[tor-talk] How do the OBFS4 "built-in" Bridges work?
Nathaniel Suchy (Lunorian)
me at lunorian.is
Mon Apr 30 04:21:00 UTC 2018
So the concerns I brought up are already addressed in an upcoming update?
Cheers,
Nathaniel
Jacki M:
> Torbrowser 8a3 added moat which I’m actually fetches new bridges, without requiring you to go to bridges.torproject.org.
>
> Bug 23136: Moat integration (fetch bridges for the user)
> Download the latest alpha https://dist.torproject.org/torbrowser/8.0a6/
> Remember this is an alpha and should only be used for testing purposes, moat should be included in the next major stable.
> Sent from my iPad
>
>> On Apr 29, 2018, at 12:41 PM, Nathaniel Suchy (Lunorian) <me at lunorian.is> wrote:
>>
>> Thank you for clarifying that. The obfs4 bridges you can get at
>> bridges.torproject.org also pose an interesting risk, the ports each
>> Bridge IP Address is using seem to be non-standard, I'm in the US and
>> most networks I am at do not censor although sometimes certain ports at
>> public wifi networks are blocked, could a threat actor threatening you
>> or tor users in general realize an IP Address was a Tor Bridge by
>> identifying a large amount of traffic to a non-standard port on random
>> datacenter IP Addresses?
>>
>> You can tell Tor Browser your Firewall only allows connections to
>> certain ports which I assume when used with bridges would help further
>> hide the fact you are using Tor.
>>
>> The fact I email here obviously shows I am a Tor user, although I'd like
>> more technical measures built into Tor Browser to obfuscate the times I
>> am using Tor.
>>
>> Cheers,
>> Nathaniel Suchy
>>
>>>> On 4/29/18 2:36 PM, Matthew Finkel wrote:
>>>> On Sun, Apr 29, 2018 at 02:06:49PM -0400, Nathaniel Suchy (Lunorian) wrote:
>>>> I see that Tor Browser, for users who are censored in their country,
>>>> work, or school (or have some other reason to use bridges) has a variety
>>>> of built in bridges. Once of those are the OBFS4 bridges. My first
>>>> thought would be these are hard coded, of course giving everyone the
>>>> same set of bridges is bad right?
>>>
>>> Currently this is how it works, yes. It is not ideal, and there is
>>> on-going development work for rolling out a more scalable method.
>>>
>>>> Then a bad actor could download Tor
>>>> Browser, get the list, and null route the IPs on their network(s). Also
>>>> these bridges could get quite crowded. Are the bridges being used to
>>>> fetch other bridges, or something else? How does Tor Browser handle
>>>> these risks / technical issues?
>>>
>>> Indeed "Bad actors" could block the bridges hard-coded in Tor Browser.
>>> It is also true many of those default bridges are overloaded.
>>
>> --
>> tor-talk mailing list - tor-talk at lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
More information about the tor-talk
mailing list