Anti-censorship team report: July 2020
Tor's anti-censorship team writes monthly reports to keep the world updated on its progress. This blog post summarizes the anti-censorship work we got done in July 2020. Let us know if you have any questions or feedback!
Snowflake
-
Rolled out a feature to match up Snowflake proxies and clients based on their NAT type. This will drastically improve performance for Snowflake clients behind restrictive NATs.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/34129 -
Added more STUN servers to default configuration in Tor Browser. This solves two issues: it allows clients to perform NAT type discovery to be matched up with more compatible proxies, and it unblocks Snowflake in areas that block access to Google's STUN servers.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30579 -
Adapted Snowflake CI to the new GitLab instance.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40003 -
Investigated proxy-go timeouts.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/30498 -
Fixed a small bug that could cause infinite hangs in Snowflake proxies and clients.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40005 -
Worked on a docker container for easy deployment of Snowflake proxies.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40002 -
Moved forward with our Android app UI.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-mobile/-/issues/11
BridgeDB
-
Fixed a critical bug that prevented BridgeDB from reloading bridge descriptors every 30 minutes, as it's supposed to. This bug significantly delayed the time until a new bridge was handed out to users. Hopefully, the patch will result in bridge operators seeing more users.
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/40001 -
We are spending an increasing amount of time planning and experimenting with a reimplementation of BridgeDB. The reimplementation will make it easier to integrate new components like bridgestrap and new distributors like Salmon.
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/32900 -
Added internal metrics to BridgeDB's metrics. You can find the latest internal metrics here:
https://collector.torproject.org/recent/bridgedb-metrics/
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/31422 -
Wrote a patch that helps BridgeDB take into account bridge reachability measurements from wolpertinger.
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/34260 -
Fixed incorrect and missing parts in BridgeDB's metrics specification.
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/40003 -
Fixed a broken link in BridgeDB's README and ported BridgeDB's "make pylint" target to Python 3.
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/33647 -
Fixed a bug that would confuse BridgeDB when it dealt with Gmail's quoted responses.
https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/33835 -
Made progress on creating a research plan for understanding the issues that users run into when interacting with BridgeDB.
https://gitlab.torproject.org/tpo/ux/research/-/issues/4
Miscellaneous
-
Simplified bridgestrap's code base and fixed a bug in its caching system.
https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/ -
Merged a volunteer-provided bridge setup guide for Windows.
https://community.torproject.org/relay/setup/bridge/windows/
Comments
Please note that the comment area below has been archived.
caching* Speaking of…
caching*
Speaking of censorship. Where are all the new comments on the other posts at? Been 2 weeks. Other than that, great work, though I feel dissociated.
Thanks, fixed.
Thanks, fixed.
Thanks for posting this!…
Thanks for posting this! Hope you keep updating us about anti-censorship team's progress.
Some questions about snowflake: Does the broker still hand out proxy-go instances more than the WebExt ones? I feel like snowflake got way too slow in the last months, I don't know if I mostly get WebExt ones or proxy-go instances but it seems that whenever I connect to a snowflake my connection to one snowflake gets cut off way too quickly with some while for others it stays for a long time (and I'm not from a censored country AFAICT).
> Added more STUN servers to default configuration in Tor Browser.
Can I just go and edit my torrc to this new one or I must have the new `snowflake-proxy`? Looking at the code I believe one must choose a single random one if one doesn't have the new `snowflake-proxy`.
> This will drastically improve performance for Snowflake clients behind restrictive NATs.
Very good news, looking forward to testing it! When's the next Tor Browser alpha coming with the new `snowflake-proxy`?
This change will be…
This change will be automatically available in the next Tor Browser alpha release (which should be next week for desktop alphas, but we're unsure about mobile). In the meantime, you can manually edit your torrc file. See here for the changes we made to the snowflake configuration: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merg…
> Does the broker still…
> Does the broker still hand out proxy-go instances more than the WebExt ones? I feel like snowflake got way too slow in the last months, I don't know if I mostly get WebExt ones or proxy-go instances but it seems that whenever I connect to a snowflake my connection to one snowflake gets cut off way too quickly with some while for others it stays for a long time (and I'm not from a censored country AFAICT).
