Snowflake uses domain fronting[1] for rendezvous. It is the digital equivalent of a spy having their secret meetings inside an unsuspecting friend's house, and it always eventually goes bad for that friend.
The technique is heavily used by bad actors and is being blocked by default[2] by some cloud providers. AWS went as far as sending a nastygram to Signal[3] when they tried to roll it out on a wide basis for fear that countries like Iran and China would just block all of AWS.
I ran a Snowflake server at home for a while. I shut it off because it used too much CPU for my liking, but I haven't seen any kind of negative impact whatsoever.
Domain fronting is not exactly a holy grail. Signal and Tor ran into issues when cloud providers blocked domain fronting (or rather, stopped supporting a feature that never was meant to work anyway) but I don't think that was intended to interrupt anything. "Load balancers are written to make sure they serve the correct certificates for their configured domains" isn't exactly a problematic feature on its own.
Domain fronting is trivial, all you need is a call to openssl and an nginx server. It's also trivial to bust, all you need to do is actually validate the certificate. These certificates are either self signed or are part of a random CA chain that no real system would ever trust.
It's not "a spy having their secret meetings inside an unsuspecting friend's house". It's someone putting a sign saying "white house, home of the American president, do not enter" in front of a random warehouse in Brazil.
Software that falls for domain fronting either doesn't care about the certificates and their validity, or is buggy and should get patched. Some of that software will probably be security software, but if bad actors manage to trick your security software into trusting a few readable strings, domain fronting is probably the least of your worries. I can't imagine what kind of shitty security software would possibly fall for that.
When I last looked, the intent was that eventually ECH endpoints offer the same effective service that you got with Domain Fronting, but without messing with the backend in a way which is disruptive for the cloud providers so they support it.
Why would ECH be fine when Domain Fronting isn't? The problem with Domain Fronting is that we get surprised too late with the actual request. We get what appears to be a legitimate request for this-thing.example, so we do all the work to respond to a this-thing.example request and then... swerve, sorry I changed my mind, my request is actually about hidden-service.example.
With ECH we (but not an adversary snooping the connection) know immediately that the request is for hidden-service.example and so we don't waste our time setting up for the wrong work.
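The SNI/Host split described in the two paragraphs above, as an added Go example that is not part of the original thread and not Snowflake or Tor Project code. The client side sends one HTTPS request whose TLS layer (SNI and certificate check) names example.com, the host the Go test certificate is valid for, while its HTTP Host header asks for hidden-service.example; the edge-side check refuses any request where the two names disagree, which is the behaviour CDNs adopted when they stopped honouring fronted requests. The two hostnames, the 421 status code and the use of Go's httptest server with its built-in self-signed certificate are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// normalizeHost lowercases a hostname and drops an optional :port and
// trailing dot, so "Example.COM:443" and "example.com." compare equal.
func normalizeHost(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.TrimSuffix(h, ".")
}

// IsFronted reports whether the HTTP Host header names a different site than
// the TLS SNI the client presented. A missing SNI counts as a mismatch, since
// a fronting client may simply omit it.
func IsFronted(sni, host string) bool {
	return normalizeHost(sni) != normalizeHost(host)
}

// AntiFronting is the edge-side check: a TLS request whose Host header
// disagrees with the SNI is refused with 421 Misdirected Request (status
// chosen here for illustration) before the origin does any work for it.
func AntiFronting(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && IsFronted(r.TLS.ServerName, r.Host) {
			http.Error(w, "SNI and Host header disagree", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewEdge starts a TLS test server (httptest's built-in self-signed cert,
// valid for example.com and 127.0.0.1) that answers 200 behind AntiFronting.
func NewEdge() *httptest.Server {
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served Host=%s behind SNI=%s\n", r.Host, r.TLS.ServerName)
	})
	return httptest.NewTLSServer(AntiFronting(origin))
}

// FrontedGet is the client side of domain fronting: the TLS layer is told to
// expect front (SNI and certificate check), while the HTTP layer asks for
// hidden. It returns the status code the edge answered with.
func FrontedGet(srv *httptest.Server, front, hidden string) (int, error) {
	base := srv.Client().Transport.(*http.Transport)
	cfg := base.TLSClientConfig.Clone() // keeps the test server's CA
	cfg.ServerName = front              // what goes into the SNI extension
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()

	req, err := http.NewRequest(http.MethodGet, srv.URL+"/", nil)
	if err != nil {
		return 0, err
	}
	req.Host = hidden // what goes into the Host header
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := NewEdge()
	defer srv.Close()
	for _, hidden := range []string{"example.com", "hidden-service.example"} {
		code, err := FrontedGet(srv, "example.com", hidden)
		fmt.Printf("SNI=example.com Host=%-22s -> %d %v\n", hidden, code, err)
	}
}
```

The honest request (Host equal to the SNI) gets 200; the fronted one gets 421 without the origin ever being asked. A real CDN edge compares the Host header against the set of hostnames the certificate it just served was issued for, which is the same check with a list on the right-hand side.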
> when they tried to roll it out on a wide basis for fear that countries like Iran and China would just block all of AWS
That is the whole point: make it so they have to block vast swaths of the useful internet in order to defeat it. Ideally, we should be able to make it so they have to block the entire internet to censor anything.
There must be some kind of limit to the amount of tyranny they're able to muster, right? Eventually the collateral damage will be too great and they'll give up on trying to censor anything. Alternatively, they will become such tyrannical societies that people won't accept it.
This is a relay for Tor users to be able to access Tor (when normal guard relays (first hop in a Tor circuit) are blocked), using domain fronting and WebRTC.
The text is written quite confusingly, at least the German translation it served me by default. I was wondering how this could circumvent censorship, as the target needs to also support WebRTC, so there's no way to access any http(s) website via this in-browser proxy; this still requires another server to accept the WebRTC connection and forward your traffic, but the point (which the article doesn't mention) is to be able to connect to this other server indirectly.
It even goes so far as to claim that you don't need any software to visit censored websites:
> Unlike VPNs, you do not need to install a separate application to connect to a Snowflake proxy and bypass censorship. (translated from the German)
Except you do. Without a Tor client, this snowflake proxy is useless. Clicking through to the technical details (link marked with a warning "this content is in English"):
> 1. User in the filtered region wishes to access the free and open internet. They open Tor Browser, selecting snowflake as the Pluggable Transport.
The article said "contrary to VPNs, you don't need to install separate software to circumvent censorship" and the technical overview says the literal opposite: you need to install a Tor client to make use of a snowflake proxy.
I can't speak to the German translation, but the point the English version is making is you don't install Snowflake, you install software that uses Snowflake (most typically, Tor Browser). It's presumably trying to clarify things for confused users trying to figure out how to install Snowflake as a proxy or VPN application, when that's not how it works.
edit to add the direct quote (which seems pretty clear to me): "Unlike VPNs, you do not need to install a separate application to connect to a Snowflake proxy and bypass censorship. It is usually a circumvention feature embedded within existing apps."
If Tor is illegal in your country, it seems pretty risky to try to use it. Since anyone can run a snowflake proxy, it would be a trivial exercise to just log connecting IP addresses. Then it's a gamble with vanishing odds of staying safe each time you connect.
They could block Snowflakes with IPs from networks in unsafe countries, but that is trivially bypassed by the attacker just buying VPSs (or botnet nodes) in a freer country.
Skimming the Technical Overview[0], I don't see anything about mitigating the risks you mention.
The purpose of Snowflake seems to be to circumvent blocking of Tor, not to prevent detection of using Tor. It takes advantage of "Domain Fronting" and WebRTC to accomplish this.
In most places where Snowflake is useful, connecting to Tor is either legal or the laws against it aren't enforced. It's usually the creators/contributors of anti-censorship tools that face repercussions. That said, Tor Project pretty consistently emphasizes that all pluggable transports are for AC purposes, not steganographic purposes, and while they're difficult to block, they will not stop the network operator from being able to tell you're connecting to Tor, and that it ultimately falls on the user to decide whether that's acceptable.
"Just" don't connect from an IP that can be tied back to you, use black market sim in a separate phone, connect from places you don't go, turn it off when not in use... It gets expensive fast...
> If you switch on the Snowflake below and leave the browser tab open, a user can connect through your new proxy!
I am not even sure if I am getting this right. If I embed an iframe in my website, traffic from Tor users will get tunneled through my site visitor's IP? How does consent work with relay.love? Does my website visitor's IP show up as a Tor exit node?
It's not an exit. By default someone has to knowingly run the Snowflake applet, but webmasters could modify the code to automatically start what is essentially a Tor guard in someone's browser. Though that would be very evil, to abuse someone's resources like that.
That example has the user's consent before starting.
You can disable WebRTC in most decent browsers if you're afraid this will be abused. WebRTC can be used for worse things (like port scanning your internal network) and for great things (video calling with millisecond latency, Peertube).
However, it should be noted that this mechanism doesn't just allow remote sockets to be created through Javascript. It can only communicate with other servers that either use some version of WebRTC/WebSockets or plaintext services that ignore the extra protocol overhead as garbage and happily parse the rest (some IRC servers and WebSockets are a nice example).
As you can see in the technical overview, people use peer to peer technology to connect to your browser, which then uses WebSockets to communicate with a WebSocket server for a normal Tor entry point.
So, I'm reminded of the old 'store your files on youtube' thing[0] and I wonder how much bandwidth one could get using the same concept on one of the widely used voice conferencing solutions (like zoom) to further blend in. Bonus if you can do some kind of video steganography to transfer the data and have a 'real' call.
That would be amazing. If that worked regardless of network, though, I can see people setting up a node and accidentally taking it to work or some other public network by mistake. I’m not sure if that’s better or worse than using it in a persistent connection.
> Bonus if you can do some kind of video steganography to transfer the data and have a 'real' call.
What you are suggesting would bring the proposed UK Online Safety Bill (OSB) into operation, and by virtue of the encoding/steganography means that GCHQ govt code crackers will be involved in what would be classed as police matters, not govt regulator (aka Ofcom) matters, despite the UK govt suggesting it's just a function of the regulator. The OSB also reads like it will extend beyond borders, simply on the grounds that it could be used in the UK.
Not sure how new this is but very cool that users can host a node simply by toggling an iframe or installing a browser extension. I wonder if these methods have much lower bandwidth limitations than the CLI version
There is also a standalone (go) version [0] that can be deployed on a server.
"one of the main advantages of standalone Snowflake proxies is that they can be installed on servers and offer a higher bandwidth and more reliable option for users behind restrictive NATs and firewalls."
You're just lucky YOU aren't affected yet. Try telling that Norwegian poker player who is unable to wire legal poker earnings from a tournament abroad to his bank at home. Or any of the people who made money on crypto which they want to use as security for an apartment loan. Or someone trying to wire gains from legal online casinos abroad. Or someone trying to access a web site that the Norwegian authorities do not like and which is DNS blocked (yes, easy to circumvent for tech people). Government and politicians abusing authority and limiting individual freedom is already here and growing. When it starts affecting "most people" it is usually a lot harder to reverse. The Norwegian government already passed a law that allows mass electronic surveillance. And they want to limit the public's access to government records. It's a very slippery slope, left-side "social democrazy" (spelled "bureaucratic dictatorship") like most of the EU. People need to open their eyes and fight government overreach now.
We block every Tor IP we can find because we don't have the time nor patience to deal with the 99% burpsuite spam originating from these servers. Very cheap and effective solution.
What's the incentive?? Try the ALL NEW TORBUX!! A new ERC20 token with only an 80% pre-mine used to incentivise participation in the Tor network! Now instead of giving back to a community you derive benefit from, you can pervert the relationship with monetary rewards that benefit an elite class who are planning on disappearing to the Cayman Islands after extracting enough wealth from you and your peers!
mike_d|2 years ago
[1] https://en.wikipedia.org/wiki/Domain_fronting
[2] https://azure.microsoft.com/en-us/updates/generally-availabl...
[3] https://signal.org/blog/looking-back-on-the-front/
tialaramex|2 years ago
Encrypted Client Hello is the in-progress work to have even the client's initial contact to an HTTPS server be encrypted. https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
cubefox|2 years ago
Evidence?
gary_0|2 years ago
[0] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...
batch12|2 years ago
[0] https://github.com/DvorakDwarf/Infinite-Storage-Glitch
bauruine|2 years ago
[0] https://community.torproject.org/relay/setup/snowflake/stand...
rejectfinite|2 years ago
I'm lucky to have been born in Scandinavia, so there is really zero internet censorship, for now.
bauruine|2 years ago
https://check.torproject.org/torbulkexitlist
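The "block every Tor IP we can find" approach discussed earlier in the thread, fed by the exit list linked just above, as an added Go example that is not Tor Project code and not part of the original thread. It parses the one-address-per-line torbulkexitlist format into a set that can be swapped on reload, and a middleware refuses requests whose peer address is listed. The list contents below are constructed from the reserved documentation ranges so the example runs offline (they are not real exit addresses); the 403 status and the reload interval mentioned in the comments are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// sampleList stands in for https://check.torproject.org/torbulkexitlist. It is
// constructed for this example from documentation ranges; these are not real
// exits. The real file is simply one address per line.
const sampleList = `# constructed example, not real exit data
198.51.100.7
203.0.113.9
2001:0db8:0000::1
`

// ParseExitList reads the one-address-per-line format into a set keyed by the
// canonical textual form, so "2001:0db8::1" and "2001:db8::1" match. Blank and
// '#' lines are skipped; a malformed line is an error, not a silent gap.
func ParseExitList(r io.Reader) (map[string]struct{}, error) {
	set := make(map[string]struct{})
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		ip := net.ParseIP(line)
		if ip == nil {
			return nil, fmt.Errorf("line %d: not an IP address: %q", n, line)
		}
		set[ip.String()] = struct{}{}
	}
	return set, sc.Err()
}

// ExitList holds the current set; Load swaps it atomically, so the list (which
// changes continuously) can be refreshed, e.g. hourly, without downtime.
type ExitList struct {
	mu  sync.RWMutex
	ips map[string]struct{}
}

func (l *ExitList) Load(r io.Reader) error {
	set, err := ParseExitList(r)
	if err != nil {
		return err
	}
	l.mu.Lock()
	l.ips = set
	l.mu.Unlock()
	return nil
}

func (l *ExitList) Contains(ip net.IP) bool {
	if ip == nil {
		return false
	}
	l.mu.RLock()
	defer l.mu.RUnlock()
	_, ok := l.ips[ip.String()]
	return ok
}

// ClientIP takes the peer address from RemoteAddr only. X-Forwarded-For is
// ignored on purpose: a client can set it to anything, so trusting it would
// let a Tor user walk past the block by claiming an unlisted address.
func ClientIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// Block answers 403 (status chosen here for illustration) to listed peers.
func (l *ExitList) Block(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if l.Contains(ClientIP(r)) {
			http.Error(w, "Tor exit addresses are not served", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Decide runs one synthetic request with the given RemoteAddr through Block
// and returns the status code; useful for dry-running a freshly fetched list.
func Decide(l *ExitList, remoteAddr string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	l.Block(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	var list ExitList
	if err := list.Load(strings.NewReader(sampleList)); err != nil {
		panic(err)
	}
	for _, peer := range []string{"198.51.100.7:51234", "[2001:db8::1]:443", "198.51.100.8:9"} {
		fmt.Printf("%-22s -> %d\n", peer, Decide(&list, peer))
	}
}
```

Two caveats a deployer should keep in mind: the list only names exits, so it affects Tor users reaching your site and says nothing about Snowflake proxies, which sit on the entry side; and if the service runs behind your own reverse proxy, RemoteAddr is the proxy, so the client address must then be taken from the header that proxy sets, and only when RemoteAddr really is the proxy.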
archo|2 years ago
Tor (network) : https://en.wikipedia.org/wiki/Tor_(network)
The Tor Project : https://en.wikipedia.org/wiki/The_Tor_Project