[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How do the OBFS4 "built-in" Bridges work?



Torbrowser 8a3 added moat which I’m actually fetches new bridges, without requiring you to go to bridges.torproject.org.

Bug 23136: Moat integration (fetch bridges for the user)
Download the latest alpha https://dist.torproject.org/torbrowser/8.0a6/
Remember this is an alpha and should only be used for testing purposes, moat should be included in the next major stable.
Sent from my iPad

> On Apr 29, 2018, at 12:41 PM, Nathaniel Suchy (Lunorian) <me@xxxxxxxxxxx> wrote:
> 
> Thank you for clarifying that. The obfs4 bridges you can get at
> bridges.torproject.org also pose an interesting risk, the ports each
> Bridge IP Address is using seem to be non-standard, I'm in the US and
> most networks I am at do not censor although sometimes certain ports at
> public wifi networks are blocked, could a threat actor threatening you
> or tor users in general realize an IP Address was a Tor Bridge by
> identifying a large amount of traffic to a non-standard port on random
> datacenter IP Addresses?
> 
> You can tell Tor Browser your Firewall only allows connections to
> certain ports which I assume when used with bridges would help further
> hide the fact you are using Tor.
> 
> The fact I email here obviously shows I am a Tor user, although I'd like
> more technical measures built into Tor Browser to obfuscate the times I
> am using Tor.
> 
> Cheers,
> Nathaniel Suchy
> 
>>> On 4/29/18 2:36 PM, Matthew Finkel wrote:
>>> On Sun, Apr 29, 2018 at 02:06:49PM -0400, Nathaniel Suchy (Lunorian) wrote:
>>> I see that Tor Browser, for users who are censored in their country,
>>> work, or school (or have some other reason to use bridges) has a variety
>>> of built in bridges. Once of those are the OBFS4 bridges. My first
>>> thought would be these are hard coded, of course giving everyone the
>>> same set of bridges is bad right?
>> 
>> Currently this is how it works, yes. It is not ideal, and there is
>> on-going development work for rolling out a more scalable method.
>> 
>>> Then a bad actor could download Tor
>>> Browser, get the list, and null route the IPs on their network(s). Also
>>> these bridges could get quite crowded. Are the bridges being used to
>>> fetch other bridges, or something else? How does Tor Browser handle
>>> these risks / technical issues?
>> 
>> Indeed "Bad actors" could block the bridges hard-coded in Tor Browser.
>> It is also true many of those default bridges are overloaded.
> 
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk