Snowflake (opens in new tab)

(snowflake.torproject.org)

308 pointsbcg3612y ago54 comments

54 comments

Snowflake uses domain fronting[1] for rendezvous. It is the digital equivalent of a spy having their secret meetings inside an unsuspecting friends house, and it always eventually it goes bad for that friend.

The technique is heavily used by bad actors and is being blocked by default[2] by some cloud providers. AWS went as far as sending a nastygram to Signal[3] when they tried to roll it out on a wide basis for fear that countries like Iran and China would just block all of AWS.

1. https://en.wikipedia.org/wiki/Domain_fronting 2. https://azure.microsoft.com/en-us/updates/generally-availabl... 3. https://signal.org/blog/looking-back-on-the-front/

jeroenhd2y ago

I ran a Snowflake server at home for a while. I shut it off because it used too much CPU for my liking, but I haven't seen any kind of negative impact whatsoever.

Domain fronting is not exactly a holy grail. Signal and Tor ran into issues when cloud providers blocked domain fronting (or rather, stopped supporting a feature that never was meant to work anyway) but I don't think that was intended to interrupt anything. "Load balancers are written to make sure they serve the correct certificates for their configured domains" isn't exactly a problematic feature on its own.

Domain fronting is trivial, all you need is a call to openssl and an nginx server. It's also trivial to bust, all you need to do is actually validate the certificate. These certificates are either self signed or are part of a random CA chain that no real system would ever trust.

It's not "a spy having their secret meetings inside an unsuspecting friend's house". It's someone putting a sign saying "white house, home of the American president, do not enter" in front of a random warehouse in Brazil.

Software that falls for domain fronting either doesn't care about the certificates and their validity, or is buggy and should get patched. Some of that software will probably be security software, but if bad actors manage to trick your security software into trusting a few readable strings, domain fronting is probably the least of your worries. I can't imagine what kind of shitty security software would possibly fall for that.

dmix2y ago

Thanks for contributing to anti-cesnsorship, I respect anyone who puts that effort it.

tialaramex2y ago

When I last looked, the intent was that eventually ECH endpoints offer the same effective service that you got with Domain Fronting, but without messing with the backend in a way which is disruptive for the cloud providers so they support it.

Encrypted Client Hello is the in-progress work to have even the client's initial contact to an HTTPS server be encrypted. https://datatracker.ietf.org/doc/draft-ietf-tls-esni/

Why would ECH be fine when Domain Fronting isn't? The problem with Domain Fronting is that we get surprised too late with the actual request. We get what appears to be a legitimate request for this-thing.example, so we do all the work to respond to a this-thing.example request and then... swerve, sorry I changed my mind, my request is actually about hidden-service.example.

With ECH we (but not an adversary snooping the connection) know immediately that the request is for hidden-service.example and so we don't waste our time setting up for the wrong work.

whiatp2y ago

I think the primary problem with domain fronting that ECH would solve is that ECH doesn't involve using a third party's domain name, potentially dragging a single third party into the censorship muck. My read of the support email signal shared is that AWS was unhappy that a domain they owned would likely become entangled. While ECH will still increase everyone else's risk that is sharing the same load balancer as a censorship target, it is at least a fully distributed risk, rather than requiring the client pick a specific domain or set of domains to pull into their fight.

mike_d2y ago

ECH is a good idea on paper but will never work in the real world.

Oppressive regimes just drop any connection lacking a plain text SNI. The browser will either retry without ECH, or the user will retry with a browser that does not support ECH.

I think people in the Western world don't exactly understand how internet censorship works. They don't give a shit about blocking large legitimate sites or breaking connectivity for large swaths of users if it helps them avoid losing power.

1 more reply

matheusmoreira2y ago

> when they tried to roll it out on a wide basis for fear that countries like Iran and China would just block all of AWS

That is the whole point: make it so they have to block vast swatches of the useful internet in order to defeat it. Ideally, we should be able to make it so they have to block the entire internet to censor anything.

There must be some kind of limit to the amount of tyranny they're able to muster, right? Eventually the collateral damage will be too great and they'll give up on trying to censor anything. Alternatively, they will become such tyrannical societies that people won't accept it.

cubefox2y ago

> The technique is heavily used by bad actors

Evidence?

broupannoiffuto2y ago

It's in the OSEP course. :)

2 more replies

mike_d2y ago

https://attack.mitre.org/techniques/T1090/004/

Aachen2y ago

This is a relay for Tor users to be able to access Tor (when normal guard relays (first hop in a Tor circuit) are blocked), using domain fronting and webrtc.

The text is written quite confusingly, at least the German translation it served me by default. I was wondering how this could circumvent censorship, as the target needs to also support webrtc so there's no way to access any http(s) website via this in-browser proxy, this still requires another server to accept the webrtc connection and forward your traffic, but the point (which the article doesn't mention) is to be able to connect to this other server indirectly.

