Run Snowflake Proxies and Strengthen Internet Freedom

From TCU Wiki
Run Snowflake Proxies.png
  • Date: Tuesday, November 29, 2022
  • Time: 9am - 10:30am EST / 2pm - 3pm UTC (What time is it in my city?)
  • Who: Gustavo Gus, Community Team Lead, Tor Project
  • Location: TBA


Editing Run Snowflake Proxies and Strengthen Internet Freedom (Workshop)

Have you considered helping users from censored regions to access the free and open internet? Snowflake is a new pluggable transport that allows people from all over the world to access the open internet. In this workshop, you will learn what Snowflake is, and how to set up a proxy and help censored users bypass internet censorship.

Bio: Gustavo Gus joined the Tor Project in 2018 and is the Community Team Lead. Since 2007, Gus has worked as a FOSS and security consultant and digital security trainer for activists and human rights defenders in the Global South. At Tor, he organizes digital security training, facilitates Tor relay operator meetups, coordinates the user support team, and helps the Tor Anti-Censorship team on investigations when Tor is blocked.

Notes and Resources

Run Snowflake Proxies and Strengthen Internet Freedom Slides - Feel free to download and edit, update, remix this presentation!

At the end of 2021, Tor got more bridges because of Russian censorship.

Tor and users are in a constant “cat and mouse” race with censors.

Important Reminder: "The user is anonymous, but the Tor network is not"

Tor Bridges

  • Moat is the most popular bridge
  • Most people using bridges are using obfs4 bridges, despite bridge censorship.
  • But, bridges do need to be improved.
  • The usability issues include how individuals need to request new bridges once one is blocked. The process is not seamless and quick.

Snowflake is a pluggable transport (PT)

Bridges don’t have public IPs; Snowflake adds a layer of obfuscation and encryption on top of the not publicly listed IP.

It combines domain fronting with other anti-censorship techniques.

  • Domain fronting (meek): You visit a site on the Amazon cloud, but you are actually connecting to the Tor network or another app that is blocked.
    • This led to govt’s blocking several cloud providers.
  • Ephemeral proxies (flashproxy)

Snowflake engages three parties:

  • Users
  • Broker
  • Proxy

What is the difference between a bridge and a snowflake proxy?

Snowflake is also more affordable than funding traditional domain fronting which requires much more funds being invested in cloud providers.

All Snowflake proxies connect through one Tor Bridge.

Note about Tor Metrics:
The numbers for bridge and snowflake users are conservative, undercounts.


  • Do not run a Snowflake proxy while using a VPN
  • Do not run a Tor Bridge and Snowflake proxy at the same time.

Tor Browser Testing:
Tor Browser needs Alpha testers who are not at-risk users.


How to request one through https?

  • When you visit (this is the https distributor)
  • This website is likely blocked in a country that blocks tor

Do you have any information about the performance tax incurred when hopping through snowflakes?

  • There is only one bridge that all snowflakes run through and results in the server being overloaded. The issue is with the bridge.

Is the snowflake hop acting like another layer in the onion, in that it is equally 'blind' to the actual contents?

  • The Snowflake proxy doesnt’ know what you are doing on the internet.

Proxy will connect you to the bridge and will connect you to the tor network. The proxy has no visibility into what you are doing.

How much of the internet would break if they blocked WebRTC? Has any government done that?

  • That would break all modern communication like video conferencing applications (Zoom, Jitsi etc.)
  • Some governments can do this, but not sure if any has done so so far.

Can a network probe find if a user is running Snowflake? (e.g. send a packet of some kind, and expect a given response that is only given by the Snowflake client)

  • Doesn’t think so, but not sure.
  • This is one difference between obfs4 and other PTs. If a certificate is not presented, someone cannot connect to obfs4. But not sure if this is the case with Snowflake as well.