Re: [tor-bugs] #12673 [Pluggable transport]: New fte bridges
#12673: New fte bridges
-------------------------------------+------------------------------
Reporter: kpdyer | Owner: asn
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Pluggable transport | Version:
Resolution: fixed | Keywords: MikePerry201407R
Actual Points: | Parent ID:
Points: |
-------------------------------------+------------------------------
Comment (by mikeperry):
Replying to [comment:9 kpdyer]:
> Replying to [comment:8 mikeperry]:
> > Replying to [comment:7 kpdyer]:
> > > Hi Mike,
> > >
> > > - If we can't use DNS, we'll need to remove the IPv6 bridge for now. That was using DNS load balancing on AWS, and there's no guarantee that the IPv6 address will stay the same.
> >
> > Hrmm. If there is no way to get a fixed IPv6 IP, then we'll have to remove the lines. This is a shame, though, because IPv6 is pretty much completely uncensored everywhere, afaik.
>
> I could find another provider that can host an IPv6 fte bridge. How much time do I have before the next tag+release?
I will merge an IPv6 bridge as soon as you have it. Who knows when our
next release will be, though. Anywhere between 1 day and 5 weeks from now.
> > > - Can you remind me why we shouldn't use DNS names in the bridge lines?
> >
> > Because the DNS resolution happens outside of Tor before it has a circuit. This means that it is both a blocking point for the adversary (who might even be able to use their existing IPv4 DNS censorship infrastructure to block the resolution, depending on how DNS is configured on the client), as well as a clear signal that Tor is in use by that client, since it is cleartext.
>
> It's not clear to me why this is worse, if we have DNS bridges in addition to hard-coded bridges.
From my POV, DNS doesn't add anything, and seems to introduce new risks
and blocking points, especially for IPv6.
> Do you mind if I bring this discussion to tor-dev?
Sure, go ahead. It might be useful to get a second opinion on this,
especially if you believe that DNS improves our blocking resistance
somehow (which I also do not see how it would).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12673#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
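
The concern discussed above, that a bridge line naming a host forces a cleartext DNS lookup before any Tor circuit exists, can be checked mechanically before bridge lines are shipped. The following is an added example, not code from the ticket or from Tor; it assumes the layout `[Bridge] [transport] host:port [fingerprint]`, and the sample lines are constructed with documentation addresses and a placeholder fingerprint.

```python
import ipaddress

def classify_bridge_endpoint(line):
    """Return 'ipv4', 'ipv6', 'hostname' or 'invalid' for one bridge line."""
    tokens = line.split()
    if tokens and tokens[0].lower() == "bridge":
        tokens = tokens[1:]                      # optional torrc keyword
    # Transport names and hex fingerprints contain no ':', so the first
    # token with one is taken to be the host:port endpoint (assumption).
    endpoint = next((t for t in tokens if ":" in t), None)
    if endpoint is None:
        return "invalid"
    host, _, port = endpoint.rpartition(":")
    if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        return "invalid"
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]                        # bracketed IPv6 literal
    elif ":" in host:
        return "invalid"                         # unbracketed IPv6 is ambiguous
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the client would have to resolve it in the clear.
        return "hostname" if host else "invalid"
    return "ipv6" if addr.version == 6 else "ipv4"

def lines_needing_dns(lines):
    """1-based numbers of lines whose endpoint is a DNS name, not an IP."""
    return [n for n, line in enumerate(lines, 1)
            if classify_bridge_endpoint(line) == "hostname"]

# Constructed sample input (RFC 5737 / RFC 3849 documentation addresses).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder fingerprint
SAMPLE = [
    f"fte 192.0.2.10:80 {FPR}",
    f"fte [2001:db8::10]:80 {FPR}",
    f"fte bridge.example.com:80 {FPR}",
]

if __name__ == "__main__":
    for n in lines_needing_dns(SAMPLE):
        print(f"line {n}: endpoint is a hostname, requires DNS before Tor starts")
```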