Snowflake workshop

Goals of this workshop:

  • give an idea of how snowflake works
  • how repo is organized and components
  • most important components

Action Items are new tickets: marked with (*)

Snowflake diagram is on snowflake trac page Bridge(s): works similar to other bridges in tor Broker: uses domain fronting to allow clients to connect, keeps track of ids (for WebRTC) of available proxies. Proxies (i.e., Snowflakes): right now there is a go implementation, or participants can visit a site in browser (js implementation).

  • Future possibilities: web extension, or headless browser mode to avoid fingerprinting
  • proxies can reach broker and bridges

client: in area where WebRTC isn't blocked, and can reach broker (currently domain-fronted)

1) Clients connect to broker to get proxy webRTC info

2) Snowflakes are polling broker to say they're available

3) Client connections to snowflake

4) After connection from client, proxy makes WebSocket connection to bridges that are available and from there clients access the Tor network


  • code right now hardcodes 1 bridge and 1 broker
  • could implement this in Tor vs. PT bridge: this would give proxies access to all guards instead of one bridge.
    • would require modifications
  • Roger and David think it's okay if there's only one broker at this point in time. Number of bridges is fine if it's a low number (10).
  • Note: meek is right now running with one bridge
  • Snowflakes can only support 1 client at a time
  • Load balancing
    • broker needs to give client snowflake that isn't used (snowflakes can only support 1 client at a time)
    • possible load balancing if we have multiple bridges


  • Bad snowflake detection
    • if snowflake doesn't work, client will simply try to find another
    • Currently no bad snowflake detection at broker
  • nothing right now to identify that snowflake proxy is in censored area
  • how DDoS-able is this if we can't measure bad snowflakes? If there are 1,000 bad snowflakes in china and only 10 volunteer ones that's bad
  • snowflakes don't say what type of snowflake they are (flags for whether they are js/go/web extension, stability, version, etc.). It's worth supplying type to know whether one type stops working
  • if js version is running we should collect stats now (there's a ticket for stats at broker)
  • anna's (metrics) project will measure snowflake performance for average snowflake users (not individual snowflakes)
  • if we already have participants in cupcake we could measure to see if it's possible to throw out short lived connections and only serve longer term ones once we get snowflake users


  • communication with broker does long polling. snowflake connects and says they are read. Broker waits 10s during which it will return id if there's a client request. After those 10s, proxy has to re-poll
  • every snowflake has an open connection to broker
  • possibility: connection between snowflake and broker could be WebSocket connection sending data back and forth


  • how is this better than obfs4 + bridgeDB
    • meek but cheap
    • alternative to bridge distribution, much harder for adversaries to enumerate bridges
  • what prevents scraping the broker?
    • nothing to prevent that (blocking of all current snowflake proxies)
    • maybe rate limiting
    • collateral damage is much higher for censor to block snowflakes
  • domain fronting right now only running on azure?
    • still running on amazon as long as they keep it below bandwidth
  • possible alts: eSNI, domain fronting over queue cloud thing (Nathan's idea)
  • ticket for using DNS as a transport instead of domain fronting

Engineering things:

  • Guardian project is working on app for snowflake proxies
  • snowflake proxy right now relies on webRTC library that relies on older version of chrome
  • directory in chrome called base, problem there making builds reproducible
  • webext interesting because it's running always when people have browser open and not just when they visit specific site
  • right now snowflake uses WebRTC data channel. There are multiple channels (video/audio). Data channel is mostly used for games. Maybe encoding it in media stream data channels could be worth looking at
  • griffin running cupcake, 4,000 users that have web extension installed so web extension might encourage more proxies

Reliability of snowflakes

  • snowflakes may leave quickly (before client connection is done), snowflakes could be mobile and sever connections that way
  • web extension helps with this because the javascript version where proxies visit website may be too flaky, connection severs when users leave page
  • can partially solve resumption problem if every client holds a connection to two different snowflake bridges at a time. if client has 2 independent paths to tor network it's unlikely it will go down at the same time
  • suggestion that we not hardcode behaviour because we need to look like a regular webRTC user
  • statistics can tell if this is worth it
  • flag snowflakes as stable
  • problem: stable snowflakes are also more likely to be blocked
  • simple rule is until snowflake has polled broker for > 1 minute broker will not give it out (*)

Snowflake Proxy Experience:

  • proxied traffic everything from SSH to video streaming
    • specify what snowflakes can handle
    • maybe look into MassBrowser for specifying proxy policies (similar to Tor exit node policy) and bandwidth constraints


  • Major goal is to first get new version into Tor Browser before May
  • we'll do a session where we get it running (linux is pretty easy)
    • compile go components normally
    • JS component written in coffeeScript
  • might have to do a lot of engineering to load balance between proxies
  • persistent and stable connections are going to be a big issues

S19 stuff:

  • how flexible is funding in terms of milestones/timelines? Very flexible. have to deliver reports on state of anti-censorship and kat is doing that

How many people need to work on s19 tasks before may? mostly everybody

  • there are some things that can happen to tor to help with this
  • might want to modify tor to make it easier to connect to two bridges at the same time (maintain connection to two bridges), mostly for making resumption faster in the case that a connection goes down
  • leave room to modify tor
Last modified 21 months ago Last modified on Jan 29, 2019, 3:03:29 PM