Author: admin

  • Introducing FreeSocks, proxies that circumvent censorship

    Easy censorship circumvention

    We despise censorship and human (& animal) rights abuses, and it’s time to fight back. In addition to Operation Envoy, our effort to provide stable and performant anti-censorship Tor bridges and snowflake proxies, we’re launching FreeSocks. FreeSocks is a free and open proxy service that aims to provide an alternative to individuals that live in or are visiting countries with a heavily censored internet. With FreeSocks proxies, people that reside in countries with oppressive governments can access the open internet freely.

    An internet free of censorship is extremely important in countries where the internet is censored heavily. It provides access to information that individuals may never find out about, for example the Tiananmen Square massacre and countless other atrocities and injustices carried out by governments around the world. It also allows people to communicate freely amongst themselves, so that they’re not afraid to show their true selves. In the modern age, governments are only getting better at restricting access to content and services they deem ‘unpalatable’. China is one government which is particularly advanced in their censorship efforts, and is constantly tweaking their Great Firewall to block more and more content and services. This is why services like FreeSocks are important.

    A screenshot of the FreeSocks website

    Our tech stack

    The underlying technology that FreeSocks provides is Outline (Shadowsocks) proxies (deployed around the world), which encrypt and obfuscate users’ internet traffic. The website guides users on how they can retrieve and use the proxy access keys that we provide to them. We make an attempt to reduce the chance of abuse by preventing people from retrieving a proxy if they are not within an especially oppressive country. At a later date, we’ll detail exactly how we provide this service and the underlying code that FreeSocks uses. We think it’s pretty cool, as the functionality of retrieving and expiring proxy access keys (via the outline-server API) lives entirely on the Cloudflare Workers serverless platform. The entire FreeSocks platform is very flexible because of this. Something awesome is that our Workers cron triggers, which expire access keys at defined intervals, run only in datacenters that are powered by renewable energy.

    We do all of this in a privacy respecting way, and we don’t log the IPs of active users, or who might have even requested a proxy.

    Where do we go from here?

    We need your help to maintain FreeSocks, deploy more proxies and fight the censors! If you’d like to support organizations like ours, please consider making a donation.

    With your help we:

    • Plan to continuously deploy new Outline proxy servers in strategic locations.
    • Plan to translate all pages on the website to different languages, so that people who can’t translate or read English can use the service.
    • Plan to provide mirrors of the site in case the main URL is inaccessible.
    • Plan to extend the expiration time of access keys (30 days at the time of launch) based on reception and use.

    We’ve worked really hard on FreeSocks, and we hope that you can get good use out of the service. Share it with your friends who might be subjected to internet censorship. If you use the service, and have any trouble – please contact us.

  • What we’re doing in response to the jabber.ru MITM attack

    As you may have heard, jabber.ru, a popular XMPP service, discovered a sophisticated MITM attack against their service that may have lasted for up to 6 months. They published a great blog post, going over all the details of the attack and measures to prevent this sort of attack from happening on other services.

    From reading the post, it was apparent that the same attack could also happen on XMPP.is, and potentially other Unredacted services. We’ve confirmed in multiple ways that this attack is not currently happening on XMPP.is infrastructure. However, it’s important for us to take precautions and be alerted to this sort of attack if it were to happen in the future.

    What we’ve done

    • We have utilized CertWatch, a service by xmpp.net, to alert us to a potential ongoing MITM attack against our XMPP service. At the time of this post, there is no ongoing MITM attack according to their service.
    What it looks like if no MITM is active when manually checking CertWatch
    • To subscribe to CertWatch alerts for XMPP.is, you can open either link in your XMPP client:
    • We have verified that our XMPP.is certificate fingerprint transparency automation is working as intended.
      • If you wish to manually check that the certificate presented to your XMPP client is valid, we have a script that has been running for many years that outputs the fingerprints from newly issued certificates. The output can be found here and is automatically updated.
    A screenshot of the current fingerprints as of this blog post
    • We have signed up for Cloudflare’s Certificate Transparency Monitoring on all important domains, so that admins can be notified when new certificates get issued for Unredacted services. This allows us to have 2 sources in which we could be notified of a potential MITM attack.
    • We have double checked and ensured that we utilize CAA records across all domains.
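
    The reconciliation that certificate transparency monitoring and fingerprint publishing make possible, as an added example (not Unredacted's code): every certificate logged for a domain is matched against the operator's own issuance record, keyed by issuer and serial because a precertificate and its final certificate share a serial but not a fingerprint. The record shape, CA names, domain and all values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CTEntry:
    """One logged certificate (hypothetical record shape, not a real API)."""
    dns_names: tuple
    issuer: str
    serial: str    # hex serial number
    sha256: str    # hex fingerprint of the logged object
    precert: bool  # precertificates hash differently from the final cert


def clean_hex(value):
    """'AA:0b' and '0xaa0b' both become 'aa0b'."""
    v = value.lower().replace(":", "").replace(" ", "")
    return v[2:] if v.startswith("0x") else v


def norm_serial(value):
    """Serials are integers, so leading zeros are not significant."""
    return clean_hex(value).lstrip("0") or "0"


def covers(name, domain):
    """True if a SAN (possibly a wildcard) falls under the watched domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def reconcile(ct_entries, own_issuances, allowed_issuers, domain):
    """Return (reason, entry) for each logged certificate we cannot account for."""
    known = {(iss, norm_serial(ser)): clean_hex(fp)
             for (iss, ser), fp in own_issuances.items()}
    findings = []
    for e in ct_entries:
        if not any(covers(n, domain) for n in e.dns_names):
            continue
        if e.issuer not in allowed_issuers:
            # Issuer names belonging to CAs named in CAA are operator-maintained.
            findings.append(("issuer-not-authorised", e))
            continue
        key = (e.issuer, norm_serial(e.serial))
        if key not in known:
            # An authorised CA issued a certificate that we never requested.
            findings.append(("unknown-issuance", e))
        elif not e.precert and clean_hex(e.sha256) != known[key]:
            findings.append(("fingerprint-mismatch", e))
    return findings


# --- constructed sample data ---
DOMAIN = "chat.example.org"
ALLOWED = {"Example CA R1"}
OWN = {("Example CA R1", "03:A1:5C"): "AA" * 32}  # what our automation issued
CT = [
    CTEntry(("chat.example.org",), "Example CA R1", "03a15c", "bb" * 32, True),
    CTEntry(("chat.example.org",), "Example CA R1", "03a15c", "aa" * 32, False),
    CTEntry(("chat.example.org", "*.chat.example.org"),
            "Example CA R1", "04ff19", "cc" * 32, False),
    CTEntry(("chat.example.org",), "Other CA X9", "1f", "dd" * 32, False),
    CTEntry(("unrelated.example.net",), "Other CA X9", "20", "ee" * 32, False),
]


def demo():
    return [(reason, e.serial) for reason, e in reconcile(CT, OWN, ALLOWED, DOMAIN)]


if __name__ == "__main__":
    for reason, serial in demo():
        print(reason, serial)
```

    The "unknown-issuance" case is the one that a CAA record alone cannot catch, since the certificate comes from a CA the domain authorises.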

    What we will explore

    • We are considering automating the monitoring of default gateway MAC address changes across our dedicated hardware infrastructure. We already ingest metrics via Prometheus node_exporter that allow us to track this historically.
    • We are planning on setting up Cert Spotter, and monitoring all important domains so that we can be notified of certificate changes when they happen.
    • We plan to ensure that all existing XEPs that are mentioned in this blog post (which are supported by Prosody) get implemented on XMPP.is. This will help support channel binding and other existing SASL issues.
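
    One way to check the default gateway MAC address on a Linux host, as an added example (not Unredacted's tooling, which the post says is based on Prometheus node_exporter metrics): it resolves the IPv4 default gateway from /proc/net/route, looks up its MAC in /proc/net/arp and compares it with a recorded baseline. The sample file contents, addresses and baseline are constructed, and the address decoding assumes a little-endian host.

```python
import socket
import struct

RTF_UP, RTF_GATEWAY = 0x1, 0x2  # route flags from <linux/route.h>
ATF_COM = 0x2                   # ARP entry is complete (MAC is known)


def default_gateways(route_text):
    """Return [(iface, gateway_ip)] for IPv4 default routes in /proc/net/route."""
    out = []
    for line in route_text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        iface, dest, gw, flags, mask = f[0], f[1], f[2], int(f[3], 16), f[7]
        if (dest == "00000000" and mask == "00000000"
                and flags & RTF_UP and flags & RTF_GATEWAY):
            # The kernel prints the address as a native integer in hex.
            out.append((iface, socket.inet_ntoa(struct.pack("<L", int(gw, 16)))))
    return out


def arp_table(arp_text):
    """Return {(device, ip): mac} for complete entries in /proc/net/arp."""
    table = {}
    for line in arp_text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) < 6:
            continue
        ip, flags, mac, dev = f[0], int(f[2], 16), f[3].lower(), f[5]
        if flags & ATF_COM:
            table[(dev, ip)] = mac
    return table


def check_gateway(route_text, arp_text, baseline):
    """Compare each default gateway's MAC with baseline {iface: mac}."""
    arp = arp_table(arp_text)
    findings = []
    for iface, ip in default_gateways(route_text):
        mac = arp.get((iface, ip))
        expected = baseline.get(iface)
        if mac is None:
            findings.append((iface, ip, "unresolved", None))
        elif expected is None:
            findings.append((iface, ip, "no-baseline", mac))
        elif mac != expected.lower():
            findings.append((iface, ip, "changed", mac))
    return findings


# --- constructed sample input in the format of the two /proc files ---
ROUTE = """\
Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT
eth0\t00000000\t010200C0\t0003\t0\t0\t100\t00000000\t0\t0\t0
eth0\t000200C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0
"""
ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:5e:10:00:01     *        eth0
192.0.2.50       0x1         0x0         00:00:00:00:00:00     *        eth0
"""
BASELINE = {"eth0": "02:00:5E:10:00:01"}  # recorded when the host was known good

if __name__ == "__main__":
    with open("/proc/net/route") as r, open("/proc/net/arp") as a:
        for finding in check_gateway(r.read(), a.read(), BASELINE):
            print(finding)
```

    A changed MAC can also follow provider maintenance or a router failover, so a finding is a prompt to investigate and to cross-check certificate transparency, not proof of interception.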

    Our final thoughts

    It is concerning that any attack like this can go unnoticed, and it’s unfortunately something that’s easy to miss. People think of valid certificates as automatically trustworthy. However, in cases where someone has access to your physical infrastructure, a lot of things are possible, including what happened with jabber.ru (issuing Let’s Encrypt certificates from their DNS A/AAAA record IP). It’s equally worrying that there are many certificate authority failures. When they are the root of trust and they are not trustworthy, it creates the potential for many problems with TLS on the internet.

  • Operation Envoy: Defeating Censors

    Operation background

    Accessing the uncensored Internet in some countries has never been so difficult. Internet censorship is rising across the world, even in countries you wouldn’t expect, and content filtering is becoming more difficult to circumvent as technology and censors evolve. However, the worst offenders are the ones you would typically suspect: China, Russia and countries that rank low on the World Press Freedom Index.

    The organization OONI (Open Observatory of Network Interference) monitors internet censorship around the world and produces reports which show that censorship is on the rise. Government censors (governments who implement Internet censorship) are insatiable in their quest to restrict Internet access and keep their citizenry blind and oppressed, just how they like it.


    The question is, what are we doing about it? That’s where Operation Envoy comes in. We want to help deliver messages (network packets) to and from the Tor network. For quite a while now, we’ve been running Tor exit relays which provide valuable bandwidth and processing power to the Tor network which helps people in heavily censored countries access services and information that people in the western world take for granted. While exit relays are an integral part of the Tor network, there’s another part that is critical for accessing it in many countries. Tor bridges and snowflake proxies are the first entry point into the Tor network for many people. What are they you might be wondering? Well, many countries block access to Tor and they’re very good at it, which makes Tor hard to access. That’s where Tor bridges and snowflake proxies step in, and so do we. Bridges and snowflake proxies allow Tor users to access the network via an obfuscated and seemingly normal-looking connection to the bridge or proxy. That bridge or proxy then acts as a literal bridge to the Tor network.

    Censors have even gotten so audacious that they’ve identified specific signatures of user-to-snowflake-proxy traffic and blocked it. Thankfully, the anti-censorship team at Tor is hyperaware of these issues and always trying to be a step ahead of the censors.

    Where the operation stands

    So, that’s where we’ve been focusing most of our censorship evasion efforts. The Tor network has plenty of bandwidth, but it has problems with accessibility and bridges/snowflake proxies help with that. At the time of writing we’ve ramped up to 29 high-bandwidth servers around the world that run Tor snowflake proxies 24/7/365. We have 34 CPU cores and 58GB of RAM at our disposal. Some servers are in strategic locations that help users within censored countries access the proxies themselves.

    Over the past 30 days, we’ve pushed over 93TB of symmetrical traffic on our bridges & proxies.

    See our stats

    The future of Operation Envoy

    Our goal with this operation is to run as many high quality dedicated bridges and snowflake proxies as possible, and become one of the largest operators. We believe Operation Envoy is essential, as many of the snowflake proxies are run via home networks which typically do not provide high upload and download speeds.

    To scale our growing bridge and snowflake proxy server infrastructure, we use automation software called Ansible and have started writing our own Ansible role to help with that. This allows us to update and maintain our Tor bridge and proxy fleet.

    To succeed in our mission, we ask for your help via donation. With your help, we can deploy more and more censorship evasion servers around the world. In an effort to fund our operations, if you make a recurring donation of $10/mo or more after reading this post, be sure to contact us and let us know – we will deploy a Tor bridge or snowflake proxy in your name!

    We plan to release updates on our operation as it expands, so stay tuned.

    Thanks for your support,
    Zach

  • What we’re doing in response to the invasion of Ukraine

    The situation in Ukraine is unsettling, and requires the world to step in and help on every front. Whether you do your part and help with donations, use your cybersecurity skills or attend & stage protests, anything helps.

    In response to the invasion of Ukraine by the Russian military, we have expanded our operations on the Tor network.

    What exactly does this do, and how does it help, you might ask?

    Tor is a network of virtual tunnels that allows you to improve your privacy and security on the Internet. Tor works by sending your traffic through three random servers (also known as relays) in the Tor network. The last relay in the circuit (the exit relay) then sends the traffic out onto the public Internet.

    Source: https://tb-manual.torproject.org/about/

    This makes Tor critical infrastructure to those living in oppressive countries. Without Tor, they can’t access many sites and services that provide views that their governments don’t want them to see.

    While Tor is accessible in Ukraine (despite internet outages), and not being actively blocked, it is not the same in Russia. There are many Russians who do not agree with the decision to invade Ukraine, and they have been staging protests across Russia. As such, it’s very important that Russian protestors have a way to access the uncensored internet. For many years, Roskomnadzor, a Russian agency focused on censoring and controlling the media Russians consume, has been cutting Russians off from websites and services they deem unpalatable. Right now, Tor is blocked in Russia, and we want to help unblock it through anti-censorship Tor bridges. Everyone should have access to an uncensored internet.

    How specifically are we helping combat this now?

    Well, since the start of the invasion we’ve deployed 5 additional Tor bridges (our focus), and 4 exit relays. Our Tor bridges were deployed in strategic locations, close to but outside of Russia, for optimal latency.

    What exactly are Tor bridges?

    Tor bridges are the first hop onto the Tor network for many users in countries enforcing internet censorship. They use obfuscation to disguise Tor traffic to and from a user, & make it look unsuspicious to would-be snoopers looking to block connections to the Tor network.

    Since the deployment of our Tor bridges, we’ve seen high usage across the board. This doesn’t surprise us, as Tor usage has been spiking in Ukraine, and bridge usage is up in Russia.

    Since the invasion of Ukraine on February 24th to now (Feb 27th), our own metrics show that we have pushed over 100 TB of symmetrical traffic to and from the Tor network via all of our Tor relays and bridges.

    How can you help?

    You might be wondering, how can I help this effort to provide uncensored internet access. Well, it’s quite simple actually, and you don’t need to be tech-savvy at all. You can install Tor’s Snowflake browser add-on which helps censored users access the Tor network.

    https://snowflake.torproject.org/

    Additionally, you can donate to Unredacted. We will use any funds during the conflict to spin up new Tor bridges and expand our Tor footprint to help those experiencing internet censorship.

    Donate here: unredacted.org/donate

    You can also see the real world impact of your funding here (although Tor bridges produce much less traffic than other relay types): https://grafana.unredacted.net/d/ce-tor-bridges/unredacted-tor-bridge-metrics?orgId=1

    We wish the best for the people of Ukraine and Russia alike.

    Найкращі побажання
    Zach

  • Running your own Tor relays

    As many of you may know, Tor relays are quite important to the Tor network. They allow Tor users to access .onion sites and the regular internet. While hidden services (.onion sites) are great, the fact is that a lot of the internet cannot be found within the Tor network. Exit relays, being one of the most essential relay types, facilitate the bridge between Tor and the regular WWW (World Wide Web), allowing for true internet freedom.

    For a good portion of 2021, we ran (and currently run) a set of Tor exit relays on dedicated servers with unmetered bandwidth. This is something that we hadn’t attempted before; we typically ran guard and middle relays exclusively so that we didn’t have to deal with abuse reports. Many people fear running exit relays because of legal issues some have experienced, which is completely understandable. You may also have a hard time finding a hosting provider that allows exit relays (see more below for suggestions). In this post, we will go through some of the things we’ve found to be beneficial in our endeavor to provide fast and secure infrastructure to the Tor network.

    Network network network

    The most important thing we’ve found is operating your own network when running exit relays.

    1. Having your own ASN (autonomous system number) is a great thing. It allows you to have a great deal of flexibility in what you can do with your network. Having our own ASN allows us to advertise our IPv4 and v6 prefixes on our servers or routers directly to our upstream (hosting) provider. We have more control over the routing, and our network looks unique when peering into our setup. We even have the option to establish our own private or public peering with other networks, allowing us to have direct connections to other networks (for speed and free bandwidth).
    2. Having your own IP prefixes (rented or owned) gives you autonomy. With your own IPs, you directly handle abuse complaints, as your email can be listed on the abuse contact of the IPs. With this, you do not need to be at the mercy of your hosting provider, who may or may not penalize you for every abuse complaint they receive for your exit relay. Abuse complaints nowadays are generally automated, making life challenging with many coming in per day. As we do, you can simply set up an auto-responder to reply to incoming complaints and ask that another email be reached if the complaint is serious and needs direct attention.

    Hosting

    This part is really up to you, but we recommend several things here.

    • A hosting or upstream provider that allows Tor relays (especially exit relays). We’ve tested a few providers, and can recommend them for Tor usage (as of 01/24/22).

      Terrahost (exits & guard/middle allowed)
      – Locations: Norway
      – Service: Dedicated & virtual servers, misc others

      BuyVM/Frantech[aff link] (exits & guard/middle allowed)
      – Locations: Las Vegas, New York, Miami & Luxembourg
      – Services: Virtual servers, misc others

      Less preferred/highly used hosts:

      Hetzner (dedicated & cloud [aff link]) (guard/middle allowed)
      – Locations: Finland, and various locations in Germany
      – Services: Dedicated & cloud servers

      OVH / SoYouStart (guard/middle allowed)
      – Locations: Global network in various countries (mainly Europe)
      – Services: Dedicated, cloud, virtual and various other services

      More info:

      Want to know how to run a relay? Check Run A Relay out.
      If you are familiar with Ansible, be sure to use ansible-relayor.
    • Dedicated hardware, with high GHz CPU cores and an unmetered network port, is the most important for Tor relays. Obviously, with the vast amount of traffic that transits the Tor network you are going to need powerful hardware, as Tor is quite resource intensive with all the encrypting and decrypting being done on the fly. You absolutely do not want noisy neighbors, commonly seen on VPS/VM providers.

      Hardware specifics to look for:
      – 3GHz+ CPU cores with at least 1 core per relay.
      – 2 GB+ of DDR3 (or higher) RAM per relay.
      – A dedicated network uplink to your provider. Bonus points for an unmetered port where you are not charged for overages.
    • Look for a stable network. Look for a provider with a stable network, that doesn’t commonly experience congestion. Congestion, and packet loss can provide a horrible experience for users on the Tor network, resulting in a slow browsing experience with timeouts.

      Network specifics to look for:
      – A well peered hosting provider with multiple public/private peerings and public transit upstreams (think Cogent, GTT, Telia, Lumen, etc.), so that you can reach Tor network users and other relays at a low latency (which improves overall Tor network performance).
      – A provider that experiences a lower level of network congestion, which results in your ability to use your full port speed most of the time. As the Tor network uses TCP, it is important to have a consistently good and reliable network to prevent excess TCP re-transmissions, which increase latency.

    Legal

    Legality is important, so make sure you are following the laws in your country.

    1. Operate your own LLC, non-profit, company, or corporation. This allows you to separate yourself from your Tor exit relays. While you are obviously running them, a legally formed organization will provide you with some legal protections depending on where you live.
    2. Always follow up with serious abuse complaints or subpoenas from law enforcement. This is important, and allows you to continue operating your network as a legitimate netizen. Do take abuse complaints seriously, and try to provide advice to the reporter about the Tor network and how they can circumvent future abuse. If needed, you can also disallow users from utilizing various network ports (such as port 22 used for SSH, a common source of abuse complaints) on your exit relays.

    As our journey is ever evolving, we will attempt to add to this list when we discover more along the way. If you have a suggestion, feel free to contact us, and we’ll consider adding it as well.

    G’day,
    Zach

  • Our vision of the Tor network

    Internet usage has skyrocketed with COVID-19, and as the internet expands, so do we. As you may have noticed, we have been putting a lot of work in to expand our Tor relay & bridge network. As of writing we have over 27 nodes which reside on a diverse set of networks. Today I would like to show you what our vision is for our segment of the Tor network and the network as a whole.

    Some of our statistics

    Tor is amazing, it provides a scalable and simple way to protect and anonymize your internet traffic. Whether it be purely layer 4 (e.g. TCP/UDP) or layer 7 (e.g. HTTP), the Tor network can route it. Tor does many things, but on a daily basis, it protects good people in censored and oppressed situations, providing a way for them to safely access the internet, and all for free with open source software. Because Tor is so great, it requires dedicated volunteers, relay and bridge operators to provide that bandwidth, CPU and RAM capacity. What’s so great is that we have so many individuals already donating their time and money to do this. However, I think we can do better. We should continue to expand the Tor network by providing more bandwidth and more reliable infrastructure for optimal routing with low latency and high throughput. Not only that, we should focus on diversifying the network and providing more relays and bridges running on top of diverse networks. That’s what we’d like to accomplish, and with everyone who loves what Tor does.

    Sadly there are many relay operators that do not maintain their infrastructure well, falling behind on updates and doing little to no monitoring. By running stable and reliable Tor relays and bridges that vision of a better network ensues. We take into careful consideration potential ethical and security risks. The Tor Project team and community already protect against malicious operators and the network itself is diverse enough to handle that. However we should still do everything we can to protect the privacy of traffic that transits through our nodes. Our nodes run on top of various hosting providers, in various geographical locations. We favor providers that show a general respect for privacy and have a beefy network, no 100Mb/s rate limit with 1TB of bandwidth here. We also have our own ASN and IP space for exit relays: unredacted.org/about/network

    To protect our nodes from compromise we do our best to harden against commonly exploited attack surfaces. Nothing fancy here, but we do our best at the moment. This requires a consistent state across all nodes. For this, we use Ansible (an automation tool) which allows you to automate the configuration of your computers. With this, we enforce a pretty strict SSH policy, iptables rules, packages that every node should have, Prometheus exporters, wireguard mesh (Tailscale), various others and the full configuration of our Tor daemons. For Tor automation, we use an Ansible playbook called ansible-relayor. All of this allows us to automate the configuration of our 27 Tor nodes, applying updates, and rotating keys just to name a few. Without this, manual configuration of 27 nodes would be an extremely painful and arduous process to say the least. In theory, we can now automate the configuration of every OS feature.

    Protection is not the only thing, we need good monitoring too. To ensure consistent and reliable service, you just have to monitor your services. We make sure we have deep enough insight into our nodes, but without exposing any Tor user data. We do not log IPs, or analyze the netflows of our traffic. We collect basic metrics using Prometheus and node_exporter. Prometheus (+AlertManager) is configured to send notices through email for high CPU, RAM, disk, I/O load (and other things). We also have a 3rd party which notifies via email and SMS if something goes down. We hope to expand this in the future so that we can also collect route and packet loss statistics from outside sources that are looking into our network. Packet loss is a large cause of high latency, any way we can reduce that on our network would be crucial as the Tor network is typically already higher latency.

    Now, how have we been doing so far? See for yourself! We made publicly accessible graphs and data points that show the utilization of our nodes. We’d like to be as transparent as possible, so these metrics do not contain any revealing info.

    https://grafana.unredacted.net/d/ce-tor-relays/unredacted-tor-relay-metrics?orgId=1

    The past 30 days as of writing

    As you could imagine, all of this requires funding to do. We ask that you help us build a better Tor network through your support and donations, or run your own node.

    If you choose to donate, we accept many forms of payment, in addition to cryptocurrency. To donate, please visit our Donation page. Your donation will make a visible impact on the Tor network through our metrics. If you wish to be notified what your funds went to, we can give you the breakdown.

    Thanks for your time,
    Zach

  • Crypto World is now Unredacted!

    Crypto World was an organization founded in 2015 by a group of friends to advocate for privacy, cryptography and security on the internet. We had a great community and forum, although we decided to shut down the forum due to life events. The community unfortunately died off as well. It held several projects under its name, such as XMPP.is, a free and open XMPP/Jabber server. While there have been many changes, and people have come and gone, it’s an ever-evolving creature.

    The creature still lives, and we’re breathing new life into it. That creature is now Unredacted, evolved into its new form. Unredacted is a special project that picks up from where Crypto World left off and continues its legacy in advocacy.

    We’re excited with our new name, and excited for what the future could bring. These past few years have been tough, and I think everyone can agree. It has put stress on all of us and bogged us down. Regardless, we push forward and continue working on our weaknesses and striving for our goals.

    Welcome, to Unredacted!

    Zach

  • Unredacted, a new Tor relay operator

    Unredacted is a new and special project. We’re focused on operating resilient, automated and security focused infrastructure. We’re dedicated to giving back to the community through open source and privacy focused projects. We’ve run projects such as XMPP.is, a free and open XMPP/Jabber server, and other projects under the Crypto World label for quite some time.

    We’ve maintained and operated Tor relays in the past, however, never under our own network. As an ARIN member that recently expanded our IP space, we registered an ASN, AS399532. Putting it to good use, we established a BGP session with BuyVM, who provides our bandwidth and connectivity. We love stability, so inbound traffic to our network is DDoS protected by Path.

    We have 3 locations in which we operate Tor relays:

    • Las Vegas, NV
    • New York, NY
    • Roost, LU

    All of which can be seen on our status page.

    As a start, we currently run 6 Tor exit relays and plan to add more: metrics.torproject.org

    • Our relays are named after whistleblowers, activists and people who uphold the values that we hold dear to our hearts.
    • For the configuration management of these Tor relays, we use Ansible, which makes it extremely flexible and easy to maintain a consistent configuration across all of our relays.
    • Along with a collection of our own custom Ansible roles and playbooks, we use a fantastic role called ansible-relayor which allows for easy config management and offline keys for our relays.
    • For monitoring we use UptimeRobot, Prometheus and AlertManager, all of which give us different levels of metrics and insight into performance and network latency.

    We hope that you enjoy our project! We’re proud to provide netizens of the world with stable and fast access to and from the Tor network through our relays.

    Til next time 🙂

    Zach
