[tor-project] Anti-censorship team meeting notes, 2025-03-13

--------------------------------
Anti-censorship
--------------------------------

Next meeting: Thursday, March 20 16:00 UTC
Facilitator: shelikhoo
^^^(See Facilitator Queue at tail)

Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC
(channel is logged while meetings are in progress)

This week's Facilitator: onyinyang

== Goal of this meeting ==

Weekly check-in about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community.

== Links to Useful documents ==
* Our anti-censorship roadmap:
* Roadmap:Development · Boards · Anti-censorship · GitLab
* The anti-censorship team's wiki page:
* Home · Wiki · The Tor Project / Anti-censorship / Team · GitLab
* Past meeting notes can be found at:
* The tor-project Archives
* Tickets that need reviews: from projects, we are working on:
* All needs review tickets:
* Merge requests · Anti-censorship · GitLab
* Project 158 <-- meskio working on it
* Issues · Anti-censorship · GitLab

== Announcements ==

 \*

== Discussion ==

 \* snowflake dependencies need go 1\.23
     \* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/510#note_3163693
     \* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/529
     \* should we update it?
     \* go 1\.23 is already in debian backports
     \* Tor Browser is already using go 1\.23?
         \* no, Tor Browser is staying on 1\.21 on macOS until ESR 140, due June 2025
     \* we will hold off on the dependency updates \(which contain changes we believe do not affect us\) until after ESR 140 and Tor Browser updating to go 1\.23
         \* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/536
         \* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/527
 \* should we change default relay pattern policy on snowflake broker
     \* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40454#note_3172488
     \* we still have relays that have not updated since we added support for multiple bridges
     \* The purpose of the allowed relay pattern check at the broker is not to avoid surprising proxy operators by connecting to a new relay destination; it's because old proxies that do not send a relay pattern to the broker cannot connect to any other relay destination\. They have snowflake\.torproject\.net hardcoded and do not know how to connect to any other relay\. If a client were to request a connection to the snowflake\-02 relay, and was assigned such an old proxy, the proxy would connect to snowflake\-01 anyway, and leave the client with a Tor fingerprint mismatch error\.
     \* Therefore adjusting the presumedPatternForLegacyClient on the broker to accept old proxies would not work\. Old proxies \(that don't support relay patterns\) would start getting clients again, but any clients that request a relay other than snowflake\-01 would get failed connections\.
     \* There's no facility on the broker to, say, match old proxies only with those clients that happen to request snowflake\-01\. Once a proxy is in the pool, it's treated equally to all other proxies\. Such a matching facility could conceivably be implemented, but none currently exists\. It may not be worth the complexity anyway\.
     \* The intention therefore was that the broker simply reject old proxies \(that do not send a relay pattern\)\. That is, in effect, what is now happening, but it happens by a roundabout way: proxy polls and doesn't set an allowed relay pattern → broker assigns a default allowed relay pattern that never works → broker rejects the proxy poll because of the relay pattern mismatch\.
     \* The downsides of the status quo are that \(1\) the broker logs are full of "rejected relay pattern from proxy" errors, and \(2\) the old proxies just keep on uselessly polling\.
     \* Consensus for dealing with the current situation:
         \* Make the broker code more straightforward with respect to rejecting old proxies: do it at an early stage, don't even bother assigning a default relay pattern to them \(and remove the code that does\)\.
         \* Update metrics/logging\. Disable the "rejected relay pattern from proxy" at the broker, and just keep it as a metrics counter\.
     \* For the future, it would be handy if there were a feature whereby the broker, by sending a specific kind of response to a proxy, could cause the proxy to disable itself \(say, stop polling for 24h\) and log a visible message to the operator\. In effect, we could push the "rejected relay pattern from proxy" error out to the proxy logs, which would \(1\) stop proxies that only support an obsolete protocol from uselessly polling, and \(2\) inform the operator and encourage them to upgrade\.
         \* In the absence of such a feature, it might be possible to find a way to crash old proxies by sending a specific kind of broker response\. For example, an overlong HTTP body, or a JSON unmarshaling error\. Even if it is not possible to convey a reason why it is happening to the proxy operator, it might get the operators attention, and at least reduce unhelpful polling volume\.
         \* One complication with this idea: some proxies are running in a container, or similar, and are configured to auto\-restart after they exit\. Proxies that work this way might paradoxically increase their effective polling rate if remotely disabled, because there's no interval rate limiting on the first poll\.
         \* Even so, if we find such a "disable" broker response, we could try having the broker send it to old proxies \(those that don't support relay patterns\) for 1h\. The ones that are configured to restart will restart, but the one that are not will stop operating\.
         \* Related issue: "Let the broker inform proxies how often to poll" https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/25598. The broker could send a time many hours in the future\. This would help with reducing the polling rate, even if it does not result in the proxy log message\.
     \* A standalone proxy auto\-update mechanism could be an alternative or addition to support for a broker "disable" signal\.

== Actions ==

== Interesting links ==

 \*

== Reading group ==

 \* We will discuss "" on
     \*
     \* Questions to ask and goals to have:
         \* What aspects of the paper are questionable?
         \* Are there immediate actions we can take based on this work?
         \* Are there long\-term actions we can take based on this work?
         \* Is there future work that we want to call out in hopes that others will pick it up?

