#30579: Add more STUN servers to the default snowflake configuration in Tor Browser
----------------------------------------------------+-----------------------------------
 Reporter:  cohosh                                  |          Owner:  cohosh
     Type:  defect                                  |         Status:  needs_information
 Priority:  Medium                                  |      Milestone:
Component:  Circumvention/Snowflake                 |        Version:
 Severity:  Normal                                  |     Resolution:
 Keywords:  stun, anti-censorship-roadmap-october   |  Actual Points:  .3
Parent ID:  #31281                                  |         Points:  1
 Reviewer:                                          |        Sponsor:  Sponsor30-can
----------------------------------------------------+-----------------------------------

Comment (by phw):

 Replying to [comment:13 cohosh]:
 > Here are some lists of public servers:
 > - https://gist.github.com/zziuni/3741933
 > - https://gist.github.com/mondain/b0ec1cf5f60ae726202e
 > - https://www.voip-info.org/stun/
 > - EmerCoin is some cryptocurrency/blockchain project that [https://emercoin.com/en/news/global-changes-in-emercoin-blockchain-segwit-tx-optimizer-stun-and-13-more-updates uses STUN] and they maintain their own [https://github.com/emercoin/emercoin/blob/8808770b98248b0174dc3d6f8c70965e13f17396/src/stun.cpp#L59 list].

 Thanks for compiling these lists! That's very useful.

 > I suppose there's some risk here with choosing a random service. Snowflake clients leak their IP address to whichever server we choose. Perhaps a better route is to have the broker perform this step over the domain fronted connection (#25591)?

 I'm afraid I don't have great answers but only more questions: Assume we're using stun.foo.bar, which is owned by a third party. How easy would it be for the operator of stun.foo.bar to tell apart snowflake clients from the preexisting user base? I suppose the way we're making STUN requests may set us apart from other STUN clients? Also, what's the worst a malicious STUN server could do? Publish a list of IP addresses of snowflake clients? Lie to the clients, so NAT traversal won't work? Anything else?

 As I understand it, a censor can already do all these things (assuming an active adversary) but granted, it's easier to do if the censor controls the STUN server.

 I think this is a good topic to discuss for next week's anti-censorship meeting. I added it to our meeting pad.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30579#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
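
Added example (not part of the ticket or of Snowflake's code): a minimal RFC 5389 Binding exchange in Python, illustrating the two points raised in the comment above. The request carries no address, so the server learns the client's IP from the packet source, and the client accepts whatever XOR-MAPPED-ADDRESS the server returns. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import os
import struct

MAGIC = 0x2112A442  # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def message(msg_type, txid, body=b""):
    # 20-byte header: type, body length, magic cookie, 96-bit transaction ID.
    return struct.pack("!HHI", msg_type, len(body), MAGIC) + txid + body

def build_request(txid=None):
    """Client side: the request carries no address; the server sees the UDP source."""
    txid = txid or os.urandom(12)
    return txid, message(BINDING_REQUEST, txid)

def build_response(txid, ip, port):
    """Server side (constructed here): reports whatever address the operator chooses."""
    value = struct.pack("!BBHI", 0, 1, port ^ (MAGIC >> 16),
                        int(ipaddress.IPv4Address(ip)) ^ MAGIC)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return message(BINDING_SUCCESS, txid, attr)

def parse(packet):
    """Return (msg_type, txid, [(attr_type, value), ...]); reject bad framing."""
    if len(packet) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
    if cookie != MAGIC or length != len(packet) - 20 or length % 4:
        raise ValueError("not a well-formed RFC 5389 message")
    attrs, off = [], 20
    while off < len(packet):
        atype, alen = struct.unpack("!HH", packet[off:off + 4])
        if off + 4 + alen > len(packet):
            raise ValueError("attribute overruns message")
        attrs.append((atype, packet[off + 4:off + 4 + alen]))
        off += 4 + alen + (-alen % 4)  # values are padded to 4 bytes
    return msg_type, packet[8:20], attrs

def mapped_address(packet, expected_txid):
    """Client side: decode the IPv4 XOR-MAPPED-ADDRESS, which is taken on trust."""
    msg_type, txid, attrs = parse(packet)
    if msg_type != BINDING_SUCCESS or txid != expected_txid:
        raise ValueError("unexpected response")
    for atype, value in attrs:
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 1:
            port, addr = struct.unpack("!HI", value[2:8])
            return str(ipaddress.IPv4Address(addr ^ MAGIC)), port ^ (MAGIC >> 16)
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS")
```

A response whose address differs from the packet's real source parses exactly like an honest one, so a client cannot detect a wrong answer from the STUN message alone.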