+0xf1) [0x6361f1dd86c1] (on Tor 0.4.8.15 ) 

Now I’m trying to find a way to get the list of all white-listed sites and to find out how to see what addresses are also used while a connection to these sites is being established. You know, when you connect to any site, a lot of addresses flash in the corner of the browser. These are the addresses of other sites that are involved in providing the connection to this one. Meek works using this feature. It fakes a connection to such an address and redirects it to the bridge. I want to see if there is any such address that can be used with meek. If anyone already knows a method to see this information, it could potentially save me a lot of time searching.

1 Like

Is the Yandex cloud service reachable during the shutdown?

I will check it. In theory it should be, since Yandex search (and supposedly its services) is in the white list.

Re-attaching logs of built-in meek-azure bridge connection attempts. Removed timestamps and fingerprints for privacy purposes.

[warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 1; recommendation warn; host FINGERPRINT at *********)
... [warn] 1 connections have failed:
... [warn] 1 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [notice] New control connection opened.
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 2; recommendation warn; host FINGERPRINT at ********)
... [warn] 2 connections have failed:
... [warn] 2 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 3; recommendation warn; host FINGERPRINT at ********)
... [warn] 3 connections have failed:
... [warn] 3 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 4; recommendation warn; host FINGERPRINT at **********)
... [warn] 4 connections have failed:
... [warn] 4 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 5; recommendation warn; host FINGERPRINT at ********)
... [warn] 5 connections have failed:
... [warn] 5 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 6; recommendation warn; host FINGERPRINT at *********)
... [warn] 6 connections have failed:
... [warn] 6 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 7; recommendation warn; host FINGERPRINT at ********)
... [warn] 7 connections have failed:
... [warn] 7 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 8; recommendation warn; host FINGERPRINT at ********)
... [warn] 8 connections have failed:
... [warn] 8 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 9; recommendation warn; host FINGERPRINT at **********)
... [warn] 9 connections have failed:
... [warn] 9 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 10; recommendation warn; host FINGERPRINT at *********)
... [warn] 10 connections have failed:
... [warn] 10 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (unexpected eof while reading; TLS_ERROR; count 11; recommendation warn; host FINGERPRINT at *********)
... [warn] 11 connections have failed:
... [warn] 11 connections died in state handshaking (TLS) with SSL state error in HANDSHAKE
... [notice] New control connection opened.

Use WebTunnel bridges with SNI spoofing enabled.
Latest lyrebird has SNI spoofing functionality.

1 Like

I use Whonix in Qubes OS. Webtunnel is unsupported in Whonix.

Then maybe you should modify the Tor install on Whonix to support WebTunnel bridges?

WebTunnel is unavailable from packages.debian.org. It is therefore difficult and maintenance time-intensive for Whonix to install WebTunnel in Whonix by default.

Build lyrebird from source and modify the Tor install.

Or… try Tails OS. It can be booted from removable media.

I tried it. Strangely, Yandex cloud didn’t work for me, despite the fact that they say all Yandex services are white-listed. Maybe it also depends on the ISP. Here’s the list of white-listed services (hope you know Russian. If not, you can easily use an online translator. There are no difficult words there). Not sure if it’s full, but it’s big.

In the context of what I said earlier, I would focus specifically on such services as VK Video, Rutube, online cinemas, the weather service Gismeteo, Yandex services (though Yandex search and cloud didn’t work for me), and VK services. In principle, it could be almost anything. Hopefully it will be useful information for technically skilled guys. I am trying it myself too, but I need to know how to get such information first (I mean, how to discover all services that participate in the connection to a specific white-listed site).

1 Like

I tried Webtunnel on another device. Took a few Webtunnel bridges from bridges.torproject.org. Don’t know if SNI spoofing was enabled, since there were no buttons for enabling/disabling it and no signs showing whether it is enabled. I just pasted those Webtunnel bridges that the official site provided by default. All of them failed. “General SOCKS 5 server failure”.

Toraddicted

I finally found time to find out how to watch all third-party sites that participate in connecting to a white-listed site. I checked a number of sites from that white list and found a number of addresses which I consider promising. I highlighted them in bold type. I saved all addresses that were not related to the white-listed site. If some were repeated, I didn’t write them again. As I understood, sites with “CDN” in the address are of particular importance. Now it’s up to the specialists to tell whether there are addresses that can be used in a meek bridge to slip through the firewall. If there are no suitable ones there, then I’m asking for advice on what addresses I should pay more attention to in the future. What distinctive features should they have? So that I don’t waste time going through all the websites.

And now the list of all addresses that I found (first goes the name of the white-listed site, then the list of all third-party sites that participated in connecting to it):

VK:
https://tns-counter.ru/
https://top-fwz1.mail.ru/
https://r0.mradx.net/
https://sun6-23.userapi.com
https://r3.mail.ru/
https://stats.vk-portal.net/

Rutube:
https://yastatic.net/
https://cdn.uxfeedback.ru/
https://api.expf.ru/
https://www.googletagmanager.com/
https://fb-cdn.premier.one/
https://cdn.uxfeedback.ru/
https://code.createjs.com/
https://banners.adfox.ru/
https://ads.adfox.ru/
https://data.24smi.net/
https://fonts.googleapis.com/
https://cdn.uxfeedback.ru/
https://api.expf.ru/
https://ads.adfox.ru/
https://ad.adriver.ru/
https://data.24smi.net/
https://ad.adriver.ru/

VK Video:
https://sb.scorecardresearch.com/

ok.ru:
https://st-ok.cdn-vk.ru/
https://st.okcdn.ru/
https://www.google-analytics.com/
https://stats.g.doubleclick.net/
https://privacy-cs.mail.ru/

Wildberries:
https://static-basket-01.wbbasket.ru/
https://a.wb.ru/
https://splitter.wb.ru/

Avito:
https://tube.buzzoola.com/
https://content.adriver.ru/
https://static.a.mts.ru/
https://st.hybrid.ai/
https://fp.hybrid.ai/
https://bobid-ip.hybrid.ai/
https://taglitics.com/src
https://cm.g.doubleclick.net/
https://cr-frontend.weborama-tech.ru/
https://eye.targetads.io/
https://ads.betweendigital.com/
https://cr-frontend.weborama-tech.ru/
https://eye.targetads.io/
https://ads.betweendigital.com/
https://x.bidswitch.net/
https://gw-iad-bid.ymmobi.com
https://us.ck-ie.com/
https://s.ad.smaato.net/
https://x01.aidata.io/
https://pixel.onaudience.com/
https://u.openx.net/
https://a.bringads.ru/
https://ib.adnxs.com/
https://inv-nets.admixer.net/
https://dmg.digitaltarget.ru/
https://bh.contextweb.com
https://ads.betweendigital.com
https://ap.lijit.com/
https://visitor-betweenx.omnitagjs.com/
https://sync.dmp.otm-r.com/
https://fonts.gstatic.com/

P.S. Had to use the quote feature since I couldn’t use bold type together with the preformatted text feature.
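The poster collected the list above by hand. As an added example (not code from the thread), the script below does the same job from a HAR file, which every major browser's developer tools can export from the network panel: it groups the hosts each page loaded and separates first-party hosts from the rest. The HAR fragment is constructed for the example, using hosts from the list above.

```python
"""List the third-party hosts a page pulls in while it loads, from a HAR export.
Added example, not from the thread. Browser developer tools can save the
network panel as a HAR (JSON) file; this groups every requested host by the
page that loaded it and separates first-party hosts from the rest, which is
the information the poster collected by hand."""
import json
from urllib.parse import urlsplit

def registrable(host):
    """Crude eTLD+1 (last two labels); fine for .ru/.com, wrong for e.g. co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_party_hosts(har_text):
    """Map each HAR page to its first-party domain and the other hosts it loaded.

    Assumption: the first entry recorded for a page is the page's own document,
    so its host defines the first party (true for a normal navigation)."""
    log = json.loads(har_text)["log"]
    pages = {}
    for entry in log.get("entries", []):
        host = urlsplit(entry["request"]["url"]).hostname
        if not host:
            continue
        page = pages.setdefault(
            entry.get("pageref", "page_0"),
            {"first_party": registrable(host), "third_party": set()})
        if registrable(host) != page["first_party"]:
            page["third_party"].add(host)
    # The poster singled out hosts with "cdn" in the name, so list those separately.
    return {ref: {"first_party": p["first_party"],
                  "third_party": sorted(p["third_party"]),
                  "cdn_like": sorted(h for h in p["third_party"] if "cdn" in h)}
            for ref, p in pages.items()}

# Constructed HAR fragment (not a real capture); hosts taken from the thread's list.
SAMPLE_HAR = json.dumps({"log": {"pages": [{"id": "page_1"}], "entries": [
    {"pageref": "page_1", "request": {"url": "https://vk.com/"}},
    {"pageref": "page_1", "request": {"url": "https://vk.com/css/al.css"}},
    {"pageref": "page_1", "request": {"url": "https://tns-counter.ru/a.js"}},
    {"pageref": "page_1", "request": {"url": "https://sun6-23.userapi.com/img.jpg"}},
    {"pageref": "page_1", "request": {"url": "https://st-ok.cdn-vk.ru/x.css"}},
]}})

if __name__ == "__main__":
    for ref, info in third_party_hosts(SAMPLE_HAR).items():
        print(ref, info["first_party"], "->", ", ".join(info["third_party"]))
```

A host appearing in this output only means the white-listed page loaded it; whether that host is itself reachable during a shutdown is a separate check.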

@Toraddicted Unfortunately, no matter what SNI you ‘fake’, it won’t work because the bridges’ IPs are not whitelisted. Remember, it’s a whitelist, not a blacklist (when the mobile-whitelist-mode is turned on).

So it doesn’t matter what bridge type you use in that case… Also, I honestly don’t think that it’s SNI-filtering, but rather just whitelisted IPs.

More context here. I think you’d be best off using a regular internet connection (not mobile).

Sometimes different mobile service providers behave differently (but that’s very unreliable…). There might be wi-fi places around you, etc… ;)

Just as a note: obfs4 bridges might not work on mobile networks (when the whole internet is accessible); if anyone’s experiencing that, there are workarounds for that specifically though (when there’s no whitelist).

I really hope that the whitelist-block won’t be extended into other internet fields. (and that it would be deleted asap)

1 Like

And I did not bet on Webtunnel bridges. I bet on meek bridges, since they can fake a connection to some specific site. That’s why I published here the addresses of all third-party sites that participate in connecting to the white-listed site. So what does it mean? That they’re white-listed too.

1 Like

And I forgot to say: speaking about obfs4 bridges, they can reach different percentages of connection progress during the shutdown. Sometimes it’s 95% and it says “downloaded all needed circuit info” (don’t remember the exact phrase, but it has this meaning). If it could download some info, then it means that something there could break through the firewall somehow. So everything is not as simple as it seems.

1 Like

I tried to use a meek bridge, composing it as suggested in this article but replacing the original front= address with the one which I got from my little research above. Got this line as a result:

meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google-analytics.com

But Whonix’s Anon Wizard says that I should enter a correct bridge and that what I entered is incorrect. Are custom meek bridges unsupported now, or did I compose the line incorrectly? Let me know if so. I believe a meek bridge composed on this principle should break through this f***ing firewall.

1 Like

Is the obfs4 bridge iat mode involved in your observation, either on the bridge or the client side?

Does the bridge line you enter end with a higher value than iat=0, like 1 or 2?