It even goes so far as to claim that you don't need any software to visit censored websites:

> Im Gegensatz zu VPNs musst du keine separate Anwendung installieren, um dich mit einem Snowflake-Proxy zu verbinden und die Zensur zu umgehen.

Except you do. Without Tor client, this snowflake proxy is useless. Clicking through to the technical details (link marked with a warning "this content is in English"):

> 1. User in the filtered region wishes to access the free and open internet. They open Tor Browser, selecting snowflake as the Pluggable Transport.

The article said "contrary to VPNs, you don't need to install separate software to circumvent censorship" and the technical overview says the literal opposite: you need to install a Tor client to make use of a snowflake proxy.

tga_d2y ago

I can't speak to the German translation, but the point the English version is making is you don't install Snowflake, you install software that uses Snowflake (most typically, Tor Browser). It's presumably trying to clarify things for confused users trying to figure out how to install Snowflake as a proxy or VPN application, when that's not how it works.

edit to add the direct quote (which seems pretty clear to me): "Unlike VPNs, you do not need to install a separate application to connect to a Snowflake proxy and bypass censorship. It is usually a circumvention feature embedded within existing apps."

batch122y ago

If Tor is illegal in your country, it seems pretty risky to try to use it. Since anyone can run a snowflake proxy, it would be a trivial exercise to just log connecting IP addresses. Then it's a gamble with vanishing odds of staying safe each time you connect.

gary_02y ago

They could block Snowflakes with IPs from networks in unsafe countries, but that is trivially bypassed by the attacker just buying VPSs (or botnet nodes) in a freer country.

Skimming the Technical Overview[0], I don't see anything about mitigating the risks you mention.

The purpose of Snowflake seems to be to circumvent blocking of Tor, not to prevent detection of using Tor. It takes advantage of "Domain Fronting" and WebRTC to accomplish this.

[0] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...

heresie-dabord2y ago

> that is trivially bypassed by the attacker just buying VPSs (or botnet nodes) in a freer country

A.K.A. "living off the economic land"

tga_d2y ago

In most places where Snowflake is useful, connecting to Tor is either legal or the laws against it aren't enforced. It's usually the creators/contributors of anti-censorship tools that face repercussions. That said, Tor Project pretty consistently emphasizes that all plugable transports are for AC purposes, not steganographic purposes, and while they're difficult to block, they will not stop the network operator from being able to tell you're connecting to Tor, and that it ultimately falls on the user to decide whether that's acceptable.

throwaway2902y ago

"Just" don't connect from an IP that can be tied back to you, use black market sim in a separate phone, connect from places you don't go, turn it off when not in use... It gets expensive fast...

petesergeant2y ago

> use black market sim in a separate phone

In most countries this takes you from “may have committed a crime” to “have actually committed a crime”

1 more reply

anyfactor2y ago

> If you switch on the Snowflake below and leave the browser tab open, a user can connect through your new proxy!

I am not even sure, if I am getting this right. If I embed an iframe in my website, traffic from Tor users will get tunneled through my user visitor's IP? How does consent works with relay.love? Does my website vistor's IP show up as TOR exit node?

worldofmatthew2y ago

It not an exit. But by default someone has to knowingly run the Snowflake applet but webmasters could modify the code to automatically essentially start a Tor guard in someones browser. Though, that would be very evil to abuse someones resources like that.

That example has the users consent before starting.

KRAKRISMOTT2y ago

That's already how many shady VPN software work. Remember if a VPN is "free", you are the product. Web scraping companies pay $$$$ for residential and mobile IPs.

3 more replies

jeroenhd2y ago

You can disable WebRTC in most decent browsers if you're afraid this will be abused. WebRTC can be used for worse things (like port scanning your internal network) and for great things (video calling with millisecond latency, Peertube).

However, it should be noted that this mechanism doesn't just allow remote sockets to be created through Javascript. It can only communicate with other servers that either use some version of WebRTC/WebSockets or plaintext services that ignore the extra protocol overhead as garbage and happily parse the rest (some IRC servers and WebSockets are a nice example).

As you can see in the technical overview, people use peer to peer technology to connect to your browser, which then uses WebSockets to communicate with a WebSocket server for a normal Tor entry point.

ec1096852y ago

What a strange thing not to require browser consent for.

notRobot2y ago

It asks for the user's consent.

1 more reply

batch122y ago

So, I'm reminded of the old 'store your files on youtube' thing[0] and I wonder how much bandwidth one could get using the same concept on one of the widely used voice conferencing solutions (like zoom) to further blend in. Bonus if you can do some kind of video steganography to transfer the data and have a 'real' call.

