Tor Browser 13.5 doesn't show default Built-in bridges, is it a bug or a feature?

Radar451 · July 1, 2024, 3:01am

OS: Linux
Tor Browser Version: 13.5

The issue:
Updated Tor Browser to 13.5, but unlike previous versions, all of the default Built-in brigdes are not shown.
The … menu right to the “Built-in” text only have 1 option “Remove all bridges”.

Desired solution:
Show built-in bridges like before and make it editable.

But If this is a intended feature, I wish dev team could reconsider it.

My Reasons:

I live in a place with heavy censorship. In previous censor events i can tweak default Built-in bridges to make them work when internet is blocked,for example changing domain front. Please see the section about “Change the domain front” in the link below.

relevant link:

github.com/net4people/bbs

Snowflake domain front blocked in some ISPs in Iran; suggested workarounds

opened 05:42AM - 21 Jan 23 UTC

wkrp

Iran

The number of Snowflake users has decreased by about 20% since 2023-01-16, five …days ago. The cause has been determined to be [the blocking of the domain name cdn.sstatic.net](https://bugs.torproject.org/tpo/anti-censorship/team/115), which is the default for one of Snowflake's rendezvous methods. Snowflake currently supports two rendezvous methods: [domain fronting](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/b443e99417714a6d74c1cb8c6f5746b6dbd6fe1c/client/README.md#domain-fronting-https) and [AMP cache](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/b443e99417714a6d74c1cb8c6f5746b6dbd6fe1c/client/README.md#amp-cache). Accordingly, there are two ways to work around the blocking of the default front domain: change to a different front domain, or use the AMP cache rendezvous. AMP cache rendezvous is easier to activate, so I suggest trying that first. ## AMP cache rendezvous On Orbot and Onion Browser, you just have to select a menu option. On Tor Browser (desktop and Android), you have to enter a custom bridge line. [More information about changing bridges](https://tb-manual.torproject.org/bridges/) ([فارسی](https://tb-manual.torproject.org/fa/bridges/)). ### Orbot for Android 1. From the home screen, tap the **Use Bridges** toggle. 2. Select the option **Connect through other Tor users using Snowflake (Method 2 - AMP)**. 3. Go back to the home screen and tap **Start**. ### Orbot for iOS 1. Tap the **⚙️** icon (top right). 2. From the dropdown, select **Bridge Configuration**, then **Built-in snowflake (AMP)**. Then tap **Save**. 3. Go back to the home screen and tap **Start**. ### Onion Browser for iOS 1. Tap the **onion icon**. 2. From the dropdown, select **Bridge Configuration**, then **Built-in snowflake (AMP)**. 3. Tap **Connect**. ### Tor Browser for Android 1. Tap the **⚙️** icon. 2. Tap **Config Bridge**. Toggle **Use a Bridge** to "on", then tap **Provide a Bridge I know**. 3. Copy and paste this entire bridge address: `snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=www.google.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn` 4. Go back to the home screen and tap **Connect**. You can experiment with different Google-related domain names for `front=www.google.com`. For example, `front=cdn.ampproject.org`. ### Tor Browser for desktop 1. Click **≡** (hamburger menu) in the toolbar and then click **Settings**. 2. Click **Connection** in the sidebar, find the **Bridges** section, then click the **Add a Bridge Manually...** button. 3. Copy and paste this entire bridge address: `snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=www.google.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn` 4. It will start to connect automatically. Browse to a web page. Click the **View Logs...** button under **Advanced** to troubleshoot the connection if needed. You can experiment with different Google-related domain names for `front=www.google.com`. For example, `front=cdn.ampproject.org`. ## Change the domain front You can edit an existing bridge line that has `url=https://snowflake-broker.torproject.net.global.prod.fastly.net/`, and change `front=cdn.sstatic.net` to something else. [Here is a list of possible alternatives:](https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/40068#note_2767823) ``` front=fastly.jsdelivr.net front=foursquare.com front=www.shazam.com front=www.jimdo.com front=www.rvu.co.uk front=js.sentry-cdn.com front=www.drupal.org front=www.1stdibs.com front=www.filestack.com ``` For example, a complete bridge line would be `snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ front=fastly.jsdelivr.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn` [More information about changing bridges](https://tb-manual.torproject.org/bridges/) ([فارسی](https://tb-manual.torproject.org/fa/bridges/)). ## Evidence of blocking This graph shows the top 6 countries by Snowflake users. You can see a decrease in IR and US since 2023-01-16. We suspect many of the users that are being attributed to US are actually from IR, because of [geolocation errors](https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/40207#note_2844116). ![Snowflake users by country, January 2023](https://user-images.githubusercontent.com/41267675/213845419-505c35f4-b62f-4a95-894e-f55e937c0cdc.png) From [OONI MAT charts](https://github.com/net4people/bbs/issues/115), we see an increase in anomalies when attempting to use Snowflake, since 2023-01-16: https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=torsf&since=2023-01-06&until=2023-01-22&axis_x=measurement_start_day ![Iran, Tor test](https://user-images.githubusercontent.com/41267675/213845258-cb54652f-eefc-4b03-856b-26625310af54.png) Checking the Web Connectivity results for cdn.sstatic.net, we see anomalies starting 2023-01-16. [Examination of the specific measurements](https://explorer.ooni.org/search?since=2023-01-16&until=2023-01-21&probe_cc=IR&test_name=web_connectivity&domain=cdn.sstatic.net&failure=true) shows a timeout after TLS Client Hello in certain ISPs. https://explorer.ooni.org/chart/mat?probe_cc=IR&test_name=web_connectivity&domain=cdn.sstatic.net&since=2023-01-06&until=2023-01-22&axis_x=measurement_start_day ![Iran, Web connectivity test, cdn.sstatic.net](https://user-images.githubusercontent.com/41267675/213845276-94d1e2ab-9350-498d-965d-62a5b349a827.png)

