[tor-relays] Do less-secure pluggable transports on bridges render more-secure types useless?

Rick Huebner rhuebner at radiks.net
Sun Jan 17 19:34:48 UTC 2016


I've read that obfs4 and scramblesuit are very resistant ("immune" is so 
optimistic) to such things as active probes performed by the Great 
Firewall, which can quickly probe and detect older transports (and of 
course vanilla ORports), plus the older transports and ORports are 
subject to relatively quick detection through deep packet inspection 
once a user connects from there.

Does it make sense to offer older, more vulnerable transports along with 
newer, more secure ones? If my bridge offers both obfs3 and obfs4, does 
that just mean that as soon as someone in China uses obfs3 it's detected 
and my IP address is blocked, making the obfs4 port unusable from there 
as well even though it would have avoided detection on its own? More 
fundamentally, does the bridge address server also publish vanilla 
ORports for those bridges which offer obfs4, and does a Chinese user 
accessing my bridge's ORport doom my entire bridge to immediate blockage 
from there?

I can't imagine the GFW would be so kind as to only block the ORport's 
specific port number; I assume it blocks the entire bridge IP address, 
making all transports useless if any single one of them is detected. 
Would it be better to only offer obfs4 to avoid detection and blockage 
via older transports?


