[tor-project] Many obfs4 bridges with similar nicknames and characteristics

David Fifield david at bamsoftware.com
Tue Dec 13 18:41:36 UTC 2016


On Mon, Nov 28, 2016 at 07:23:16PM -0800, David Fifield wrote:
> There are many bridges in Onionoo that seem to follow a common naming
> convention: two dictionary words concatenated, then truncated to 16
> characters. That, plus the fact that many of them run on the same
> platform, run only the obfs4 transport, and have related last_restarted
> times, makes me think they are somehow related and perhaps malicious. In
> a sample of 200 Onionoo bridges, 19% followed the convention. I noticed
> this by accident and I'm not planning to look into it more, so I'm
> dropping notes here.

I managed to get one of these bridges (nickname "thirsterworthwhi",
hashed_fingerprint 6FA21996A631A9E51A53E4867E887F95BDD1145D) from
BridgeDB. It is running in AS 14061, "DIGITALOCEAN-ASN - Digital Ocean,
Inc., US".
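
An added example, not part of the original message or any Tor Project tooling: one way to test whether a bridge nickname fits the convention described in the quoted text (two dictionary words concatenated, then truncated to 16 characters). The word list, the minimum piece length, the function names, and every sample nickname except "thirsterworthwhi" are assumptions constructed for illustration.

```python
# Added example: flag nicknames that fit "two words concatenated, cut to 16".
TRUNC = 16      # truncation length stated in the message
MIN_PART = 3    # assumption: ignore very short pieces to limit false matches

# Constructed word list; in practice load a full dictionary file instead.
WORDS = {"thirster", "worthwhile", "worth", "quiet", "harbor", "bridge", "relay"}

# "thirsterworthwhi" is from the message; the other nicknames are constructed.
SAMPLE = ["thirsterworthwhi", "quietharbor", "Unnamed", "torbridge01"]


def find_splits(nickname, words):
    """Return sorted (first, second) word pairs whose concatenation,
    truncated to TRUNC characters, equals the nickname."""
    nick = nickname.lower()
    if not nick.isalpha() or len(nick) > TRUNC:
        return []
    pairs = set()
    for i in range(MIN_PART, len(nick) - MIN_PART + 1):
        head, tail = nick[:i], nick[i:]
        if head not in words:
            continue
        if len(nick) < TRUNC:
            # Nothing was cut off, so the tail must be a whole word.
            if tail in words:
                pairs.add((head, tail))
        else:
            # Exactly TRUNC long: the tail may be a truncated word.
            pairs.update((head, w) for w in words if w.startswith(tail))
    return sorted(pairs)


def matching_fraction(nicknames, words):
    """Fraction of nicknames that fit the convention."""
    hits = [n for n in nicknames if find_splits(n, words)]
    return len(hits) / len(nicknames) if nicknames else 0.0


if __name__ == "__main__":
    for name in SAMPLE:
        print(name, find_splits(name, WORDS))
    print("fraction:", matching_fraction(SAMPLE, WORDS))
```

A match only shows that a nickname fits the naming pattern; the quoted message relied on it together with platform, transport, and last_restarted similarities.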