In addition,in previous versions when i can seen the default Built-in bridges,I can also backup the default bridges easily, It might sounds strange to some but I really do need to backup the default bridges for legit reasons. But now since the bridges can not be seen, thus it can not be edited in Tor Browser. and I can not backup the bridges now.

I really appreciate the works of tor team and thank you for your hard works and constant helps in maintaining internet access freedom. I wish tor browser become better and better.
Thank you all.

morgan · July 6, 2024, 12:36am

The list of current default bridges can be found in the pt_config.json file in the tor-expert-bundle: Tor Project | Download Tor

Or more directly, it can be found in tor-browser-build’s gitlab repo here: projects/tor-expert-bundle/pt_config.json · main · The Tor Project / Applications / tor-browser-build · GitLab

In the future, you should really just be adding new bridge-lines via the Replace Bridges button in about:preferences#connection rather than modifying the browser’s core configuration.

donuts · July 8, 2024, 12:57pm

Hey @Radar451, thank you for the feedback. I’m curious how you were going about this workaround previously – I’m assuming you were:

Copying the built-in bridge address(es) from the bridge cards
Selecting “Add a Bridge Manually”
Pasting the built-in bridge address(es) here
Making the desired modifications
Hitting the OK/Connect button

Does that sound correct?

Radar451 · July 9, 2024, 7:13am

Thanks for replying.

The “replace bridge (used to be called ‘add bridges’)” function can not solve this problem alone. For I wish to backup and edit existing default built-in bridges used to be shown within Tor browser itself, which was shown to users before version 13.5.

And the reason for this is because I can not access to any of the links you provided without circumvention tools.

As I said there is a strong state censorship, thus I do not have direct access to most foreign websites, including not limited to Tor official website and any tor repos on gitlab.

So if I can not see the tor bridges within the Tor browser itself then I can not edit the domain-fronting for the workarounds as easy as before.

