Legal question for the Tor team (disclaimer, I love Tor and use it in BrowserBox):
- Does Tor need an OFAC license to supply to Russian and Iranian (and other sanctioned entities)? What's your approach to stay compliant and globally helpful? I know 50% of your funding comes from US government (or did a few years back, still?), does this give you extra pathways to engage those regions?
I'm wondering because the system would seem to fall under ITAR due to its encryption, and even if non-ITAR is still a cyber product and these countries are heavily OFAC listed rn.
This is relevant for me right now as I was recetnyl contact by a significant entity in a sanctioned region with a massive deal for BrowserBox. Applying for an OFAC license to see if it's possible to serve them (but we have to make final determination on ethics/legal even if license is approved, I guess). My feeling is that broad sanctions don't hurt the things they are meant to but punish people in all countries from forming transnational links that might actually help to prevent conflicts and build relations however small. Idk, just my reflections after encountring this situation.
The section on conjure is fascinating. For those who haven't followed the refraction networking space, the idea of leveraging unused address space at the ISP level is something academic papers have proposed for years [1]. Seeing it deployed in the wild is huge. The hardest part of this has always been non-technical by the way. Convincing ISPs to cooperate. If the Tor project has managed to get ISPs to route traffic destined for unallocated IPs to a station that handles the handshake, it completely breaks the censor's standard playbook of IP enumeration. You can't just block a specific subnet without risking blocking future legitimate allocations.
I'd be curious to know if these are smaller, sympathetic ISPs or if they managed to partner with larger backbone providers. I'm interested to hear more about this.
Considering the staggering number of arrest for online/offensive communications in England & Wales, we should add Britain to the list of Russia and Iran
Are you proposing we ignore communications threatening violence or inciting harm? For instance Lucy Connolly's tweet urging people to set fire to mosques?
Why has Europe gone nutso ? They were the ones who kept lecturing us (Global South) about "freedom of speech and media is critical to democracy", yadda-yadda at every global conference. Now many of their laws are even worse than much of the third world and people are getting arrested for saying banal stuff online.
Imagine being at the legal mercy of terminally online reddit mods who can deploy police to arrest you, and the police strategy is to roll up on you between 1 and 5 AM at night, to catch you vulnerable and off-guard.
If they don't like a comment you make, or if your face isn't sufficiently supportive in a picture taken of you, or if you downvote the wrong post, all someone has to do is claim they are offended, and you can get taken to jail.
Oi! You gotta loicense for that smirk?
They're still in the civilized phase of this, with people being politely disturbed but still playing along with authority. I can't imagine this ends well, however - I think they're gonna get riots in Guy Fawkes masks, widespread mayhem, and murder before it's over.
Do they have official instructions on how to setup (which URLs for STUN, etc - there are a couple required) TOR via Snowflake on desktop (bc on Android it all seems to be bundled inside Orbot)?
Why is Tor making it so difficult to change the region/ExitNode then? Geo-Blocking is by far the most prevalent form of online censorship and while Tor can work around it, it requires fiddling with config files and restarting the service instead of clicking a button.
The "Mimicry" Angle (Best for technical discussion)
The shift from "obfuscation" to "mimicry" is the real story here. In 2025, "random-looking" traffic is itself a signature for DPI. Tools like WebTunnel that mimic standard HTTPS/SNI and Conjure that hides in unused ISP space force censors into a "collateral damage" dilemma: they can't block Tor without breaking their own web.
I think we could have a more thoughtful discussion if people didn't start off with an assumption that the way the US manages free speech is unquestionably better than the rest of the world. Take a breath and think before you write.
It seems to me that what you are allowed to say in the US is very dependent on how much the person you are saying it about is able to spend on lawyers, for instance.
Russia was already complicated two years ago, most of-the-shelf VPNs blocked, and with Intel/Microsoft websites blocking themselves due to sanctions it was rather difficult to set up a fresh laptop - it couldn't download drivers, and obvious channels were all blocked.
This year they've blocked almost all of the VPNs and additionally calls in all messenger apps and FaceTime. The only thing that works is Outline - but one has to set up the server somehow, and if you're in Russia without a western credit card it might be difficult to do. For some reason the iOS app for Outline is still in the Russian App Store.
"As the severity of censorship in Russia has increased, WebTunnel has also received several fixes, such as SNI imitation and safe non-WebPKI certificate support with certificate-chain pinning to ensure it can withstand more kinds of censorship, including SNI allowlisting and the rapid blocking of distributed bridges."
"SNI imitation" and "non-WebPKI certificate support" sounds like it could be useful for purposes other than evading censorship in any particular country
Discerning web users around the globe might also be interesting evading data collection, surveillance and ads by so-called "tech" companies, for example
29 comments
[ 6.5 ms ] story [ 58.5 ms ] threadDoes basically all network leaving China still get ratelimited at a few megabytes per second?
- Does Tor need an OFAC license to supply to Russian and Iranian (and other sanctioned entities)? What's your approach to stay compliant and globally helpful? I know 50% of your funding comes from US government (or did a few years back, still?), does this give you extra pathways to engage those regions?
I'm wondering because the system would seem to fall under ITAR due to its encryption, and even if non-ITAR is still a cyber product and these countries are heavily OFAC listed rn.
This is relevant for me right now as I was recetnyl contact by a significant entity in a sanctioned region with a massive deal for BrowserBox. Applying for an OFAC license to see if it's possible to serve them (but we have to make final determination on ethics/legal even if license is approved, I guess). My feeling is that broad sanctions don't hurt the things they are meant to but punish people in all countries from forming transnational links that might actually help to prevent conflicts and build relations however small. Idk, just my reflections after encountring this situation.
I'd be curious to know if these are smaller, sympathetic ISPs or if they managed to partner with larger backbone providers. I'm interested to hear more about this.
[1] look up tapdance
> No mention of "age verification"
> No mention of people arrested for Twitter posts in the UK and the EU
What did they mean by this?
2017: ~5,500 arrests
2019: ~7,734 arrests
2023: ~12,183 arrests
Why did this happen ? What changed ?
If they don't like a comment you make, or if your face isn't sufficiently supportive in a picture taken of you, or if you downvote the wrong post, all someone has to do is claim they are offended, and you can get taken to jail.
Oi! You gotta loicense for that smirk?
They're still in the civilized phase of this, with people being politely disturbed but still playing along with authority. I can't imagine this ends well, however - I think they're gonna get riots in Guy Fawkes masks, widespread mayhem, and murder before it's over.
It seems to me that what you are allowed to say in the US is very dependent on how much the person you are saying it about is able to spend on lawyers, for instance.
This year they've blocked almost all of the VPNs and additionally calls in all messenger apps and FaceTime. The only thing that works is Outline - but one has to set up the server somehow, and if you're in Russia without a western credit card it might be difficult to do. For some reason the iOS app for Outline is still in the Russian App Store.
"SNI imitation" and "non-WebPKI certificate support" sounds like it could be useful for purposes other than evading censorship in any particular country
Discerning web users around the globe might also be interesting evading data collection, surveillance and ads by so-called "tech" companies, for example
https://blog.torproject.org/introducing-webtunnel-evading-ce...