GSoC 2020: Snowflake Proxy on Mobile

This blog post is about the project I worked on and my experience with Tor under GSoC 2020. After spending a lot of time understanding organizational goals and writing a proposal that aligns with these goals, I eagerly awaited the result of GSoC’s application – a nerve-wracking experience. I’m sure every student who submitted a proposal can relate to this experience. Getting selected to work on the proposal was a fantastic feeling, and knowing that I was going to work for a big and exciting organization like Tor added to the thrill.

The Project

I am very fortunate to have worked with the Tor Project’s anti-censorship team this summer; I worked on Snowflake Proxy on Mobile. The Wiki gives an elaborate sketch about the project; the gist is that this project allows users to run a Snowflake proxy on Android, which helps users in censored countries access Tor. The project is not yet ready for release; some UI/UX work and testing remain to be done, and we hope to wrap up this work over the next few months. If anyone wants to try it out, the URLs point to the local testing environment (Snowbox) for development. It will work if you change the URL to the right broker; they can be changed using the app’s settings, eliminating the need to tweak the code.

The project is the proxy component of the Snowflake circumvention system. This pluggable transport has been under development by Tor for quite some time now. Snowflake’s idea is for volunteers to spin up short-lived proxies that Tor users use to circumvent censorship. There already is a large set of volunteer proxies, and this mobile version further adds to this blizzard of Snowflakes.

Feel free to provide feedback, report issues, and voice ideas using the project’s issues page.

My Experience with the Tor Project

Tor’s community is very welcoming; all the Tor core developers are down to earth, humble, and easy to approach for any technical difficulty. Any interested person can barge into their IRC channels and ask any question, and either the developers or the fellow folks in the community would answer our questions.

The anti-censorship team often hosts a reading group to discuss research papers. This is an excellent and exciting opportunity for a student to learn some great topics related to security, which I enjoyed a great deal. Additionally, the team schedules meetings every week, using an anti-censorship team pad that contains reading group schedules, meeting schedules, and updates. Other teams at Tor have similar pads. It’s good to see what all developers are working on, and if there is any chance I could get involved, I will find it there.

Whenever there was a possibility, I got involved in other project developments at Tor, mainly anti-censorship projects. The developers answered all my queries. It can be tiresome to explain a project to a newbie. Still, they did, with elaborate emails that would get me started in the development process.

What’s Next?

I am certainly planning on sticking around to get involved in development whenever I can, and I will continue to work on the GSoC project. In my opinion, every student should be encouraged to work on open source projects by which they learn from the best developers with years of experience, and when one makes a merge request, the community will do a code review allowing the student to improve their code in the future. Additionally, it promotes open source work. 

A huge thanks to Google for making this possible and for encouraging students and projects. My mentors Cecylia (cohosh) and Philipp (phw) were immensely helpful while working on the project and got me involved in other projects at Tor. Finally, thanks to the Tor Project and the Digital Impact Alliance (umbrella organization in GSoC) as a whole for choosing me and making this a significant milestone in my career.

Anonymous

September 09, 2020

As a user myself, thank you very much! I wish sponsors (Google) weren't in the business of tracking, but, hashikd, thank you for contributing to Tor!

Anonymous

September 09, 2020

Honestly, I'm excited for the introduction of Snowflake to Tor in general. Thing is though, I wish that it could be released already, but I'm sure that the people at the Tor Project have gotten that request a ton, but it's nice to know that running a Snowflake server via the Snowflake extension and getting no connections from bridge users will change soon!

Anonymous

September 10, 2020

cohosh, I have a suggestion, in the Snowflake addon instead of # of users in the last 24 hours it would be better to have # of users that used your proxy and whenever there's an increase in the last 24 hours there would be a small tag next to it or below it like:

> # of ...... 23
> [+1 today]

Anonymous

September 11, 2020

Is there much organic webRTC traffic to non-domestic IPs in the real world? Collateral damage would be minimal for GFW if not.

Anonymous

September 11, 2020

Please don't get me wrong. I love the tor but I think I'm not going to be able to run Snowflake without a serious effort on my part.

I'm guessing it's as open source as tor, which would be great if I could understand those few tens of thousands of lines of code that made up tor.

But as a slightly paranoid user I just have a hard time feeling safe when I see lots of network traffic coming out of my computer.

The thing that worries me most is running tor/Tor Browser/Snowflake as the user I'm logged in as, which for the most part is my personal account I have my data in.

Any security problem with tor/Tor Browser/Snowflake that allows shell access is going to have access to my data. A major no-no. It doesn't matter that I run my main account in lowly user, non-Administrative, mode.

What's the recommendation? Create another account just to run tor/Tor Browser/Snowflake in case of security problems it won't have as much access to my data as if I was running it under my own account? But then what about most (or at least mine) unix-like OS that runs a umask that seems to give every other account on my system some sort of access in my ~ ?

Anonymous

September 12, 2020

How easy is it to get recent versions of TOR (that support Snowflake) in countries which block this website? GitHub and GitLab only contain outdated versions, and they are hard to find using search. Can you get recent versions of Tor in China using APT or SnapCraft? The Tor Browser Launcher available on FlatHub probably won't work in China, because it tries to connect to this website.

