15:59:27 <meskio> #startmeeting tor anti-censorship meeting
15:59:33 <meskio> hello everybody!
15:59:38 <shelikhoo> Hi~
15:59:40 <meskio> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:52 <meskio> feel free to add what you've been working on and put items on the agenda
16:01:14 <meskio> there is not much in the agenda
16:01:41 <meskio> I kept the point about the status in russia from last week
16:01:54 <anadahz> o/
16:02:02 <ggus> o/
16:02:26 <meskio> Bridgedb now is only distributing working bridges over moat in russia (for now)
16:02:55 <meskio> and the telegram bot had needed to rotate bridges as the ones distributed to fresh accounts were all blocked except one
16:03:12 <meskio> this is all I know from my side, anything else? or something to discuss about it?
16:04:01 <meskio> someone has asked if meek-azure does work now
16:04:03 <ggus> hackerncoder mirror is going to be blocked soon in russia, so we will need new mirrors
16:04:10 <meskio> I have read something about it, but I don't know
16:04:29 <meskio> ggus: is that a mirror of torproject.org?
16:04:37 <anadahz> The blocking still occurs via IP blocking?
16:04:46 <dcf1> The snowflake bridge approx. doubled its number of clients in the 2 days since 11.5a1 was released https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F
16:04:50 <ggus> yes, all *.torproject.org
16:04:57 <dcf1> I take that as an indication the DTLS fingerprint change is working, for now
16:05:17 <meskio> dcf1: nice \o/
16:05:21 <dcf1> We might need to talk about upscaling the bridge at some point, as its load is increasing
16:05:33 <meskio> anadahz: I have no idea, I didn't investigate, maybe shelikhoo knows more
16:06:09 <dcf1> https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/47#note_2766608
16:06:46 <shelikhoo> I didn't investigate this, but according to tor-dev chat, meek-azure is partially working if returned IP is not blocked.
16:07:02 <shelikhoo> Azure changes the IP address assigned to the blocked site from time to time
16:07:10 <dcf1> https://ntc.party/t/ooni-reports-of-tor-blocking-in-certain-isps-since-2021-12-01/1477/79 "meek-azure works fine. They’ve unblocked ajax.aspnetcdn.com."
16:07:11 <ggus> more updates: the new default bridge 'deusexmachina' was blocked this week. i've asked the operator to rotate the ip address, but i didn't hear from them yet.
16:07:29 <dcf1> Yeah I'm not sure if it was unblocked, or whether Microsoft changed the IP address of the domain.
16:07:36 <shelikhoo> but censorship device's deny list did not update
16:09:20 <anadahz> Is also Tor IPv6 traffic blocked?
16:09:35 <shelikhoo> Anyway, the current way of meek's domain fronting seems to have insufficient collateral damage
16:09:56 <shelikhoo> for determined adversary that is willing to take some loss
16:10:04 <meskio> anadahz: I read some reports in ntc.party that IPv6 default bridges worked, but I haven't tested it
16:10:31 <shelikhoo> In China, that IPv6 bridge is partially blocked
16:10:44 <ggus> meskio: i could bootstrap ipv4 and ipv6 vanilla tor bridges in russia
16:11:34 <anadahz> shelikhoo: "that bridge" you mention [2a01:4ff:f0:214d::1]:55882 ?
16:12:21 <dcf1> ggus: how is it known that a specific website mirror will be blocked? was it another of those emails from Roskomnadzor?
16:12:25 <ggus> since the censorship in russia, we've answered +400 tickets on frontdesk@tpo from russian users
16:12:50 <meskio> wow
16:12:57 <ggus> dcf1: yes, hackerncoder received a notification and pinged us on #tor-project oday.
16:13:04 <shelikhoo> anadahz: No It's 2a0c:4d80:42:702::1
16:13:20 <ggus> *today
16:13:42 <hackerncoder> My hosting provider got a similar email as the Tor Project from Roskomnadzor
16:14:24 <dcf1> there's a list of existing mirrors at https://2019.www.torproject.org/getinvolved/mirrors.html.en
16:14:38 <dcf1> though likely any single one that's promoted will also eventually be blocked
16:15:04 <ggus> dcf1: but, this list is only for www.tpo
16:15:34 <dcf1> I see. But some of them also have /dist/, is that what's required?
16:16:34 <hackerncoder> Mine includes many subdomains, support community blog 2019 tb-manual
16:17:41 <ggus> dcf1: yes, all these mirrors have /dist/
16:18:18 <anadahz> IIUC Roskomnadzor sends mails to Tor relays email contact and/or hosting ISP abuse email address?
16:18:46 <dcf1> anadahz: not to relay operators as far as I know
16:18:47 <ggus> afaik, i didn't hear anything about that
16:19:35 <meskio> dcf1: do I recall that scaling the snowflake bridge will require changes in the code? should we start prioritizing those changes?
16:19:42 <meskio> I guess is that one: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/28651
16:19:49 <meskio> I see is already in 'next'...
16:20:20 <shelikhoo> The easiest way to do this is setup another broker, and bridge
16:20:39 <shelikhoo> so there will be a separate proxy pool
16:20:42 <dcf1> meskio: I mean, eventually, but two easier steps before redesigning any code are: 1. deploy on bigger hardware 2. profile and optimize the snowflake-bridge code.