== Updates ==
Name:
This week:
- What you worked on this week.
Next week:
- What you are planning to work on next week.
Help with:
- Something you need help with.

cecylia (cohosh): 2025-03-13
Last week:
- wrote and deployed a CPU and goroutine profiling patch for the snowflake broker (snowflake#40447)
- found a potential performance improvement related to mutexes (snowflake#40458)
- confirmed that congestion isn't the cause of sqs rendezvous errors (snowflake#4036)
- found source of "rejected relay pattern" log messages (snowflake#40454)
- modified broker metrics to show client polls that timed out (snowflake!530)
- reviewed merge requests
- helped with conjure pt work
This week:
- support conjure work
- follow up on snowflake rendezvous failures
- reduce/remove use of mutexes for broker metrics (snowflake#40458)
- set absolute time limit on broker http responses (snowflake40449)
- snowflake proxy release
- take a look at potential snowflake orbot bug
- [BUG] 20% CPU overhead in kindness mode · Issue #1183 · guardianproject/orbot-android · GitHub
- maybe do some lox work

dcf: 2025-03-13
Last week:
- snowflake VPS hosting bookkeeping Changes · Snowflake costs · Wiki · The Tor Project / Anti-censorship / Team · GitLab
Next week:
- open issue to have snowflake-client log whenever KCPInErrors is nonzero Deploy snowflake-server for QueuePacketConn buffer reuse fix (#40260) (#40262) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
- parent: Improve bug discovery process (#40267) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
Help with:

meskio: 2024-03-13
Last week:
- set up snowflake proxies with coverdtls (snowflake!448)
- investigate why our email distributor is not handing out emails (rdsys#260)
- debug gitlab container proxy (snowflake!522)
- investigate why users get bridges with local addresses (team#156)
Next week:
- steps towards a rdsys in containers (rdsys#219)
- investigate rdsys distributing local addressed bridges (team#156)

Shelikhoo: 2024-03-13
Last Week:
- [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( Draft: Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (!315) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab ) testing environment setup/research
- Vantage Point maintaince
- Merge request reviews
Next Week/TODO:
- Merge request reviews
- [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( Draft: Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (!315) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab ) improvements
- Snowflake Staging Server Discussion(Setup Snowflake Staging Server (#42080) · Issues · The Tor Project / TPA / TPA team · GitLab)
- Vantage Point maintaince

onyinyang: 2025-03-13
Last week(s):
- continued work on ampcache registration method for conjure
- WIP MR: [WIP] Adding AMP Cache registrar to conjure by onyiny-ang · Pull Request #1 · cohosh/conjure · GitHub
- Add AMP Cache registration Method to Conjure (!34) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / conjure · GitLab
- lox issuer efficiency merged!
Next week:
- HACS/Zkproofs/OSCW/RWC
- finish up ampcache registration method
- Begin work on decoy registration option
- review Tor browser Lox integration
- Bug 43096: Move to Rust for the Lox integration (!1300) · Merge requests · The Tor Project / Applications / Tor Browser · GitLab
- add TTL cache to lox MR for duplicate responses:
Enable repeat responses to successful Lox requests (!305) · Merge requests · The Tor Project / Anti-censorship / lox · GitLab
As time allows:
- Work on outstanding milestone issues:
- key rotation automation

     Later:
     pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096):
         \- add pref to handle timing for pubkey checks in Tor browser
         \- add trusted invitation logic to tor browser integration:

- improve metrics collection/think about how to show Lox is working/valuable
- sketch out Lox blog post/usage notes for forum

 \(long term things were discussed at the meeting\!\):
     \- brainstorming grouping strategies for Lox buckets \(of bridges\) and gathering context on how types of bridges are distributed/use in practice
         Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people?
             1\. Are there some obvious grouping strategies that we can already consider?
                 e\.g\., by PT, by bandwidth \(lower bandwidth bridges sacrificed to open\-invitation buckets?\), by locale \(to be matched with a requesting user's geoip or something?\)
             2\. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges \(and untrusted users have access to 1\)? More? Less?

theodorsm: 2025-03-06
Last weeks:
- Implementing key_share extension support in covert-dtls
- Implementing mimicking DTLS 1.3 extensions
- Debugging Tor Build with covert-dtls: Add covert-dtls to proxy and client (!448) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
Next weeks:
- Update MR with new covert-dtls version.
- Write instructions on how to configure covert-dtls with snowflake client
- Fix merge conflicts in MR (Add covert-dtls to proxy and client (!448) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab).
- Condensing thesis into paper (on hold)
Help with:
- Test stability of covert-dtls in snowflake

Facilitator Queue:
onyinyang shelikhoo meskio
1. First available staff in the Facilitator Queue will be the facilitator for the meeting
2. After facilitating the meeting, the facilitator will be moved to the tail of the queue

--
---
onyinyang

GPG Fingerprint 3CC3 F8CC E9D0 A92F A108 38EF 156A 6435 430C 2036