[0] https://github.com/DvorakDwarf/Infinite-Storage-Glitch

dpkonofa2y ago

That would be amazing. If that worked regardless of network, though, I can see people setting up a node and accidentally taking it to work or some other public network by mistake. I’m not sure if that’s better or worse than using it in a persistent connection.

darkclouds2y ago

> Bonus if you can do some kind of video steganography to transfer the data and have a 'real' call.

What you are suggesting would bring the proposed UK Online Safety Bill (OSB) into operation, and by virtue of the encoding/stenography means that GCHQ govt code crackers will be involved in what would be classed Police matters, not govt regulator aka OfCom matters, despite the UK govt suggesting its just a function of the regulator. The OSB also reads like it will extend beyond borders, simply on the grounds that it could be used in the UK.

Egrodo2y ago

Not sure how new this is but very cool that users can host a node simply by toggling an iframe or installing a browser extension. I wonder if these methods have much lower bandwidth limitations than the CLI version

bauruine2y ago

There is also a standalone (go) version [0] that can be deployed on a server. "one of the main advantages of standalone Snowflake proxies is that they can be installed on servers and offer a higher bandwidth and more reliable option for users behind restrictive NATs and firewalls."

[0] https://community.torproject.org/relay/setup/snowflake/stand...

rejectfinite2y ago

I have it installed and like seeing the number go up. NUMBER BIGGER = DOPAMINE!!

I'm lucky to be born in Scandinavia, so there is really 0 internet censor, for now.

Kjeldahl2y ago

You're just lucky YOU aren't affected yet. Try telling that norwegian poker player who is unable to wire legal poker earnings from a tournament abroad to his bank home. Or to any of the people who made money on crypto who they want to use as security for an appartment loan. Or to someone trying to wire gains from legal online casinos abroad. Or to someone trying to access a web site that the norwegian authorities do not like who are DNS blocked (yes, easy to circumvent for tech people). Goverment and politicians abusing authority and limiting individual freedom is already here and growing. When it starts affecting "most people" it is usually a lot harder to reverse. The norwegian goverment already passed a law that allow mass electronic surveilance. And they want to limit the public's access to goverment records. It's a very slippery slope, left side "social democrazy" (spelled "beuracratic dictatorship") like most of EU. People need to open their eyes and fight goverment overreach now.

rejectfinite2y ago

My 2c on your scenarios.

>Try telling that norwegian poker player who is unable to wire legal poker earnings from a tournament abroad to his bank home.

Probably blocked due to terror laws. If you can't Western Union money, there is a REALLY good reason.

Wait until you hear about how we are a cashless society and our bank app for money transfer. That you need mobile ID and bank account to use :) Max tracking. But its very handy.

>Or to any of the people who made money on crypto who they want to use as security for an appartment loan.

Good, I hate crypto shit and I want it to go away. It is all a scam. Get a real job and invest in a real bank. Crypto is all tax fraud scam shit.

>Or to someone trying to wire gains from legal online casinos abroad.

Good, I hate gambling and online casinos. If you have to gamble, do it in my country so the taxes benefit.

>Or to someone trying to access a web site that the norwegian authorities do not like who are DNS blocked (yes, easy to circumvent for tech people).

Yes THIS I agree with. I think ISP DNS blocks piratebay etc here now. Or some ISPs do. It's shit, but I already use a 3rd party DNS provider on my PC and phones.

Your point btw? I am running the Snowflake when my browser is open.

3 more replies

PathfinderBot2y ago

I'm surprised by how easy and literally one-click it was to use that. Bravo, Tor Project team.

VWWHFSfQ2y ago

We block every Tor IP we can find because we don't have the time nor patience to deal with the 99% burpsuite spam originating from these servers. Very cheap and effective solution.

bauruine2y ago

How do you "find" them? You can just download the list with all exit node IPs.

https://check.torproject.org/torbulkexitlist

jdthedisciple2y ago

What's my incentive to run a snowflake node?

orthecreedence2y ago

What's the inentive?? Try the ALL NEW TORBUX!! A new ERC20 token with only an 80% pre-mine used to incentivise the participation in the Tor network! Now instead of giving back to a community you derive benefit from, you can pervert the relationship with monetary rewards that benefit an elite class who are planning on disappearing to the Cayman Islands after extracting enough wealth from you and your peers!

costco2y ago

What’s the incentive to donate to charity? There’s no risk to you because it’s not an exit node.

jdthedisciple2y ago

The difference being that a donation is one-off.

Running a node is continuous.

1 more reply

archo2y ago

Snowflake (software) : https://en.wikipedia.org/wiki/Snowflake_(software)

Tor (network) : https://en.wikipedia.org/wiki/Tor_(network)

The Tor Project : https://en.wikipedia.org/wiki/The_Tor_Project

ChrisArchitect2y ago

Anything new here from last year?

j / k navigate · click thread line to collapse