Snowflake, a censorship circumvention system
using temporary WebRTC proxies

Authors are listed in alphabetical order.

USENIX Security 2024

Paper home page: https://www.bamsoftware.com/papers/snowflake/
This talk: https://www.bamsoftware.com/talks/snowflake-usenix2024/

Précis

Snowflake is a censorship circumvention system—a way of enabling communication between network endpoints despite the interference of an intermediary censor. (Censors may do things like block IP addresses, send forged TCP RST packets, or falsify DNS responses.)

Snowflake uses a large pool of ultra-lightweight, temporary proxies ("snowflakes") that communicate using WebRTC protocols.

How does Snowflake resist address-based blocking?
Its pool of temporary proxies is large (on the order of 100 K), and varies over time.
How does Snowflake resist content-based blocking?
By transporting traffic in an encrypted WebRTC container.

Snowflake has been in serious deployment for 3+ years. It is a built-in circumvention option in Tor Browser, and serves a few tens of thousands of users at any time.

https://snowflake.torproject.org/

or WebExtension proxy, Orbot kindness mode
Screenshot 1: the Snowflake WebExtension running in Firefox. The purple Snowflake toolbar icon is activated. The popup says: "Your Snowflake is ready to help users circumvention censorship. Enabled: ✓. Learn more."
Screenshot 2: Orbot 17.2.1-RC-2-tor.0.4.8.7 "Kindness" tab. "Orbot. Help others connect to Tor. Kindness mode allows your device to be a bridge for others. It helps people use Tor in places where it is blocked. It will not drain your battery. It will not slow down your internet. It can run only over wifi. It can be turned off anytime." "Activate" button.

Snowflake system components

Rendezvous

Zoom on the rendezvous part of the system components diagram.

The client sends its request for service through a secure rendezvous channel. Rendezvous is modular, and independent of the main WebRTC-based system.

Currently deployed rendezvous methods:

See "Communication Breakdown: Modularizing Application Tunneling for Signaling Around Censorship" (PETS 2024) for the rendezvous problem in general.

Session persistence

Zoom on the data transfer part of the system components diagram.

When an in-use proxy goes away, the client does another rendezvous and resumes the session on a new proxy.

This process uses end-to-end session state stored at the client and the bridge (a Turbo Tunnel design). Temporary Snowflake proxies are just pipes.
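As an added illustration (not code from the paper or the Snowflake project), a Python simulation of this Turbo Tunnel-style resumption: the bridge keeps per-session reassembly state keyed by a session ID, proxies are stateless pipes that vanish mid-stream, and the client re-rendezvouses and retransmits from its last acknowledged sequence number. The class names, the sequence-number scheme and the proxy failure modes are constructed for the example.

```python
class Bridge:
    """Holds per-session reassembly state keyed by session ID (the Turbo Tunnel idea)."""
    def __init__(self):
        self.sessions = {}   # session_id -> {"next_seq": int, "data": bytearray}
        self.duplicates = 0  # retransmissions discarded as already received
    def receive(self, session_id, seq, payload):
        s = self.sessions.setdefault(session_id, {"next_seq": 0, "data": bytearray()})
        if seq == s["next_seq"]:          # in order: append to the session stream
            s["data"] += payload
            s["next_seq"] += 1
        elif seq < s["next_seq"]:         # already have it: drop, re-ack
            self.duplicates += 1
        return s["next_seq"]              # ack = next sequence number wanted

class FlakyProxy:
    """A temporary proxy: a stateless pipe that dies after `lifetime` packets."""
    def __init__(self, bridge, lifetime):
        self.bridge, self.lifetime = bridge, lifetime
        self.lose_last_ack = lifetime % 2 == 0   # constructed failure mode
    def forward(self, session_id, seq, payload):
        if self.lifetime <= 0:
            raise ConnectionError("proxy went away before delivery")
        self.lifetime -= 1
        ack = self.bridge.receive(session_id, seq, payload)
        if self.lifetime == 0 and self.lose_last_ack:
            raise ConnectionError("proxy went away after delivery, ack lost")
        return ack

class Client:
    """Keeps the session ID and resends unacked data across proxy changes."""
    def __init__(self, session_id, rendezvous):
        self.session_id, self.rendezvous = session_id, rendezvous
        self.proxy = rendezvous()         # initial rendezvous
    def send_stream(self, chunks):
        seq = 0                           # first unacked sequence number
        while seq < len(chunks):
            try:
                seq = self.proxy.forward(self.session_id, seq, chunks[seq])
            except ConnectionError:
                self.proxy = self.rendezvous()   # new proxy, same session
        return seq

def run_demo(n_chunks=12):
    bridge, count = Bridge(), [0]
    def rendezvous():                     # hands out proxies of lifetime 1,2,3,4,1,...
        count[0] += 1
        return FlakyProxy(bridge, (count[0] - 1) % 4 + 1)
    chunks = [f"chunk{i:02d}|".encode() for i in range(n_chunks)]  # constructed stream
    Client("sess-A", rendezvous).send_stream(chunks)
    return bytes(bridge.sessions["sess-A"]["data"]), count[0], bridge.duplicates
```

`run_demo()` returns the reassembled stream, the number of rendezvous the client needed, and how many retransmitted packets the bridge deduplicated; the stream arrives intact and in order although no single proxy carried it.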

See "SpotProxy: Rediscovering the Cloud for Censorship Circumvention" (USENIX Security 2024) for an active migration that avoids the need for a repeated rendezvous.

Users and bandwidth

Figure: two line graphs with a shared horizontal time axis running from July 2021 to August 2024. The upper graph, “Average concurrent clients,” ranges from 0 to 100,000; the lower graph, “Gbit/s,” ranges from 0 to 4. Events from the text are marked:
2021-07-06: Tor Browser 10.5 includes Snowflake;
2021-12-01: Onset of Tor blocking in Russia;
2021-12-14 & 2021-12-20: Tor Browser 11.5a1 and 11.0.3 alter DTLS fingerprint;
2022-02-24: Russian invasion of Ukraine;
2022-07-14: Tor Browser 11.5 automatic configuration;
2022-09-20: Protests in Iran;
2022-10-04: TLS fingerprint blocking in Iran;
2022-10-27 & 2022-11-01: Tor Browser 11.5.6 and Orbot 16.6.3 fix TLS fingerprint;
2023-01-16 – 2023-01-24: Domain fronting rendezvous temporarily blocked in Iran;
2024-02-09: Release of Orbot 17;
2024-03-01: Second malfunction in domain fronting rendezvous.
Caption: Snowflake users (daily average concurrent) and bandwidth (daily average).

More information in the paper

Home page with documentation & source code: https://snowflake.torproject.org/
Paper home page: https://www.bamsoftware.com/papers/snowflake/
This talk: https://www.bamsoftware.com/talks/snowflake-usenix2024/
Donations for bridge hosting: "Snowflake Daily Operations" on OpenCollective

David Fifield <david@bamsoftware.com>