GetTor only serves Tor Browser stable but you can get an alpha by using one of our mirrors:
https://2019.www.torproject.org/getinvolved/mirrors.html.en

Here are alpha downloads on one of the mirrors:
https://mirror.oldsql.cc/tor/download/alpha/

(By the way, GetTor is the discovery mechanism for copies on GitHub and GitLab: Send an email to gettor@torproject.org and add your operating system (windows, linux, osx) to the email's body. You aren't supposed to find these copies over search.)

Anonymous

September 14, 2020

> The anti-censorship team often hosts a reading group to discuss research papers. This is an excellent and exciting opportunity for a student to learn some great topics related to security, which I enjoyed a great deal.

That is very important, especially for young researchers/engineers. I would like to suggest that in future summers, TP consider including at least one seminar each on

o specific revelations from the Snowden leaks of technical capabilities of NSA (perhaps based upon EFF's NSA primary sources repository),

o survey of surveillance technology generally (but AFAIK no-one website even begins to adequately cover this, so someone might have to do some serious work here).

I am optimistic that one day, perhaps sooner than anyone thinks, someone associated with TP will suddenly see an unexpected opportunity to do "something completely different" (thank you Monty Python), which becomes the breakout application which makes Tor privacy-promoting technology part of every household all over the world.

Confusion to our enemies!

Anonymous

September 14, 2020

> big

Tor Project is big?

> The gist is that this project allows users to run a Snowflake proxy on Android, which helps users in censored countries access Tor.

One thing which really bothers me about GSoC and this project in particular is that Google is not doing this because they care about privacy or censorship. (That would make no sense whatever, because their entire business model is about denials of privacy and massaging search results!) Rather, GSoC appears to be a rather cynical program to sneakily lock activists around the world into using Android rather than iOS. My fear is that Google will be happy to turn around and sell sensitive data on the most endangered mobile phone users to the worst governments in the world, for example to enable surveillance using NSO Group or Cellebrite malware, which would place these vulnerable people in real danger.

I hope everyone who shares this fear will make a point of sending a grassroots contribution to Tor Project, because the goal of turning TP into a user funded NGO similar to EFF, rather than an NGO dependent upon handouts from our natural enemies (USIC tied USG agencies and companies like Google).

All that said, many thanks for your interest in combatting censorship, and best wishes for your future career in an industry our world needs almost as much as it needs "green power": a genuine privacy industry which sells products to consumers which are effective in small ways or large to genuinely enhance the privacy and cybersecurity and access to information of ordinary people all over the world.

> Tor Project is big?

It isn't? I suppose it boils down to a personal definition of big,
As big as Amazon, MS, Google, Apple, etc.? No.
Big, relative to the opensource world? Yes.

> GSoC appears to be a rather cynical program to sneakily lock activists around the world into using Android rather than iOS

I hate to say it, but this statement is wrong on many levels; I disagree entirely. Please feel free to head over to the GSoC page; there are tons of projects and a broad spectrum of technologies. Not just Android, there are even iOS projects. In fact, very few projects are Android-based.

I believe we have to give credit where credit is due; GSoC brought nothing but good to the open source community. The proof being all the projects it helped over the years; please head over to their website and check out the projects yourself. It might change your view.

Hi Hashik, thanks for your reply!

> Please feel free to head over to the GSoC page; there are tons of projects and a broad spectrum of technologies. Not just Android, there are even iOS projects. In fact, Very few projects are Android-based.

You have my attention, but can you give a link to the specific page you had in mind? (I did a search of this webpage using the built-in Firefox search function but did not find what looked like a link to GSoC projects generally.)

Sure! The link[1], at the time of writing, is updated through the 2019 projects; 2020 is yet[2] to be added to the archive. Every year GSoC accepts a bunch of organizations, which you can see when you click on a specific year. Of these, organizations are free to choose the projects they deem useful to them, and students are free to choose from those ideas listed by orgs or propose something new that would benefit the org. Google has little to no say in this process of selecting projects.

I'm sure you would change your mind after looking at the orgs and projects.

[1] https://summerofcode.withgoogle.com/archive/
[2] https://summerofcode.withgoogle.com/organizations/

Thanks much--- I have recorded the links and am heading over there now.

I'd appreciate any light anyone can shed on what exactly is the business model of Team Cymru and what are their USG contracts. I believe some employees are current or former USSS so I am having a hard time understanding why no-one has ever been willing to answer my questions about Team Cymru.

Thank you very much for the links.

Unfortunately, when I followed them I found that these websites do not work with Tor Browser!

Specifically, I tried to surf there using TB in Tails 4.10, with the security slider on "safest", which I judge to be appropriate when interacting with sites such as Google or FBI.gov. But no content was displayed.

It seems reasonable to guess that the problem is that Google has constructed the pages to collect personal information about visitors, and if the visitor does not want to give up whatever canvas fingerprinting reveals (lots), Google in effect tells us "f off!".

Might I suggest some reading also? Two important books:

Julia Angwin, Dragnet Nation

Shoshana Zuboff, Surveillance Capitalism

I think these books may change how you view Google (no pun intended).

> One thing which really bothers me about GSoC and this project in particular is that Google is not doing this because they care about privacy or censorship. (That would make no sense whatever, because their entire business model is about denials of privacy and massaging search results!)

My other favorite NGO, EFF, just launched an Atlas of Surveillance:

ttps://atlasofsurveillance.org

That is good.

But it uses ArcGIS (a company which has many contracts with USIC and Pentagon, including some of the earliest Find/Fix/Finish contracts), and it requires javascript and is not viewable at any setting of Tor Browser which I tried.

That is bad.

Sigh...
