snowflake (software)

Snowflake is a software package for assisting others in circumventing internet censorship by relaying data requests. Snowflake proxy nodes are meant to be created by people in countries where Tor and Snowflake are not blocked. People under censorship then use a Snowflake client (packaged with the Tor Browser an
Onion Browser
to access the Tor network, using Snowflake relays as proxy servers. Access to the Tor network can in turn give access to other blocked services (like blocked websites). A Snowflake proxy can be created by either installing a browser extension, installing a stand-alone program or browsing a webpage with an embedded Snowflake proxy. The proxy runs after the user has voluntarily enabled it and the browser or program is connected to the internet.

In contrast to regular VPNs and proxy services, launching a Snowflake proxy does not require port forwarding or having a dedicated IP address. Simply installing the browser extension is enough most of the time. The simplicity of launching a proxy warrants their numerosity, which makes it hard for the censors to block proxies by simply blocking their IP addresses.Alt URL
/ref>

As of 2024, Snowflake proxies are hosted on about 140 000 IP unique addresses concurrently. The average number of users that use Snowflake to connect to Tor is 35 000 and 29 TB of their traffic is relayed by Snowflake proxies daily.

History

Snowflake was originated by Serene, a hacker and former Google engineer and concert pianist. It was inspired by Flash proxy, a similar censorship circumvention system. The name "Snowflake" was coined as her metaphor for a large number of ephemeral proxies in relation to "ICE Negotiation". Three programmers published the first version in January 2016. In 2019, it became available as a browser extension for Firefox and Chrome. It can also be run on derived browsers, such as Brave and Microsoft Edge. In February 2023 a thoroughly upgraded, stand-alone version dubbed ''Snowstorm'' was released; written in Rust and funded by the Open Tech Fund, beta testing is by invitation.

Function

Normal internet data packages come labelled with the original source and the final recipient of the data. For example, a package containing the encrypted text of this article would be labelled with the destination (the IP address of the reader's computer), and the source (the IP address of a Wikipedia server). This means that even if the actual content is encrypted, a censor can block all packages from certain sources (for instance, banning any package that comes from Wikipedia).

Tor network can be used to access such blocked sites by acting as a proxy, covering the real destination address of the user's request. This is why censors usually try to block the Tor network as well. It is fairly easy for censors to block direct access to Tor because all regular Tor relays are public.

Snowflake provides covert, indirect access to Tor. A Snowflake client is provided with the IP address of a currently-active Snowflake proxy by asking a broker server, which in turn uses domain fronting to pretend to be a major website. The client then talks directly to the Snowflake proxy, which relays into the Tor network. The traffic looks like ordinary peer-to-peer traffic, such as that used by many videoconferencing apps.

A Snowflake proxy runs whenever the browser or program is connected to the internet. If the proxy host has a dynamic IP, the proxy will change its IP address over time. See also ad hoc network.

Snowflake proxies are thus used as Tor entry nodes, not as exit nodes. Exit nodes are the other end of the chain. They are the Tor nodes that know what content was requested, though they do not know who requested it (for instance, they would know that ''someone'' was contacting a Wikipedia server, but they would not know the IP address of the user). Exit nodes might face legal action in the country in which they are hosted if they relay content that is illegal in that country (so they are usually run in countries with little internet censorship). It is unlikely that Snowflake proxy hosts could face such liability, since they do not know what content they are relaying. There are, however, countries where using Tor for any purpose is illegal, such as Russia and Iran.

Technical

Snowflake uses WebRTC to allow browsers to communicate directly with one another. Either installing a browser extension, or keeping a tab open to a webpage with the right embedded code, causes one's browser to act as a proxy. Embedding a Snowflake badge in a website allows visitors to make their browser into a proxy, exactly as installing the extension does, but by clicking a button on the website rather than by installing software. Snowflake can also be run as a stand-alone program in a Docker container.

Proxying traffic increases the proxy host's bandwidth usage, which may be a problem for those with bandwidth limits on their internet plans. In practice, hosting a Snowflake proxy does not seem to appreciably slow one's internet connection or disrupt browsing.

A detailed technical description is published on GitLab.

Countermeasures

Countermeasures believed to be currently in use against Snowflake from Russia include browser fingerprinting Snowflake hosts and then blocking them. Censors may also install and use Tor, then block all the IP addresses offered as Snowflake servers. Both of these techniques are weakened when there are larger numbers of servers.

Censors may attempt to block the broker's IP address. To circumvent this, the Snowflake client utilizes domain fronting. This makes it infeasible for the censor to block a single website without blocking all the other websites hosted on the same cloud service. Google Cloud Platform and Amazon's AWS are examples of such services. They host hundreds of thousands of websites. Blocking all the servers of one of these major hosts has disruptive side effects. However, the cloud provider can and often does block domain fronting.

If overseas connections from data centers are allowed, but residential and mobile services are restricted to local connections, then Tor bridges may be secretly and illegally set up in local data centers. This has obvious dangers.

When a country shuts down access to foreign internet connections altogether, essentially cutting the country off from the global internet, Snowflake becomes useless. This has been repeatedly done in Iran and some other countries; it is, however, bad for business (in Iran in 2022, the cost was estimated at $37 million US a day), so it is usually only done for short periods.

Comparison to VPNs

A simple proxy, like a virtual private network (VPN), has only a single relay. This means that the server address of the VPN has to be known to every user, making them easier to block. For instance, at the beginning of October 2022, during Internet disruptions related to the Mahsa Amini protests, VPNs in Iran would drop connections every few minutes. The VPN itself also knows which end-users requested which pages, allowing VPNs to engage in surveillance. In some countries, such as Iran, VPNs are illegal.

Uses

Snowflake came to be widely discussed online in the first week of October 2022, as a way of combating internet restrictions in Iran during the Mahsa Amini protests, and a guide in Persian was released.

In 2022, the Russian government increased efforts to block access to Tor through technical and political means, and the Tor network reported an increase in traffic from Russia using Snowflake.

Snowflake is integrated into the Tor network. Usage of the Tor network is becoming more common in Russia, Belarus, and Iran, , as internet censorship in these countries has become more strict.

See also

* Psiphon uses a variety of anticensorship techniques
* Smartphone ad hoc network, a peer-to-peer system that can be used when the conventional Internet infrastructure is entirely shut down
** Briar (software) uses Tor
* Sneakernet, a technique widely used in countries with little internet access.
* Toosheh uses satellite television receiving equipment to download (but not upload) files, which are then sometimes sneakernetted.
* Flash proxy is a similar project, which Snowflake was inspired by.

References

External links

Live graph of user numbers
filterable by country of origin and transports (of which Snowflake is one)

{{Authority control

Tor (anonymity network)
2016 software