lots of changes

opsec/tor/bridge/index.html

@@ -61,14 +61,10 @@
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
   				<a href="../../index.html">Previous Page</a></br></br>	<p><img src="../../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist - 01 / 02 / 2024</ba></p>
-					<h1>TOR Bridge (June 2023 update)</h1>
+					<h1>TOR Bridge (November 2024 update)</h1>
 					<img src="../logo.png" class="imgRz">
                     <p> Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your Debian server. </p>
-<p>Now regarding the choice of location for the server, in order to make sure that Tor remains decentralised,  make sure that you are picking a country that doesn't have many tor nodes (see the <a href="https://metrics.torproject.org/bubbles.html#country">bubbles graph</a>):</p>
-<img src="../relay/country.png" class="imgRz">
-<p><u>Disclaimer:</u> <b>Do not host your Tor node in Germany, Netherlands or in the US, as there are already too many nodes in those countries.</b> Try to run your own Tor nodes in countries that have the least nodes preferably, as this will help keeping the Tor network decentralized.</p>
-
- 
+          
 	       </div>
 			</div><!-- /row -->
 	    </div> <!-- /container -->
@@ -224,11 +220,87 @@ Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E  cert=
 <p>Then we check if it is working on <a href="https://check.torproject.org/">check.torproject.org</a>:</p>
 <img src="11.png" class="imgRz">
 <p>And that's it! we have been able to use our own VPS-hosted tor bridge!</p>
+<p>If you want to use the bridge from torrc you can do as follows:</p>
+<pre><code class="nim">
+nihilist@mainpc: ~$ vim /etc/tor/torrc
+nihilist@mainpc: ~$ cat /etc/tor/torrc
+
+UseBridges 1
+ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed
+Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E  cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0
+
+nihilist@mainpc: ~$ systemctl restart tor@default
+
+</pre></code>
+<p>Now keep in mind that obfs4 traffic simply looks like random data on the outside, it doesn't look like legit https traffic when doing deep-packet inspection. Therefore for heavily-censored countries, we recommend you use snowflake bridges:</p>
 </div>
 			</div><!-- /row -->
 	    </div> <!-- /container -->
 	</div><!-- /white -->
 
+	<div id="anon2">
+	    <div class="container">
+			<div class="row">
+				<div class="col-lg-8 col-lg-offset-2">
+          <h2><b>Snowflake bridge theory</b></h2> </br> </br>
+<p>As time goes to 2024 censorship becomes more advanced, and sometimes snowflake protocol works better than obfs4. We will go through theories and setup about snowflake bridge</p>
+<p>For a normal tor connection without bridge, you will:</p>
+<p>1.Talk to central directory</p>
+<p>2.Get network information</p>
+<p>3.Connect to your gurad nodes, and form tor circuits</p>
+<img src="snowflake-migrate/normal_tor_connection.png" class="imgRz" style="width: 700px">
+<p>If tor network is blocked, you cannot talk to central directory or any tor node ip, then you need a <b>bridge</b></p>
+<p>All of your communication goes through the bridge, including your initial talk to central directory, and your bridge automatically becomes your first tor node</p>
+<img src="snowflake-migrate/bridge.png" class="imgRz" style="width: 600px">
+<p>Bridges are usually not publicly announced for censorship resistance, since once a bridge ip get known by censoring firewall it can simply drop all the packets to that ip</p>
+<p>This is the weakness for traditional tor bridges, not matter how hard you try to obfuscate your traffic, the <b>bridge ip </b>always have to be semi-public because you want people to use it, but this means people who work for censorship can also find bridge ip</p>
+<p>To end this cat and mouse game, snowflake is introduced</p>
+
+<img src="snowflake-migrate/snowflake-schematic.png" class="imgRz" style="width: 700px">
+<p>This is a picture of how snowflake works from tor official</p>
+<p>First you have volunteers over the world who install snowflake plugin in their browsers, they act as bridges for you to connect to tor network. Because this is mostly run by amateurs, and people turn on and off their devices all the time, which makes many ephemeral bridges, and this is why it is called snowflake</p>
+<p>There is also a server called broker that knows all the information about snowflakes</p>
+<img src="snowflake-migrate/snowflakes.png" class="imgRz" style="width: 600px">
+<p>Then you will use a technique called domain fronting, which makes you seems connecting to a legit service like azure cloud or google cloud, but your actual connection goes to the broker.</p>
+<img src="snowflake-migrate/domain-fronting.png" class="imgRz" style="width: 600px">
+<p>Then the broker server introduce you to the snowflake proxy, then you establish a webrtc connection, which is a connection allows two app to have direct connection for video call or file transmission. Then your traffic goes to the snowflake proxy, and connects to the rest of tor network</p>
+<img src="snowflake-migrate/WebRTC.png" class="imgRz" style="width: 600px">
+<p>Then you connect to tor network!</p>
+
+          <h2><b>Snowflake bridge in practice</b></h2> </br> </br>
+<p>Now in practice, all you need to do to run a snowflake bridge is to have a webpage that runs the following HTML code:</p>
+<iframe src="https://snowflake.torproject.org/embed.html" width="320" height="240" frameborder="0" scrolling="no"></iframe>
+<p>Whoever wants to run a snowflake bridge simply has to click the "enabled" slider to run a snowflake bridge. Or you can also run <a href="https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/">the snowflake firefox extension</a> to run a snowflake bridge whenever you are starting a webpage:</p>
+<img src="15.png" class="imgRz">
+<img src="16.png" class="imgRz">
+<img src="17.png" class="imgRz">
+<img src="18.png" class="imgRz">
+<img src="19.png" class="imgRz">
+<p> and then you can simply wait for someone to use it. Someone that needs to evade censorship somewhere in the world will start to use it when torproject will give them the snowflake bridgelike so: </p>
+<img src="12.png" class="imgRz">
+<img src="13.png" class="imgRz">
+<img src="14.png" class="imgRz">
+<p>If you want to use the snowflake bridge from torrc you can do as follows:</p>
+<pre><code class="nim">
+nihilist@mainpc: ~$ vim /etc/tor/torrc
+nihilist@mainpc: ~$ cat /etc/tor/torrc
+
+UseBridges 1
+ClientTransportPlugin snowflake exec ./client -log snowflake.log
+
+Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net.global.prod.fastly.net/ fronts=foursquare.com,github.githubassets.com ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
+
+Bridge snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
+
+Bridge snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
+
+nihilist@mainpc: ~$ systemctl restart tor@default
+
+</pre></code>
+				</div>
+			</div><!-- /row -->
+	    </div> <!-- /container -->
+	</div><!-- /white -->
 	<!-- +++++ Footer Section +++++ -->
 
 	<div id="anonb">
@@ -237,7 +309,7 @@ Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E  cert=
 				<div class="col-lg-4">
 					<h4>Nihilism</h4>
           <p>
-						Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
+						Until there is Nothing left.</p></br></br><p>Creative Commons Zero: No Rights Reserved</br><img src="\CC0.png">
 						
 					</p>
 				</div><!-- /col-lg-4 -->