Thanks for the feedback! It does still hand out proxy-go instances more frequently. It might've gotten slower because we now have a large influx of webextension proxies. We do have some ongoing work to improve performance next on our roadmap (like https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/…).
I'm using your Debian …
I'm using your Debian (Buster) repository. Why don't I get any updates anymore for armhf?
Are any other updates…
Are any other updates failing? Are the updates being downloaded but not installed? Have you checked your configuration of apt and the fingerprint of your copy of the repository's key? Have you opened the repository in a browser and checked if the repository's files are correct? The most recent instructions for configuring apt are here: https://support.torproject.org/apt/
The most recent packages for armhf are listed in the Packages file: https://deb.torproject.org/torproject.org/dists/buster/main/binary-armh… As of today, it lists tor version 0.4.2.7-1~d10.buster+1, and that version's deb file for armhf
tor_0.4.2.7-1~d10.buster+1_armhf.deb
exists in this directory: https://deb.torproject.org/torproject.org/pool/main/t/tor/It is possible for you to do the steps to update without apt, starting by exporting your copy of the key from apt-key into GPG to verify the Release file's signature in this directory: https://deb.torproject.org/torproject.org/dists/buster/
Yes, I have version 0.4.2.7…
Yes, I have version 0.4.2.7-1. But on other platforms 0.4.3.6-1 is available for quite some time.
In Packages for armhf: …
In Packages for armhf: "Maintainer: Peter Palfrader [weasel@debian.org]"
I tried to post a question…
I tried to post a question about GFC changes in another thread but I think it was censored.
My question is: it seems CN recently changed GFC to ban outright a later version of SSL (or TLS?). This occurred a few weeks before a DEF CON talk showing how that version can be used to deploy a new form of domain fronting, which sounds (to my inexpert ear) like it might be very useful in protecting and growing the Tor network. Do you know whether CN watchers think the change to GFC was intended as a stopgap measure to thwart the new version of domain fronting?
Are you referring to the…
Are you referring to the blocking of ESNI?
https://geneva.cs.umd.edu/posts/china-censors-esni/esni/
ESNI is a useful privacy feature of TLS 1.3. Unlike prior TLS versions, it protects the hostname of the website you're connecting to. For Internet censors, this is bad news because ESNI significantly reduces the visibility that censors have in your communication.
I'm having problems with the…
I'm having problems with the browser Tor, to enter a twitter account and it temporarily blocks me, ensuring that I'm robot. It ask me to do a google captcha over and over again. How can I solve this problem ?
Ask questions about Tor…
Ask questions about Tor Browser in the most recent post about Tor Browser. This post is not about Tor Browser, but the ones in the following link are. At the time of writing this, the latest standard release (not alpha/development) is 9.5.3.
https://blog.torproject.org/category/tags/tbb
Some answers to your question may be found in Support linked at the top of the purple pages of torproject.org.
When a site blocks you, you could also try to create a "New Tor Circuit for this Site": Is there a way to change the IP address that Tor Browser assigns me for a particular site?
Personally, I've quit services that reject Tor. A good alternative to Twitter is Mastodon, an open-source decentralized/federated network of microblog servers on the fediverse. Here is Tor Project's Mastodon account for example and where you can choose an instance:
https://mastodon.social/@torproject/
https://duckduckgo.com/?q=mastodon+instances
Make an internal advertiser…
Make an internal advertiser inside Tor Browser
What's an internal…
What's an internal advertiser? Can you elaborate on that?
I'm no expert, but couldn't…
I'm no expert, but couldn't a middle relay find all the bridges as a passive observer by logging which incoming relays are not in the public list?
Yes, that's correct. See…
Yes, that's correct. See point #2 in https://blog.torproject.org/research-problems-ten-ways-discover-tor-bri…
I am wondering if anyone has…
I am wondering if anyone has any insight on how does China's GFW blocks Tor traffic?
Based on my understanding of TorProject, GFW needs to know Tor relay nodes in order to block Tor traffics. Is this correct?
Thanks
The GFW uses several methods…
The GFW uses several methods:
* Block *.torproject.org using DNS poisoning.
* Block the IP addresses of Tor relays and bridges.
* Use deep packet inspection to detect Tor on the wire.
* Use a crawler to get bridges from bridges.torproject.org.