Changes between Initial Version and Version 1 of org/meetings/2016WinterDevMeeting/Notes/Snowflake


Ignore:
Timestamp:
Mar 18, 2016, 10:31:13 PM (3 years ago)
Author:
isabela
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • org/meetings/2016WinterDevMeeting/Notes/Snowflake

    v1 v1  
     1[https://trac.torproject.org/projects/tor/wiki/org/meetings/2016WinterDevMeeting/Notes BACK TO 2016 WINTER DEV MEETING NOTES PAGE]
     2
     3'''Snowflake session at !TorDev'''[[BR]][[BR]]Similar to Flashproxy[[BR]]Written mostly in Go[[BR]]Uses WebRTC library[[BR]][[BR]]To  run a server, embed Javascript in a page. Visitors to that page then  become a temporary bridge. Flashproxy also did this, but there were NAT  traversal issues using Websockets peer-to-peer. WebRTC comes with NAT  traversal. No popup in the browser when opening a server. However, the  Snowflake library will include an opt-out UI.[[BR]][[BR]]Serene shows a Snowflake demo. The demo actually works despite the fact that demos always break. Everyone is very impressed.[[BR]][[BR]]David says the Go wrapper for libwebrtc was the game changer for Snowflake.[[BR]][[BR]]Uses a “broker” for signaling to set up P2P connection.[[BR]][[BR]]What are the remaining tasks to deploy Snowflake in TBB?[[BR]][[BR]]Snowflake  needs to be audited. OTF is a possible source of funding for this  audit. Serene has applied, but has not yet heard back.[[BR]][[BR]]What  happens if someone closes the browser tab? It closes the WebRTC  connection, which will kill the proxied Tor connection. Serene is  working on a more robust system. In flashproxy, the client would connect  to multiple flashproxy servers and rollover when one was closed,  although it would still close the Tor circuit.[[BR]][[BR]]There is a server-side PT implementation as well as the Javascript in-browser server.[[BR]][[BR]]Seren has talked to Griffin about making a Cupcake version of Snowflake.[[BR]][[BR]]A  possible UI change is to pop up a confirmation dialog when someone  closes the browser tab. Although, would that annoy users and discourage  them from adding the Javascript badge to their web pages? Perhaps if  you’ve already asked them for permission then they won’t mind being ask  if they really want to quit. For flashproxy, there was no user  permission, although people complained when David gave talks about it.  David says it didn’t really matter since there were no users, but  perhaps opt-in only would be a better idea. [[BR]][[BR]]Does many  short-lived proxies lead to a bad UX? Flashproxy would not enable a  proxy server until it had been on for a while in order to eliminate  churn, but there is still a problem with long-lived but slow server  connections.[[BR]][[BR]]A persistent transport layer would be nice to use  multiple short-lived connections, but is an engineering challenge. SCTP  would be useful for this. WebRTC uses SCTP and it seems like work well.  meek also does something like this.[[BR]][[BR]]Snowflake relies on domain  fronting for signaling. meek uses domain fronting and is paying $1k-2k  per month in domain fronting costs. Snowflake is a possibly less  expensive alternative since it only uses domain fronting for signaling.[[BR]][[BR]]Upgrading Javascript is easier to do than updating bridges.[[BR]][[BR]]The Javascript [[BR]][[BR]]Snowflake is a separate PT implementation and does not sue obfs4proxy code. It uses goptlib for implementing the PT protocol.[[BR]][[BR]]How  soon can we get Snowflake into TBB? What is the onboarding process?  What is the binary size? Currently 15MB-28MB stripped of debug symbols.  Compression is available for Go binaries by merging multiple executables  into one (“busybox style”). However, the libwebrtc library is large. It  might be possible to make it smaller by eliminating unused parts of the  library. Compression may also help as libwebrtc is included in Firefox  as well and therefore in TBB.[[BR]][[BR]]Who runs the STUN and TURN servers?  Currently the Google ones are the default. Ximin has a list of open  servers. We need to choose a TURN server that won’t make the PT  trivially fingerprintable. ICE negotiation: STUN is the first fallback  which works for most users. TURN is only used if P2P using STUN fails.  TURN servers only necessary for certain NAT configurations, when both  peers are behind symmetric NAT.[[BR]][[BR]]Development work: reproducible  builds, finishing stability, and connection recovery when the server  goes down. Estimated date of alpha release is sometime in March.  Auditing will also take about a month.[[BR]][[BR]]Lunar’s suggested release plan: alpha release, user testing, bug fixes, and then audit.[[BR]][[BR]]Would it be possible to run a TURN server in the browser?[[BR]][[BR]]Are  there any big websites that would be willing to put the Snowflake badge  on their page? David offers to convert all flashproxy badges to  Snowflake badges.[[BR]][[BR]]For Debian packaging, the only difficult part is packaging the libwebrtc library.[[BR]][[BR]]Reproducible builds has not yet been tested.[[BR]][[BR]]How  do PT usage metrics work? The stats will be messed up because the they  will be counting browser proxies and not actual users. The extended OR  port can be used on the bridge side to change the country to Unknown so  that it will at least not mess up country-specific stats. We would like  better PT stats and also privacy-preserving stats collection.[[BR]][[BR]]How does the broker decide what WebRTC peer you should connect to? Just whichever one is next in the queue of registered peers.