Opened 4 months ago

Last modified 5 weeks ago

#30579 new defect

Add more STUN servers to the default snowflake configuration in Tor Browser

Reported by: cohosh
Owned by:
Priority: Medium
Milestone:
Component: Circumvention/Snowflake
Version:
Severity: Normal
Keywords: stun, anti-censorship-roadmap-october
Cc: cohosh, dcf, arlolra, phw
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor: Sponsor30-can

Description

Right now snowflake blocking in China is happening in the client's connection to the default STUN server (which is set to Google's STUN servers). We should add more STUN servers, including ones that are popular in regions that are trying to block snowflake so that blocking this stage causes more collateral damage.

Child Tickets

Change History (8)

comment:1 Changed 4 months ago by cohosh

Cc: cohosh dcf arlolra phw added

comment:2 Changed 3 months ago by phw

Sponsor: Sponsor19 → Sponsor30-can

Moving from Sponsor 19 to Sponsor 30.

comment:3 Changed 2 months ago by gaba

Keywords: anti-censorship-roadmap-october added; snowflake removed

comment:4 Changed 2 months ago by phw

A friend suggested that we look into whatever gaming voice chat systems are popular in China. In the West, there's Discord and TeamSpeak but China probably has its own versions of these. The OTF summit may be a great venue to learn more about this.

comment:5 Changed 7 weeks ago by cypherpunks

Hi. There is a better idea. Lots of popular and non-blocked websites put users' visible IP addresses in cookies, custom HTTP headers or the page body. Can we exploit this?

I imagine a system crawling websites automatically, finding user's visible IP addresses in their responses, generating the data describing how to carve and parse them and putting it into a repo. Then browsers fetch the repo, select a random webpage from the list, get it and parse the HTTP response.

comment:6 Changed 7 weeks ago by arlolra

Can we exploit this?

From my limited understanding, no. It's not enough to just know the external ip. The client needs to make an outgoing request in order for the NAT to add a mapping entry in its table between external ip:port pair and the client. That pair, returned in the response from the STUN server, is then communicated to the peer via some signalling method so that packets it sends to the external ip are translated to the client.

See https://en.wikipedia.org/wiki/STUN#Limitations and https://en.wikipedia.org/wiki/Network_address_translation#Methods_of_translation

comment:7 in reply to: 6 Changed 7 weeks ago by cohosh

Replying to arlolra:

Can we exploit this?

From my limited understanding, no. It's not enough to just know the external ip. The client needs to make an outgoing request in order for the NAT to add a mapping entry in its table between external ip:port pair and the client. That pair, returned in the response from the STUN server, is then communicated to the peer via some signalling method so that packets it sends to the external ip are translated to the client.

Yep, it's not just the ip address but also the port that needs to be discovered, and set aside by the client for the purpose of the WebRTC connection.

Although, if there are popular P2P applications in areas that block Tor that aren't using STUN, but using something else for NAT traversal, it would be good to know and we might be able to modify the WebRTC library to use that (not sure if such a thing exists).

Since the STUN server (or other protocol server) that the client uses doesn't need to implement any custom code from us, and doesn't even need to know that it's being used for censorship circumvention, I think our best bet here is to use specific servers/protocols that are already popular for unblocked P2P applications instead of trying to roll our own thing.
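The STUN exchange arlolra and cohosh describe above, as an added example that is not part of this ticket or of Snowflake's own code: the client's outgoing Binding Request (RFC 5389) and the parsing of the XOR-MAPPED-ADDRESS the server returns, which is the external ip:port the NAT allocated for that outgoing packet. The transaction ID, the sample response and the address it reports are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

const magicCookie = 0x2112A442 // RFC 5389 fixed value; also the XOR key for the address
// BuildBindingRequest is the 20-byte, attribute-free packet the client sends out. That
// outgoing packet is what makes the NAT allocate the external ip:port the peer will use.
func BuildBindingRequest(txID [12]byte) []byte {
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:], 0x0001) // Binding Request
	binary.BigEndian.PutUint16(msg[2:], 0)      // body length: no attributes
	binary.BigEndian.PutUint32(msg[4:], magicCookie)
	copy(msg[8:], txID[:])
	return msg
}

// ParseXorMappedAddress returns the reflexive IPv4 ip:port from a Binding Success
// Response, rejecting replies whose transaction ID does not match the request we sent.
func ParseXorMappedAddress(resp []byte, txID [12]byte) (net.IP, int, error) {
	if len(resp) < 20 || binary.BigEndian.Uint16(resp[0:]) != 0x0101 || // Binding Success
		binary.BigEndian.Uint32(resp[4:]) != magicCookie || string(resp[8:20]) != string(txID[:]) ||
		len(resp) < 20+int(binary.BigEndian.Uint16(resp[2:])) {
		return nil, 0, errors.New("malformed, truncated or foreign STUN response")
	}
	for body := resp[20 : 20+int(binary.BigEndian.Uint16(resp[2:]))]; len(body) >= 4; {
		t, l := binary.BigEndian.Uint16(body[0:]), int(binary.BigEndian.Uint16(body[2:]))
		if len(body) < 4+l {
			return nil, 0, errors.New("truncated STUN attribute")
		}
		if t == 0x0020 && l == 8 && body[5] == 0x01 { // XOR-MAPPED-ADDRESS, family IPv4
			port := int(binary.BigEndian.Uint16(body[6:]) ^ uint16(magicCookie>>16))
			ip := make(net.IP, 4)
			binary.BigEndian.PutUint32(ip, binary.BigEndian.Uint32(body[8:])^magicCookie)
			return ip, port, nil
		}
		body = body[4+((l+3)&^3):] // attributes are padded to a 4-byte boundary
	}
	return nil, 0, errors.New("no XOR-MAPPED-ADDRESS attribute")
}

// SampleTxID and SampleResponse are constructed for this example: a server's reply to
// SampleTxID reporting reflexive address 203.0.113.7:54321, XOR-encoded as on the wire.
var SampleTxID = [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
var SampleResponse = append([]byte{0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42},
	append(SampleTxID[:], 0x00, 0x20, 0x00, 0x08, 0x00, 0x01, 0xf5, 0x23, 0xea, 0x12, 0xd5, 0x45)...)
```

Knowing the external address from a web page (comment 5) gives only the IP half of this result; the port, and the NAT mapping behind it, exist only because the client sent the request.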

comment:8 Changed 5 weeks ago by cypherpunks

It is worthless and may backfire. Censors would just contact the developers and say "implement measures preventing the use of your service for censorship circumvention or we will block your service too". This may include eliminating peer-to-peer calls entirely, streaming them through their own servers and also implementing recording and analysis of calls for surveillance and marketing needs.
