[tor-dev] Stopping the censoring of tor users (via exit bridges / proxies / OpenVPNs)
grarpamp
grarpamp at gmail.com
Mon Feb 29 09:06:22 UTC 2016
On 2/25/16, blacklight . <pandakaasftw at gmail.com> wrote:
> Hello there! I don't know if this mailing list works but I thought of
> giving it a try.
>
> I was lately reading an article (
> http://www.pcworld.com/article/3037180/security/tor-users-increasingly-treated-like-second-class-web-citizens.html
> )
> and it was about tor users getting blocked from accessing a lot of websites.
> But after giving this some thought I think I came up with a possible
> solution to the problem: there is a thing called bridges, they are used to
> access the tor network without your isp knowing that you use tor, but if
> you can use those proxies to enter the network, it might also be possible
> to exit the network with them. But then we face a second challenge, the
> exit nodes have to be configured in such a way that it will relay traffic
> to such a bridge, so the exit node owners also need to know the ip of the
> bridge. While this doesn't seem difficult to do, it can become difficult.
> You see, if the bridges are published on a public list (like normal bridges
> are) then the blocking sites in question will be able to block those
> addresses too. While this also poses a problem, a possible solution could be
> found in something called flashproxies, flashproxies are bridges with a
> really short life span, they are created and destroyed fairly swiftly, when
> this is done at a rapid pace, they become really hard to block because the
> ip changes all the time. So if the exit nodes can be configured to make use
> of such flash proxies, then the problem could be solved. I must admit that
> I'm not an expert on this or anything, and it needs a lot more thought, but
> it could work. So I was wondering if there are any experts who could help
> me with thinking out this subject and maybe confirm if this idea could
> work.

Skipping that whoever wants to enumerate, test, block, and share
lists of the IP of your final hop will find a way to do so...

"flashproxies"
- are essentially illegal to use as the operator got stupid, and
  didn't give permission.
- are unstable as they were never intentionally provisioned, and the
  operators get smart after abuse reports and shut them off.
- proxy lists are going to be a pain for you to scrape and maintain

Options
- run your own volunteer network of last hop "proxies" / bridges
- buy them from AWS or wherever "meek" style
- partner with or plug into already existing networks of those
- get tor relays or bridges to do this

I previously wrote in archives that exit relays could bind OpenVPN
to extra IPs they configure on their exit relay boxes. Tor daemon
has nothing to do with those IPs so they never appear in tor's easily
blacklistable consensus. Users then OpenVPN over tor to those via
use of the relay fingerprint to reach vpn terminator IP over relay
localhost to save bandwidth, and on out to clearnet.

You can OpenVPN to some list of onions if you don't feel like listing
the relay fingerprints / extra input IPs on wikis. But it's not going
to stop dedicated blacklisters, and onion doubles bandwidth use.
However it could also be used by non-exits that for whatever reason
didn't want to be a tor-exit but did want to offer exit via some
remote third party vpn service. And strictly social sharing on
forums etc could happen for distribution.

There are already some exits that for various reasons, intentional
or other, do not exit from their OR IP. That is a feature that some
tor users do now find and use. And relays don't offer OpenVPN yet
which would also give users more than just IPv4-TCP exit scheme.

Though it is integrated somewhat, I2P has this manual sort of exit
offering model with false.i2p and a few other nodes.

[Doesn't seem to require daemon dev work, updated subject, continuing
thread reply to relays and talk.]