Latest RIPE Atlas measurements (sort by “majority” and watch for timeouts)
Is the block on ajax.aspnetcdn.com
still present? In the OONI web connectivity test, I see anomalies between 2021-12-01 and 2021-12-08, but the most recent anomaly is 2021-12-08 13:07, and there are many “accessible” measurements since then.
Yes, it is still getting blocked, but only on some ISP. Not accessible in Moscow from Beeline, Tele2, Yota, but people report from other cities that ajax.aspnetcdn.com
works but Tor relays do not.
Patched snowflake-client builds for testing
@cohosh from the Tor anti-censorship team has made updated Snowflake packages to remove the DTLS fingerprint distinguisher found by @ValdikSS. The change is already merged into Tor Browser and will be available in the next release. But you can test the modified snowflake-client now. If any problems are discovered, there is still a short time to make changes for the next Tor Browser release.
The tests require a moderate level of technical ability—you need to replace a file in the Tor Browser folder, or run a command from the command line. Less technical users, it is better to wait for the next release.
Testing with Tor Browser
Download the .tar.gz file for your platform and extract it. Open your Tor Browser directory and find the snowflake-client binary:
platform | location |
---|---|
linux | TorBrowser/Tor/PluggableTransports/snowflake-client |
osx | Contents/MacOS/Tor/PluggableTransports/snowflake-client |
windows | TorBrowser/Tor/PluggableTransports/snowflake-client.exe |
Rename the existing binary to snowflake-client.backup, and copy the binary from the .tar.gz file into its old location.
Start Tor Browser and choose Snowflake from Tor Network Settings.
Testing from the command line
Download the .tar.gz file for your platform and extract it. Go into the directory containing the snowflake-client binary and create a file called torrc.snowflake
:
SocksPort auto
UseBridges 1
Bridge snowflake 192.0.2.3:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72
ClientTransportPlugin snowflake exec ./snowflake-client -log snowflake-client.log -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
Now run tor using that configuration file:
$ tor -f torrc.snowflake
You will know it is working as soon as you see:
new bridge descriptor 'flakey' (fresh): $2B280B23E1107BB62ABFC40DDCC8824814F80A72~flakey at 192.0.2.3
You can also try using the Tor SOCKS proxy port shown in the log:
Opened Socks listener on 127.0.0.1:XXXX
For example,
$ curl --proxy socks5h://127.0.0.1:XXXX/ https://check.torproject.org/ | head
<html lang="en_US">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>
Congratulations. This browser is configured to use Tor.
If it does not work, there are logs in the file snowflake-client.log. Logs like the following are a sign of a working connection:
WebRTC: DataChannel.OnOpen
---- Handler: snowflake assigned ----
Traffic Bytes (in|out): 6806 | 134462 -- (19 OnMessages, 138 Sends)
Traffic Bytes (in|out): 1051010 | 33510 -- (854 OnMessages, 169 Sends)
WebRTC: At capacity [1/1] Retrying...
Traffic Bytes (in|out): 72898 | 10833 -- (85 OnMessages, 29 Sends)
Traffic Bytes (in|out): 3972 | 2363 -- (9 OnMessages, 7 Sends)
Tor Browser for Android with replaced snowflake: tor-browser-10.5.10-android-armv7-multi-aligned-debugSigned.apk
Psiphon capture dumps of failed connections.
psiphon-ru-tele2-09dec2021.7z (332.6 KB)
Many psiphon vpn regions work fine, but some do not. Automatic region selection connects successfully.
The Psiphon Data Engine has a region-specific search:
https://psix.ca/d/nyi8gE6Zk/regional-overview?orgId=2&var-region=RU
Public results only go back 14 days, so take a screenshot if you want to make a record. I don’t see any notable change in the graph that ends 2021-12-08.
Updates on Tor obfs4:
- Bridges newly added to BridgeDB/Moat are not yet blocked. So it’s possible that Moat will become more usable again as new bridges come online, if the censor does not renew its list.
- There’s a new Telegram bot by @meskio for distributing obfs4 bridges. To use it, send
/bridges
to @GetBridgesBot. - Tor Browser 11.0.2 was released yesterday. It contains a new default obfs4 bridge, which is not blocked yet.
Release candidate builds of Tor Browser with the patched Snowflake are available. These builds also have a new default obfs4 bridge. If no problems are discovered during testing, these builds will become release 11.5a1.
ISP “tiera” from Saint-Petersburg with TSPU. Tor is blocked
Yes. This new relay is not accessible from these ISP.
So if I am reading this thread correctly, the situation today is:
Blocked
- Tor project website
- Unobfuscated relays
- Widely publicized obfs4 bridges
Open for now
- Tor project website mirrors
- Snowflake alpha with newest patch
- Newly added obfs4 bridges
- Meek-azure ?
Last resorts
- Private obfs4 bridges
- Private pre-proxy (V2Ray or Shadowsocks)
The “last resorts” are limited to those who have the resources to set up a private server, which they could possibly share with trusted contacts.
Not all of them. I requested some public bridges and they worked
Also, i use tunelled ipv6 and its not filtered
This in torrc worked :
ClientUseIPv4 0
ClientUseIPv6 1
I don’t know whether TSPU equipped ISPs with ipv6 also block ipv6 tor entry ips
Only a few ISPs in Russia have ipv6
ER-Telecom — IPv6 bridges are working fine and all IPv4 bridges are blocked. YOTA — all blocked.
There are three main bridge distribution methods:
-
https
(the Tor Project website) -
moat
(inside Tor Browser) -
email
(send request from Gmail or Riseup email address)
If the Tor Project website is blocked, then so is https
. That leaves only moat
or email
.
It would be interesting to know which method censors are using to discover bridge IP addresses to block. Then volunteers setting up new bridges could use the opposite method.