
Re: [tor-bugs] #23958 [Metrics/Onionoo]: Onionoo not fetching the bridge descriptor correctly?



#23958: Onionoo not fetching the bridge descriptor correctly?
-----------------------------+------------------------------
 Reporter:  dgoulet          |          Owner:  metrics-team
     Type:  defect           |         Status:  closed
 Priority:  Very High        |      Milestone:
Component:  Metrics/Onionoo  |        Version:
 Severity:  Normal           |     Resolution:  not a bug
 Keywords:                   |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:
-----------------------------+------------------------------

Comment (by isis):

 Replying to [comment:10 dcf]:
 > Replying to [comment:9 dcf]:
 > > I'm pretty sure that this is the case for all the Tor Browser default
 > > bridges, and it's because we ask the bridge operators to block their
 > > ORPort from outside access. This is to prevent reachability tests from
 > > succeeding, and so keep the default bridges out of BridgeDB.
 >
 > See for instance this thread about the addition of zipfelmuetze and
 > griinchux:
 >   https://lists.torproject.org/pipermail/tor-project/2017-August/001369.html
 >   In addition, it is best if you use a firewall to block the bridge's
 >   regular ORPort (while leaving the obfs4 port unblocked). Blocking the
 >   bridge's ORPort is a hack to prevent the bridge from being included in
 >   BridgeDB, which eliminates a couple of ways a censor might discover and
 >   block the bridge: 1) by enumerating BridgeDB, and 2) by fingerprinting
 >   plain-Tor connections to the bridge's IP address (made by users who
 >   discovered the plain-Tor port through BridgeDB).

 FWIW, this hack is no longer needed (for that purpose), since #18329,
 #21177, and #23957 have been merged (and backported where necessary).
 Moving forward, TB default bridges (once on a new enough tor version) may
 put `BridgeDistribution none` in their torrc.  It's still a good idea for
 TB default bridges to firewall off their ORPort, however, to protect
 against discoverability, since really only the PTs are useful.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23958#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
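
A small audit of the configuration described in the comment above, added here as an example (it is not code from the ticket or from the Tor Project): it checks a bridge torrc for `BridgeDistribution none` and lists which port the firewall should block (ORPort) and which it should leave open (obfs4). The sample torrc, its ports and paths, and all function names are constructed for illustration.

```python
import re

# Constructed sample torrc for a default obfs4 bridge; ports and paths are made up.
SAMPLE_TORRC = """\
BridgeRelay 1
ORPort 9001
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8443
BridgeDistribution none   # keep this bridge out of BridgeDB
"""

def parse_torrc(text):
    """Map lowercased option name -> list of argument strings ('#' starts a comment)."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            arg = parts[1].strip() if len(parts) > 1 else ""
            opts.setdefault(parts[0].lower(), []).append(arg)
    return opts

def port_of(spec):
    """Port from '9001', '0.0.0.0:9001' or '[::]:9001 IPv6Only'; None for 'auto' or empty."""
    fields = spec.split()
    m = re.match(r"(?:.*:)?(\d+)$", fields[0]) if fields else None
    return int(m.group(1)) if m else None

def audit_default_bridge(text):
    """Check a torrc against the advice in the comment and list the ports to firewall."""
    opts = parse_torrc(text)
    findings = []
    if opts.get("bridgerelay", ["0"])[-1] != "1":
        findings.append("BridgeRelay is not 1: not a bridge configuration")
    if opts.get("bridgedistribution", [""])[-1] != "none":
        findings.append("BridgeDistribution is not 'none'")
    or_ports = {port_of(v) for v in opts.get("orport", [])} - {None}
    pt_ports = set()
    for v in opts.get("servertransportlistenaddr", []):
        f = v.split(None, 1)
        if len(f) == 2 and f[0] == "obfs4":
            pt_ports.add(port_of(f[1]))
    pt_ports.discard(None)
    if not pt_ports:
        findings.append("no fixed obfs4 listen port: cannot write an allow rule for it")
    # The torrc cannot show firewall state; these are the ports the rules must cover.
    return {"findings": findings, "block_inbound": sorted(or_ports),
            "allow_inbound": sorted(pt_ports)}

if __name__ == "__main__":
    print(audit_default_bridge(SAMPLE_TORRC))
```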