16:21:03 <meskio> I see
16:21:27 <ggus> another thing wrt russia: valdikss shared this article about a pro-gov organization asking Apple and Google Play to block Tor apps - https://m.gazeta.ru/social/news/2021/12/14/n_17011309.shtml
16:21:35 <meskio> I hope it can wait until january so we don't need to rush over the vacations to do it
16:22:04 <dcf1> meskio: I don't think there's any rush.
16:22:14 <meskio> :)
16:23:03 <shelikhoo> I think Apple have already deplatformed all Proxy Apps from China's App Store
16:23:08 <dcf1> we already upgraded the hardware once 6 months ago https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40051
16:24:28 <dcf1> I also have a feeling that a few hours spent profiling the snowflake server PT would reduce its CPU usage a lot
16:24:32 <anadahz> shelikhoo: Indeed, that was some time ago.
16:25:03 <dcf1> currently using about 2 CPUs for snowflake-server, about 1 CPU for tor + proxy-go instances.
16:25:39 <shelikhoo> It is usually impossible for users to create an apple account in a country they do not live in without the help of a VPN
16:26:07 <shelikhoo> unless they have a payment method in that country
16:26:18 <meskio> dcf1: I see
16:26:37 <dcf1> Maybe the app stores can purge all the fake tor browsers from the app stores while they're at it
16:26:47 <ggus> hehe
16:26:52 <meskio> that will be nice :D
16:27:28 <ggus> wow, we have 3k snowflake users in Russia
16:27:56 <meskio> nice
16:28:22 <ggus> winter is coming :P
16:28:37 <gaba> :)
16:28:46 <ggus> https://metrics.torproject.org/userstats-bridge-combined.html?start=2021-09-17&end=2021-12-16&country=ru
16:29:06 <arlolra> is anyone working on implementing the alpn extension for pion dtls?
16:30:02 <shelikhoo> https://github.com/pion/dtls/issues/408
16:30:10 <shelikhoo> Context ^
16:30:26 <dcf1> for that matter, I'm not sure if we upgraded the standalone bridges that we operate
16:31:01 <anadahz> FWIW OnionBrowser seems to be still available on Apple Store: https://applecensorship.com/app-store-monitor/test/519296448?l=
16:31:36 <dcf1> I guess we did not upgrade our proxy-go yet, judging by the modification date of the binary. I will do that.
16:32:38 <ggus> dcf1: after that, should we ask volunteers to upgrade their snowflake standalone proxy?
16:33:16 <dcf1> maybe. I'm not sure how important it is.
16:33:59 <shelikhoo> This could improve connection time for impacted users living in Russia
16:34:12 <shelikhoo> Since the client will retry connection
16:34:28 <shelikhoo> after waiting a while
16:34:53 <shelikhoo> so if the proxy does not update its version, the connection may be blocked
16:35:11 <shelikhoo> the client will need to try another proxy
16:35:15 <meskio> we should rebuild the docker image of the standalone proxy if we want to ask people to upgrade
16:35:22 <dcf1> yes, I understand. what I'm saying is I don't have a way to quantify how important that effect actually is in practice
16:35:42 <dcf1> to know whether it's worth the trouble
16:35:54 <dcf1> rebuilding the docker image is a good idea in any case
16:36:06 <meskio> I'll do that tomorrow
16:36:24 * meskio remembers that needs to give a push to the debian package too
16:36:43 <ggus> and then ask egypcio to update the freebsd port
16:37:40 <shelikhoo> debian is quite slow when it comes to updating packages....
16:38:46 <meskio> the package is in debian sid, it will not even get to testing as I need to fix things there
16:38:54 <meskio> so no hurry
16:39:01 <shelikhoo> Yes....
16:39:29 <anadahz> (also Tor Browser is available on Google Play in Russia: https://play.google.com/store/apps/details?id=org.torproject.torbrowser&gl=RU)
16:39:36 <ggus> btw, we will have a user support person that speaks russian very soon.
16:39:52 <meskio> nice
16:39:56 <ggus> thanks everyone who helped us on this!
16:40:59 <meskio> anything more about russia?
16:41:34 <meskio> I see a point about fingerprint fixes in the agenda, I guess is what we just discussed, anything else to add there?
16:41:49 <dcf1> that's what we just discussed
16:42:03 <meskio> good
16:42:03 <dcf1> I don't think arlolra got an answer, so I suppose that means no one is working on it now
16:42:19 <meskio> yes, I guess that is the answer
16:42:33 <meskio> maybe cohosh knows more, but she is AFK today
16:43:12 <meskio> I added a point about the next meeting, not sure how you have done the holiday season last years
16:43:29 <meskio> from Dec 22 to Jan 5 TPI employees are in holiday
16:43:39 <meskio> so I guess our next meeting will be Jan 6
16:43:53 * meskio might take that day off, but I hope others will be around
16:44:39 <meskio> I guess nothing to discuss there
16:44:47 <meskio> anything else for today?
16:45:12 <ggus> just to add that we have now 2k bridges - https://metrics.torproject.org/networksize.html?start=2017-09-17&end=2021-12-16
16:45:24 <meskio> amazing
16:45:34 <shelikhoo> great!
16:45:59 <ggus> 2018 was the bridge authority migration
16:46:09 <anadahz> impressive!
16:47:33 <meskio> I'll give it one more minute to see if someone has something else to talk and if not I'll close the meeting
16:48:35 <meskio> #endmeeting