[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] (meek|flashproxy)+(obfs3|fte|scramblesuit|...)



On Sat, 26 Jul 2014 15:08:38 +0100
Kevin P Dyer <kpdyer@xxxxxxxxx> wrote:

> Are there any roadblocks that prevent us from doing the following?
> 
> 1. Remove the hard-coded bridge_prefs.js in the TBB.

Ok.

> 2. Set meek as the default pluggable transport in the TBB.

Sure that's also fairly easy.

> 3. Use meek to acquire an up-to-date bridge_prefs.js from, say,
> torproject.org.

Whowa, what?  I get (from other parts of the thread) that there are
compelling reasons for this, but I can think of at least two reasons
why I would be massively against this.

a) Who is going to pay for this?  The amount of data transferred will
grow to be non-trivial rather quickly because each user that ends up
doing this will do the full bootstrap.  Granted, this will be a one
time thing per bundle release (and a one time thing over the lifespan
of the client in some magical world where TBB has an update
mechanism), so the economic side in the future isn't quite as dire, but
still.

b) Giving anyone a list of a subset of our users (and a particularly
vulnerable subset at that, since they need to use PTs), seems dangerous
at best.  Going from "all meek users need to trust $CDN" to "the
default behavior is to give $CDN a list of anyone trying to use PTs" at
first glance seems like something that will only end badly.

> 4. Use the information from the acquired bridge_prefs.js to connect
> to Tor as normal.

No clue as to how hard this is.

> Ostensibly, this doesn't do a better job of hiding bridge addresses.
> However, it allows us to modify bridge addresses without releasing a
> new TBB.

I don't see that as being a sufficiently compelling reason to give a
third party the ability to enumerate (a unknown fraction of) the PT user
base (while making them rich at the same time).

Regards,

-- 
Yawning Angel

Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev