Hey everyone!
Here are our meeting logs:
And our meeting pad:
Anti-censorship work meeting pad
···
--------------------------------
Anti-censorship
--------------------------------
Next meeting: Thursday, Aug 28 16:00 UTC
Facilitator: meskio
^^^(See Facilitator Queue at tail)
Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC
(channel is logged while meetings are in progress)
This week's Facilitator: shelikoo
== Goal of this meeting ==
Weekly check-in about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community.
== Links to Useful documents ==
* Our anti-censorship roadmap:
* Roadmap:Issue Boards · Development · Boards · Anti-censorship · GitLab
* The anti-censorship team's wiki page:
* Home · Wiki · The Tor Project / Anti-censorship / Team · GitLab
* Past meeting notes can be found at:
* The tor-project Archives
* Tickets that need reviews: from projects, we are working on:
* All needs review tickets:
* Merge requests · Anti-censorship · GitLab
* Project 158 <-- meskio working on it
* Issues · Anti-censorship · GitLab
== Announcements ==
== Discussion ==
\* snowflake minimum go version updated to 1\.23
\* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/606#note_3243116
\* go1\.23 means we can switch back to mainline uTLS, rather than using our current custom\-patched uTLS
\* Doesn't interfere with Tor Browser build requirements\. Tor Browser uses lyrebird, which uses snowflake as a library\. "As long as the client library doesn't require go1\.23 or higher, it will still build with the current version of snowflake with go1\.22\."
\* We can update the version of go used in lyrebird in September 2025, which is when Tor Browser based on Firefox 140 is scheduled\.
== Actions ==
== Interesting links ==
\* Analysis of the GFW's Unconditional Port 443 Block on August 20, 2025
\* https://gfw.report/blog/gfw_unconditional_rst_20250820/en/
\* Can You Hear me? A First Study Of VoIP Censorship Techniques In Saudi Arabia And The UAE
\* https://www.eurosp2025.ieee-security.org/program.html#paper174
\* Talks about STUN protocol fingerprinting
\* Not online anywhere yet as far as I can tell, PDF at https://share.riseup.net/#v0RjsGn_2EKLle6QxICj2g
== Reading group ==
\* We will discuss "IRBlock: A Large\-Scale Measurement Study of the Great Firewall of Iran" on September 11
\* https://www.petsymposium.org/foci/2025/foci-2025-0016.pdf
\* Questions to ask and goals to have:
\* What aspects of the paper are questionable?
\* Are there immediate actions we can take based on this work?
\* Are there long\-term actions we can take based on this work?
\* Is there future work that we want to call out in hopes that others will pick it up?
== Updates ==
Name:
This week:
- What you worked on this week.
Next week:
- What you are planning to work on next week.
Help with:
- Something you need help with.
cecylia (cohosh): 2025-08-21
Last week:
- lots of reviewing MRs
- deployed a new version of the broker:
- fixes a bug in prometheus snowflake_proxy_total stats
- fixes a bug in snowflake metrics proxy unique IP counts
- adds country stats to client-ampcache-ips
- worked on data races in our safeprom library and snowflake broker
- ptutil!6
- snowflake!617
- fixed some issues with the CI pipeline
Next week:
- follow up on snowflake rendezvous failures
- take a look at potential snowflake orbot bug
- [BUG] 20% CPU overhead in kindness mode · Issue #1183 · guardianproject/orbot-android · GitHub
dcf: 2025-08-21
Last week:
- opened a refactoring merge request in the snowflake broker (thanks cohosh) Refactor displayCountryStats (!608) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
- fixed a slight information leak in snowflake broker country stats (thanks cohosh) Bin country stats before sorting, not after (!609) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
Next week:
- open issue to have snowflake-client log whenever KCPInErrors is nonzero Deploy snowflake-server for QueuePacketConn buffer reuse fix (#40260) (#40262) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
- parent: Improve bug discovery process (#40267) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab
Help with:
meskio: 2024-08-21
Last week:
- restore /bridges in telegram distributor (team#146)
- work with TPA to improve prometheus anti-censorship alerts
- many merge reviews
Next week:
- AFK
Shelikhoo: 2024-08-21
Last Week:
- [Testing] Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (cont.)( Draft: Unreliable+unordered WebRTC data channel transport for Snowflake rev2 (!315) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab ) testing environment setup/research
- [Merge Request] Create new webtunnel release(STALLED BY ISSUE BELOW)(Draft: Generate Release v0.0.3 (!30) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / WebTunnel · GitLab)
- Unexpected Gitlab Runner Failure from Rate Limiting (Unexpected Gitlab Runner Failure from Rate Limiting (#42245) · Issues · The Tor Project / TPA / TPA team · GitLab)
- Merge request reviews
- [Review Reworked] Draft: Feature / SNI spoofing functionality for WebTunnel PT (Feature / SNI spoofing functionality for WebTunnel PT (!124) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / lyrebird · GitLab)
Next (working) Week/TODO:
- Merge request reviews
- Support the Testing of domain fronting sites ( Support the Testing of domain fronting sites (#6) · Issues · The Tor Project / Anti-censorship / Connectivity Measurement / logcollector · GitLab ) (cont.)
- [Deploy] Add Domain Fronting Test Support to probeobserver
- Create webtunnel release v0.0.3(stalled)
- [Merge Request]Draft: Feature / SNI spoofing functionality for WebTunnel PT
onyinyang: 2025-08-21
Last week(s):
- Deployed fix for: Bridge testing gives timeout (#249) · Issues · The Tor Project / Anti-censorship / rdsys · GitLab
Fix + Logs to pinpoint #249 bug (!562) · Merge requests · The Tor Project / Anti-censorship / rdsys · GitLab
- Started looking into and implemented (partial?) fix for uneven bridge distribution issue:
Bridges website hitting a error while fetching bridges with WebTunnel pluggable transport (#262) · Issues · The Tor Project / Anti-censorship / rdsys · GitLab
Next week:
- Deploy !562 and look further into uneven bridge distribution issue: Bridges website hitting a error while fetching bridges with WebTunnel pluggable transport (#262) · Issues · The Tor Project / Anti-censorship / rdsys · GitLab
- Visualizations for flickering bridges
- Lox still seems to be filling up the disk on the rdsys-test server despite changes made to delete old entries, look into what's going wrong
Switch back to some of these:
As time allows:
Blog post for conjure: Set up a more permanent Conjure bridge (#46) · Issues · The Tor Project / Anti-censorship / Pluggable Transports / conjure · GitLab
- review Tor browser Lox integration Bug 43096: Move to Rust for the Lox integration (!1300) · Merge requests · The Tor Project / Applications / Tor Browser · GitLab
- add TTL cache to lox MR for duplicate responses:
Enable repeat responses to successful Lox requests (!305) · Merge requests · The Tor Project / Anti-censorship / lox · GitLab
\- Work on outstanding milestone issues:
\- key rotation automation
Later:
pending decision on abandoning lox wasm in favour of some kind of FFI? https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43096):
\- add pref to handle timing for pubkey checks in Tor browser
\- add trusted invitation logic to tor browser integration:
- improve metrics collection/think about how to show Lox is working/valuable
- sketch out Lox blog post/usage notes for forum
\(long term things were discussed at the meeting\!\):
\- brainstorming grouping strategies for Lox buckets \(of bridges\) and gathering context on how types of bridges are distributed/use in practice
Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people?
1\. Are there some obvious grouping strategies that we can already consider?
e\.g\., by PT, by bandwidth \(lower bandwidth bridges sacrificed to open\-invitation buckets?\), by locale \(to be matched with a requesting user's geoip or something?\)
2\. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges \(and untrusted users have access to 1\)? More? Less?
theodorsm: 2025-06-12
Last weeks:
- Applying for funding from NLnet to implement DTLS 1.3 in Pion. Got through the first round.
- Writing paper for FOCI: continuation of master thesis about reducing distinguishability of DTLS in Snowflake by implementing covert-dtls, further analysis of collected browser fingerprint and stability test of covert-dtls in snowflake proxies. Draft: https://theodorsm.net/FOCI25
- Key takeaways:
* covert-dtls is stable when mimicking DTLS 1.2 handshakes, while the randomization approach— though more resistant to fingerprinting — tends to be less stable.
* Chrome webextensions are more unstable than standalone proxies
* covert-dtls should be integrated in Snowflake proxies as they produce the ClientHello messages during the DTLS handshake.
* Chrome randomizes the order of extension list.
* Firefox uses DTLS 1.3 by default in WebRTC.
* A prompt adoption of DTLS 1.3 in both Snowflake and our fingerprint-resistant library is needed to keep up with browsers
* The evolution of browsers’ fingerprints had no noticeable effect on Snowflake’s number of daily users over the last year.
* Even with a sharp drop in the amount of proxies, it does not seem to affect the number of Snowflake users.
* Browser extensions make Snowflake resistant to ClientHello fingerprinting.
* Standalone proxies can serve more Snowflake clients per volunteer than webextensions.
* We need metrics on which types of proxies are actually being matched and successfully used by clients.
Next weeks:
- Getting paper camera ready.
- Fix merge conflicts in MR (Add covert-dtls to proxy and client (!448) · Merge requests · The Tor Project / Anti-censorship / Pluggable Transports / Snowflake · GitLab).
Help with:
- Should we do user testing of covert-dtls?
Facilitator Queue:
meskio onyinyang shelikhoo
1. First available staff in the Facilitator Queue will be the facilitator for the meeting
2. After facilitating the meeting, the facilitator will be moved to the tail of the queue