[tor-relays] failed setup of obfs4 on relay

Roger Dingledine arma at mit.edu
Fri Mar 30 20:52:23 UTC 2018


On Sat, Mar 31, 2018 at 07:40:48AM +1100, teor wrote:
> > Which is different from the bridge line I used by hand, i.e. has FINGERPRINT, has cert=? and iat-mode=?.  
> > These extra bits made all the difference, but why?
> 
> Tor can't connect to an obfs4 bridge without its certificate.
> The encryption just won't work.

Right. The longer answer is because obfs4 protects against what are
called "active probing" attacks:
https://www.freehaven.net/anonbib/#foci12-winter
where the censor sees a connection that their Deep Packet Inspection
(DPI) system can't classify for sure, so they do a follow-up connection
talking the protocol they think it might be.

If you connect to an obfs2 bridge from within China, it will trigger an
"active probe" follow-up, which talks obfs2 + tor to the destination,
and when the bridge talks obfs2 + tor back, that address gets banned.

For obfs4, the active prober doesn't know the secret "cert" parameter,
and without that the obfs4 bridge won't act like an obfs4 bridge, making
it hard for the censor to decide for certain that it should be banned.

Hope that helps,
--Roger
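
A simplified model of the behaviour described in the message above, added here as an example; it is not part of the original post and not obfs4's own code. The bridge replies only when the first message carries a MAC keyed with a shared secret (standing in for the "cert" value) and stays silent otherwise. The message layout, the names and the one-hour skew window are assumptions for illustration, not obfs4's wire format.

```python
import hashlib
import hmac
import os
import time

NONCE_LEN = 32
MAC_LEN = 16  # truncated HMAC-SHA256 (a choice made for this model)


def _mac(secret, nonce, hour):
    """MAC over the nonce and the current hour, keyed with the bridge secret."""
    msg = nonce + str(hour).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:MAC_LEN]


def client_hello(secret, now=None):
    """First message: random nonce plus a MAC only a holder of the secret can compute."""
    hour = int((time.time() if now is None else now) // 3600)
    nonce = os.urandom(NONCE_LEN)
    return nonce + _mac(secret, nonce, hour)


class Bridge:
    """Model bridge: answers valid hellos, gives a prober nothing to classify."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = set()  # MACs already accepted, so a recorded hello cannot be replayed

    def first_message(self, data, now=None):
        """Return reply bytes for a valid hello; None means 'stay silent'."""
        if len(data) != NONCE_LEN + MAC_LEN:
            return None
        nonce, mac = data[:NONCE_LEN], data[NONCE_LEN:]
        hour = int((time.time() if now is None else now) // 3600)
        # Tolerate one hour of clock skew in either direction.
        valid = any(hmac.compare_digest(mac, _mac(self.secret, nonce, h))
                    for h in (hour - 1, hour, hour + 1))
        if not valid or mac in self.seen:
            return None
        self.seen.add(mac)
        return hmac.new(self.secret, b"reply" + nonce, hashlib.sha256).digest()
```

A prober that sends random bytes, guesses the secret, or replays a captured hello gets the same result (no reply), which is why the bridge line has to carry the secret for a real client.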


