[tor-dev] Pluggable Transport Browser Bundle FTE Integration
David Fifield
david at bamsoftware.com
Mon Sep 2 05:41:37 UTC 2013

On Sun, Sep 01, 2013 at 01:32:23PM +0300, George Kadianakis wrote:
> Kevin P Dyer <kpdyer at gmail.com> writes:
> > === How do we invoke PTs?
> > I had this discussion with Roger, but I don't see any open tickets or clear
> > discussion on this already. If we have N>1 PTs and at least one bridge per
> > PT, how do we select which PT (and which bridge associated with that PT) to
> > use? Determinism is bad because then only one PT is used. Booting up all
> > PTs is bad, especially if (say) the PTs make network connections prior to
> > any incoming SOCKS connections. Selecting a random PT is potentially bad,
> > too, depending upon how hostile and persistent and stateful the adversary
> > is.
>
> That's an interesting question. I'm not sure if the process of Tor
> picking bridges is deterministic or not. I should test it out. David
> might know.
>
> (A good scenario would be that Tor treats bridges like guards and
> selects some at random to build circuits.)

I don't know how Tor decides which PT bridges to use. I would guess that
it treats them like any other Bridge lines in torrc.

You should see this ticket and blog post:

"Config option to declare whether you're using bridges for
reachability or for security"
https://trac.torproject.org/projects/tor/ticket/4624
https://blog.torproject.org/blog/different-ways-use-bridge

The idea behind it is that some users want covertness (I need to hide
the fact that I am using Tor), and some users want reachability (I need
some way to circumvent the firewall). The way I see it, the unstated
policy of the PT bundles is to optimize for reachability. By default we
launch all the transports we know about, so for example if three
transports are blocked and one gets through, that is a success. This
doesn't work for the first kind of user, for whom a blocked transport
means they have been detected.

This first kind of user is likely to have to take some extraordinary
steps while using Tor in any case. I don't think we have a plan for how
to make a bundle that, in its default configuration, is safe to use for
all such users. However we can make a bundle that does reachability with
no special configuration, so that's what we're doing.

The new 3.0 series bundles ask you, on startup, whether you are able to
connect directly to Tor or whether you have to do your own manual
configuration (like adding bridges). The option to launch only one
specific safe transport could in principle be added to such a UI.

David Fifield