“rather than modifying the browser’s core configuration.”

I never edited core configuration files themselves.
Then still I known I can dig into tor configuration files to get the bridges but I don’t believe hiding the default bridges from users in the Tor browser itself,like version 13.5 ,is a good approach.

If it is for security concern, then I think this is “Security through obscurity” which is not good. Because it only hinder users like me to use workarounds easily. And State censors can always get the bridges by any other means. That is why i wish Tor dev team could reconsider it.

Radar451 · July 9, 2024, 7:41am

@donuts Thank you for replying.

Almost correct. Sorry i forgot to mention this. Clarifying my steps will make my issue more clearly. Thank you for reminding me.

My detailed steps are as follows:

1. Copying the built-in bridge address(es) from the bridge cards
2. Back up the copied built-in bridges
3. Edit the domain fronting of the copied built-in bridge address(es) 
4. Selecting “Add a Bridge Manually”
5. Pasting the modified built-in bridge address(es) here
6. Hitting the OK/Connect button

And with Tor browser 13.5. because I can not seen the default built-in bridges in Tor browser itself, I can not do the step one “Copying the built-in bridge address(es) from the bridge cards” as easily as before.

donuts · July 9, 2024, 1:14pm

Thanks @Radar451! Could you clarify one last thing for me please – what’s the purpose behind backing up built-in bridges, as you described here?

If you’d feel more comfortable doing so, please feel free to send me a direct message instead

donuts · July 10, 2024, 6:26pm

For reference I’ve opened an issue for this pain point on Gitlab, where we’ve began discussing potential workarounds:

Radar451 · July 11, 2024, 2:37am

@donuts Thank you for opening an issue in gitlab for me.

Sorry I might need to clear some confusion first.

There is no way to “edit” the built-in bridges

Sorry my use of word “Edit” here might created a misunderstanding. I don’t want a new feature created to edit the built-in bridges directly in tor browser. And I don’t wish to increase tor dev’s workload to add new feature. And I certainly don’t want Tor browser to be too bloated in this way.

What I meant is that I want to be able to use the workaround in the steps I mentioned like before : Copy the built-in bridges,then backup and edit them in a file. then add the edited bridge to Tor browser. So just be able to see and copy the default built-in bridges in Tor browser like previous versions is good enough for me.

what’s the purpose behind backing up built-in bridges, as you described here?

One reason that I backup bridges is so that i can edit domain fronting directly in another file and don’t have to always copy the built-in bridges from Tor browser.

the built-in bridges, since they change all the time.

This is another reason. I think it is reasonable to constantly change built-in bridges, and I agree that cycle around bridges is more censorship resilient. I believe this approach is good and I think Tor browser should keep doing it.

But a little problem is that in my previous experience, sometimes new bridges doesn’t work well like previous one, or in the worst case they might not work at all. But the old bridges might still works for some time. So if I have backup old bridges I would still have an option to bypass censorship.

I know it is not secure to use old bridges but atleast in this way I have free internet access, and I can also report issues and feedbacks regarding new updates. And I will be able to get new Tor browser updates if there is a new fix released.

One last reason to backup Built-in bridges in recent versions of Tor browser is that it will make it possible to share them with people who have very old version of Tor browser.

As the bridges in those very old version probably won’t work, and due to censorships they might not be able use the request bridges nor access to Tor official bridge pages, and they might not be able to get brdiges via E-mail neither. Also they might not have other means to bypass censorship to update their circumvention tools.

So sharing new built-in bridges in recent versions with them might give them workable bridges to gain free internet access, in doing so they can update their circumvention tools including Tor browsers to the latest versions.

donuts · July 11, 2024, 6:36pm

@Radar451 Thanks very much for the extra details! Judging by the direction of the conversation in Gitlab, it looks like we’ll be re-implementing the ability to copy built-in bridges addresses to your clipboard in the near future.