[tor-relays] Do less-secure pluggable transports on bridges render more-secure types useless?
Rick Huebner
rhuebner at radiks.net
Sun Jan 17 19:34:48 UTC 2016
I've read that obfs4 and scramblesuit are very resistant ("immune" is so
optimistic) to such things as active probes performed by the Great
Firewall, which can quickly probe and detect older transports (and of
course vanilla ORports), plus the older transports and ORports are
subject to relatively quick detection through deep packet inspection
once a user connects from there.
Does it make sense to offer older more vulnerable transports along with
newer more secure ones? If my bridge offers both obfs3 and obfs4, does
that just mean that as soon as someone in China uses obfs3 it's detected
and my IP address is blocked, making the obfs4 port unusable from there
as well even though it would have avoided detection on its own? More
fundamentally, does the bridge address server also publish vanilla
ORports for those bridges which offer obfs4, and does a Chinese user
accessing my bridge's ORport doom my entire bridge to immediate blockage
from there?
I can't imagine the GFW would be so kind as to only block the ORport's
specific port number, I assume it blocks the entire bridge IP address,
making all transports useless if any single one of them is detected.
Would it be better to only offer obfs4 to avoid detection and blockage
via older transports?
More information about the tor-relays
mailing list