[guardian-dev] Your comments on a draft paper about Snowflake

David Fifield david at bamsoftware.com
Tue Oct 3 20:00:57 EDT 2023


I and my coauthors Cecylia Bocovich, Arlo Breault, Serene, and Xiaokang
Wang are writing a paper about Snowflake. We have listed Guardian
Project in the acknowledgements, and Orbot is referenced in several
places. We are writing in the hope that you can double-check what we
have written about work you are involved in. Any other comments are
welcome.

Here is a draft. If you have any comments in the next 5 weeks, we can
try to take them into account.

https://www.bamsoftware.com/papers/snowflake/snowflake.20231003.e6e1c30d.pdf

Some specific points we want to call your attention to:

Figure 5 shows the number of Snowflake proxies by type. iPtProxy is in
second place, behind the browser extension.
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/figures/proxies/proxy-type.pdf

We list 16.4.0 and 16.4.1 as the first releases to support Snowflake as
a client and a proxy, respectively. I've previously asked about these
version numbers, so I'm pretty sure they're correct.
https://lists.mayfirst.org/pipermail/guardian-dev/2023-July/005704.html
https://lists.mayfirst.org/pipermail/guardian-dev/2023-July/005708.html

https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1509
	Snowflake's growth began in earnest when it became part of
	default installations. Orbot, a mobile app that provides a
	VPN-like Tor proxy, added a Snowflake client in version 16.4.0
	on 2021-01-12.
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1937
	Orbot's Snowflake proxy feature was added in version 16.4.1 in
	February 2021.

Here we've said Orbot's ability to act as a proxy is called "kindness
mode". Our understanding is that this label is only used in v17+.

https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1867
	Finally, Orbot, a mobile app for accessing Tor, besides being
	able to \emph{use} Snowflake for circumvention, can also
	\emph{provide} Snowflake proxy service to others, a feature
	called ``kindness mode.''
	% Only so called in Orbot v17+, which should be current by the
	% time the paper is submitted.

Regarding the TLS fingerprint blocking that happened in Iran in 2019, we
write about how Orbot was more affected than Tor Browser, because
different versions of Go crypto/tls led to slightly different TLS
fingerprints.

https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L2588
	As it happens, it was mainly Orbot that was affected, because at
	the time it used a Snowflake client compiled with Go 1.17, and
	it runs on mobile platforms that are less likely to have AES
	acceleration. Tor Browser was relatively unaffected, because it
	either ran on desktops with AES acceleration, or on mobile
	platforms with the newer version of the Go standard library
	whose TLS fingerprint was not being matched. But evidently Orbot
	is more used in Iran than Tor Browser, because the decline was
	so drastic.

Regarding Orbot 17, I'm still unclear on the degree to which that has
been released. F-Droid has it, but the Google Play site says "Updated on
Nov 1, 2022" and has 16.6.3-RC-1-tor.0.4.7.10. We have a couple of todo
notes to make updates when Orbot 17 is released, because of anticipated
changes to DTLS fingerprints and multi-bridge support. Is there anything
to add on these points?

https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1600
	Another DTLS blocking signature was reported on 2022-06-20; we
	did not get to fixing it until Tor Browser 12.0.3 on
	2023-02-15.\todo{And Orbot 17 on\ldots}
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1677
	The second bridge was made available to users in Tor Browser
	12.0 on 2022-12-07. By July, the second bridge supported about
	18% of Snowflake users.\todo{Revisit this when Orbot~17 hits the
	Play Store.}

