[guardian-dev] Your comments on a draft paper about Snowflake
David Fifield
david at bamsoftware.com
Tue Oct 3 20:00:57 EDT 2023
I and my coauthors Cecylia Bocovich, Arlo Breault, Serene, and Xiaokang
Wang are writing a paper about Snowflake. We have listed Guardian
Project in the acknowledgements, and Orbot is referenced in several
places. We are writing in the hope that you can double-check what we
have written about work you are involved in. Any other comments are
welcome.
Here is a draft. If you have any comments in the next 5 weeks, we can
try to take them into account.
https://www.bamsoftware.com/papers/snowflake/snowflake.20231003.e6e1c30d.pdf
Some specific points we want to call your attention to:
Figure 5 shows the number of Snowflake proxies by type. iPtProxy is in
second place, behind the browser extension.
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/figures/proxies/proxy-type.pdf
We list 16.4.0 and 16.4.1 as the first releases to support Snowflake as
a client and a proxy, respectively. I've previously asked about these
version numbers, so I'm pretty sure they're correct.
https://lists.mayfirst.org/pipermail/guardian-dev/2023-July/005704.html
https://lists.mayfirst.org/pipermail/guardian-dev/2023-July/005708.html
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1509
    Snowflake's growth began in earnest when it became part of
    default installations. Orbot, a mobile app that provides a
    VPN-like Tor proxy, added a Snowflake client in version 16.4.0
    on 2021-01-12.
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1937
    Orbot's Snowflake proxy feature was added in version 16.4.1 in
    February 2021.
Here we've said Orbot's ability to act as a proxy is called "kindness
mode". Our understanding is that this label is only used in v17+.
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1867
    Finally, Orbot, a mobile app for accessing Tor, besides being
    able to \emph{use} Snowflake for circumvention, can also
    \emph{provide} Snowflake proxy service to others, a feature
    called ``kindness mode.''
    % Only so called in Orbot v17+, which should be current by the
    % time the paper is submitted.
Regarding the TLS fingerprint blocking that happened in Iran in 2019, we
write about how Orbot was more affected than Tor Browser, because
different versions of Go crypto/tls led to slightly different TLS
fingerprints.
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L2588
    As it happens, it was mainly Orbot that was affected, because at
    the time it used a Snowflake client compiled with Go 1.17, and
    it runs on mobile platforms that are less likely to have AES
    acceleration. Tor Browser was relatively unaffected, because it
    either ran on desktops with AES acceleration, or on mobile
    platforms with the newer version of the Go standard library
    whose TLS fingerprint was not being matched. But evidently Orbot
    is more used in Iran than Tor Browser, because the decline was
    so drastic.
Regarding Orbot 17, I'm still unclear on the degree to which that has
been released. F-Droid has it, but the Google Play site says "Updated on
Nov 1, 2022" and has 16.6.3-RC-1-tor.0.4.7.10. We have a couple of todo
notes to make updates when Orbot 17 is released, because of anticipated
changes to DTLS fingerprints and multi-bridge support. Is there anything
to add on these points?
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1600
    Another DTLS blocking signature was reported on 2022-06-20; we
    did not get to fixing it until Tor Browser 12.0.3 on
    2023-02-15.\todo{And Orbot 17 on\ldots}
https://github.com/turfed/snowflake-paper/blob/e6e1c30dde6716dc5e54a32f2134f19068a7f395/snowflake.tex#L1677
    The second bridge was made available to users in Tor Browser
    12.0 on 2022-12-07. By July, the second bridge supported about
    18% of Snowflake users.\todo{Revisit this when Orbot~17 hits the
    Play Store.}