Snowflake session at TorDev

Similar to Flashproxy
Written mostly in Go
Uses WebRTC library

To run a server, embed Javascript in a page. Visitors to that page then become a temporary bridge. Flashproxy also did this, but there were NAT traversal issues using Websockets peer-to-peer. WebRTC comes with NAT traversal. No popup in the browser when opening a server. However, the Snowflake library will include an opt-out UI.

Serene shows a Snowflake demo. The demo actually works despite the fact that demos always break. Everyone is very impressed.

David says the Go wrapper for libwebrtc was the game changer for Snowflake.

Uses a “broker” for signaling to set up P2P connection.

What are the remaining tasks to deploy Snowflake in TBB?

Snowflake needs to be audited. OTF is a possible source of funding for this audit. Serene has applied, but has not yet heard back.

What happens if someone closes the browser tab? It closes the WebRTC connection, which will kill the proxied Tor connection. Serene is working on a more robust system. In flashproxy, the client would connect to multiple flashproxy servers and rollover when one was closed, although it would still close the Tor circuit.

There is a server-side PT implementation as well as the Javascript in-browser server.

Seren has talked to Griffin about making a Cupcake version of Snowflake.

A possible UI change is to pop up a confirmation dialog when someone closes the browser tab. Although, would that annoy users and discourage them from adding the Javascript badge to their web pages? Perhaps if you’ve already asked them for permission then they won’t mind being ask if they really want to quit. For flashproxy, there was no user permission, although people complained when David gave talks about it. David says it didn’t really matter since there were no users, but perhaps opt-in only would be a better idea. 

Does many short-lived proxies lead to a bad UX? Flashproxy would not enable a proxy server until it had been on for a while in order to eliminate churn, but there is still a problem with long-lived but slow server connections.

A persistent transport layer would be nice to use multiple short-lived connections, but is an engineering challenge. SCTP would be useful for this. WebRTC uses SCTP and it seems like work well. meek also does something like this.

Snowflake relies on domain fronting for signaling. meek uses domain fronting and is paying $1k-2k per month in domain fronting costs. Snowflake is a possibly less expensive alternative since it only uses domain fronting for signaling.

Upgrading Javascript is easier to do than updating bridges.

The Javascript 

Snowflake is a separate PT implementation and does not sue obfs4proxy code. It uses goptlib for implementing the PT protocol.

How soon can we get Snowflake into TBB? What is the onboarding process? What is the binary size? Currently 15MB-28MB stripped of debug symbols. Compression is available for Go binaries by merging multiple executables into one (“busybox style”). However, the libwebrtc library is large. It might be possible to make it smaller by eliminating unused parts of the library. Compression may also help as libwebrtc is included in Firefox as well and therefore in TBB.

Who runs the STUN and TURN servers? Currently the Google ones are the default. Ximin has a list of open servers. We need to choose a TURN server that won’t make the PT trivially fingerprintable. ICE negotiation: STUN is the first fallback which works for most users. TURN is only used if P2P using STUN fails. TURN servers only necessary for certain NAT configurations, when both peers are behind symmetric NAT.

Development work: reproducible builds, finishing stability, and connection recovery when the server goes down. Estimated date of alpha release is sometime in March. Auditing will also take about a month.

Lunar’s suggested release plan: alpha release, user testing, bug fixes, and then audit.

Would it be possible to run a TURN server in the browser?

Are there any big websites that would be willing to put the Snowflake badge on their page? David offers to convert all flashproxy badges to Snowflake badges.

For Debian packaging, the only difficult part is packaging the libwebrtc library.

Reproducible builds has not yet been tested.

How do PT usage metrics work? The stats will be messed up because the they will be counting browser proxies and not actual users. The extended OR port can be used on the bridge side to change the country to Unknown so that it will at least not mess up country-specific stats. We would like better PT stats and also privacy-preserving stats collection.

How does the broker decide what WebRTC peer you should connect to? Just whichever one is next in the queue of registered peers.

Last modified 18 months ago Last modified on Mar 18, 2016, 10:31:13 PM