The current belief is that the DTLS blocking rules from A new Snowflake blocking rule (offset of supported_groups in DTLS Client Hello) affect some, but not all, Snowflake connections. It may depend on what kind of NAT the client has, or other factors.
@Shelikhoo has made test packages that have a different DTLS fingerprint. This is to determine whether the DTLS blocking rules really are affecting many users in Russia. Please give them a try, if you can:
https://people.torproject.org/~shelikhoo/dqo8apcai4/tor-browser/
Here is some more background:
- IRC Tip about Signature used to block Snowflake in Russia, 2022-May-16 (#40030) · Issues · The Tor Project / Anti-censorship / censorship-analysis · GitLab
- UDP packets matching the pattern
^\x16\xfe[\xfd\xff].{X}\x00\x1d\x00\x17\x00\x18
are getting blocked, where X is a small number of enumerated byte offsets, and \x00\x1d\x00\x17\x00\x18 is the supported_groups extension. One of the offsets happens to match where pion/dtls places the extension in its Client Hello. - Concise description of the current situation: snowflake connections are blocked when either peer in the connection is Pion-based (e.g. snowflake-client or proxy-go) and takes the role of the DTLS client.
- Put another way, the connection is ok if: the proxy is a browser proxy (not proxy-go) and snowflake-client operates as a DTLS server, not client
- Pull request Shuffle Elliptic Curves in ClientHello to circumvent Russian censorship by ValdikSS · Pull Request #474 · pion/dtls · GitHub has the risk of creating a new, even more distinctive fingerprint
- So does altering the offset of supported_groups without changing other aspects of the fingerprint
- One idea is to make a patch or fork of pion/dtls with either pull request Shuffle Elliptic Curves in ClientHello to circumvent Russian censorship by ValdikSS · Pull Request #474 · pion/dtls · GitHub or some other change that alters the offset, then ask people to test it
- Shell will create a ticket for releasing a version of Snowflake/TorBrowser with patch applied.
- UDP packets matching the pattern
- Creating a version of Tor Browser with patched Snowflake client that includes supported_groups censorship countermeasure (#83) · Issues · The Tor Project / Anti-censorship / Team · GitLab