Opened 8 months ago

Last modified 8 months ago

#25966 new project

Report on Tor in the UAE (and question about Snowflake)

Reported by: mwolfe Owned by: dcf
Priority: Very Low Milestone:
Component: Obfuscation/Censorship analysis Version:
Severity: Trivial Keywords: snowflake
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Early in '17, Tor stopped working. Turned out, they'd turned on blocking, but obfs4 worked. Then obfs4 stopped, and someone suggested I try Snowflake, which worked back then. But Snowflake stopped working one day, and I learned it was alpha, and not well supported, so I switched to meek. Now I can't get Snowflake to work at all (Tor doesn't even load), but obfs4 is working again, and seems to work much better than meek.

Child Tickets

Change History (10)

comment:1 Changed 8 months ago by dcf

Keywords: snowflake added

Snowflake stopped working because Google blocked domain fronting to App Engine, which Snowflake uses for rendezvous: #25804.

You can work around it by using the alternative domain fronts from #22782.

See also #25594 about alternative rendezvous methods.

comment:2 in reply to:  1 Changed 8 months ago by cypherpunks

Replying to dcf:

You can work around it by using the alternative domain fronts from #22782.

Small tutorial on how to do that in case you don't know: (although someone should confirm if I didn't make any mistake)

  1. Go to your Tor Browser directory. Then go the folder Browser then TorBrowser then Data then Tor.
  2. Open the torrc-defaults using a text editor and change the snowflake line from
    ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://snowflake-reg-test.appspot.com/ -front www.google.com -ice stun:stun.l.google.com:19302
    

to

ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://d3prdmp6d0elsl.cloudfront.net/ -front a0.awsstatic.com -ice stun:stun.l.google.com:19302
  1. Save, and enjoy!

Also by obfs4 you mean you got them from the BridgeDB or you used the default ones (in the dropdown menu when they ask which pluggable transport to use)?

comment:3 Changed 8 months ago by cypherpunks

The Citizen Lab Research

We found that Netsweeper technology is being used to block access in these ten countries to a wide range of digital content protected by international legal frameworks, including religious content in Bahrain, political campaigns in the United Arab Emirates, and media websites in Yemen

Section 2- Country Case Studies

We found three IP addresses in the UAE that were part of Netsweeper installations
ISP du
AS Name Emirates Integrated Telecommunications Company PJSC (EITC-DU)
Blocking was implemented through an HTTP 302 redirect.
The blockpage contains du branding, contains a link to the UAE Telecommunications Regulatory Authority’s “Internet Access Management Regulatory Policy,” and links to a form that allows a user to flag a website believed to be blocked in error.

comment:4 Changed 8 months ago by mwolfe

If I click 'request a bridge', nothing happens. Bridges used to be obvious on the Tor website, but I couldn't find a link when I looked, so I just click 'Select a built-in bridge', and this works fine here. After obsf4 stopped working, I'd click 'Select a built-in bridge' and choose meek, then when meek got slow, I tried obfs4, and it worked and was faster than meek.

Thanks for the link to the new snowflake. I'll try it and report later.

comment:5 Changed 8 months ago by mwolfe

The UAE has at least two ISPs. I see ads for Virgin, but I'm not sure if it's another ISP, or just a tool for one or both of the two I know. The two are du, which was used for your tests, and the other is Etisalat, eim.ae or etisalat.ae (that's the one I use).

All the info about blocks was related to du, but the blocks would be the same for both (both du and Etisalat must run everything through the Telecommunications Regulatory Agency, or TRA). When du started, about 15 years ago, it was only in Free Zones, and so didn't have any blocks, but then pressure to have two nationwide ISPs got du to offer Internet and phone services all over, and it got the same blocks Etisalat has always had.

I'm glad someone was able to run the tests safely from a .ca account.

comment:6 in reply to:  4 Changed 8 months ago by cypherpunks

Replying to mwolfe:

If I click 'request a bridge', nothing happens.

That's because moat is broken too due to Google deprecating domain fronting. It will be fixed though in a next release(s).

Bridges used to be obvious on the Tor website, but I couldn't find a link when I looked, so I just click 'Select a built-in bridge', and this works fine here. After obsf4 stopped working, I'd click 'Select a built-in bridge' and choose meek, then when meek got slow, I tried obfs4, and it worked and was faster than meek.

I'd recommend not using default built-in obfs4 bridges since they're public, you can however try out non-public obfs4 bridges by using meek first then going to https://bridges.torproject.org/bridges?transport=obfs4 and doing the process to get obfs4 ones.

comment:7 Changed 8 months ago by cypherpunks

@mwolfe: meek-amazon will also stop working since Amazon will deprecate domain fronting, so you should move to meek-azure and for snowflake replace the line with this latest one (from #22782):

ClientTransportPlugin snowflake exec ./TorBrowser/Tor/PluggableTransports/snowflake-client -url https://snowflake-broker.azureedge.net/ -front ajax.aspnetcdn.com -ice stun:stun.l.google.com:19302

Many thanks again to dcf for keeping up with this! :)

comment:8 Changed 8 months ago by mwolfe

Got the new snowflake line.

The snowflake line didn't work until I modified it to

ClientTransportPlugin snowflake exec PluggableTransports
/snowflake-client -url https://snowflake-broker.azureedge.net/ -front
ajax.aspnetcdn.com -ice stun:stun.l.google.com:19302

That's the way the original was, no ./TorBrowser/Tor/ at the beginning.

*

Tried the bridges from bridges.torproject.org, six of them (i.e., since one gets 3 at a time, I downloaded twice), but could not connect. The built-in bridges for obfs4 work fine, but the ones from the database didn't. The captcha is very hard for me to read. With the letters and numbers overlapping, it's hard for me to be sure what it's asking for, and it usually takes me 3 or 5 tries. Not sure why the bridges aren't working. I downloaded some a few months ago, and they worked, but not today.

comment:9 in reply to:  8 Changed 8 months ago by cypherpunks

Replying to mwolfe:

That's the way the original was, no ./TorBrowser/Tor/ at the beginning.

Yeah I'm not a Mac OS user (Debian here), sorry about that and glad you sorted it out yourself!

comment:10 Changed 8 months ago by mikeperry

Component: - Select a componentObfuscation/Censorship analysis
Owner: set to dcf

(Triage: Giving this ticket the censorship analysis component: I hope it's right)

Note: See TracTickets for help on using tickets.