[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] How do the OBFS4 "built-in" Bridges work?
So the concerns I brought up are already addressed in an upcoming update?
> Torbrowser 8a3 added moat which I’m actually fetches new bridges, without requiring you to go to bridges.torproject.org.
> Bug 23136: Moat integration (fetch bridges for the user)
> Download the latest alpha https://dist.torproject.org/torbrowser/8.0a6/
> Remember this is an alpha and should only be used for testing purposes, moat should be included in the next major stable.
> Sent from my iPad
>> On Apr 29, 2018, at 12:41 PM, Nathaniel Suchy (Lunorian) <me@xxxxxxxxxxx> wrote:
>> Thank you for clarifying that. The obfs4 bridges you can get at
>> bridges.torproject.org also pose an interesting risk, the ports each
>> Bridge IP Address is using seem to be non-standard, I'm in the US and
>> most networks I am at do not censor although sometimes certain ports at
>> public wifi networks are blocked, could a threat actor threatening you
>> or tor users in general realize an IP Address was a Tor Bridge by
>> identifying a large amount of traffic to a non-standard port on random
>> datacenter IP Addresses?
>> You can tell Tor Browser your Firewall only allows connections to
>> certain ports which I assume when used with bridges would help further
>> hide the fact you are using Tor.
>> The fact I email here obviously shows I am a Tor user, although I'd like
>> more technical measures built into Tor Browser to obfuscate the times I
>> am using Tor.
>> Nathaniel Suchy
>>>> On 4/29/18 2:36 PM, Matthew Finkel wrote:
>>>> On Sun, Apr 29, 2018 at 02:06:49PM -0400, Nathaniel Suchy (Lunorian) wrote:
>>>> I see that Tor Browser, for users who are censored in their country,
>>>> work, or school (or have some other reason to use bridges) has a variety
>>>> of built in bridges. Once of those are the OBFS4 bridges. My first
>>>> thought would be these are hard coded, of course giving everyone the
>>>> same set of bridges is bad right?
>>> Currently this is how it works, yes. It is not ideal, and there is
>>> on-going development work for rolling out a more scalable method.
>>>> Then a bad actor could download Tor
>>>> Browser, get the list, and null route the IPs on their network(s). Also
>>>> these bridges could get quite crowded. Are the bridges being used to
>>>> fetch other bridges, or something else? How does Tor Browser handle
>>>> these risks / technical issues?
>>> Indeed "Bad actors" could block the bridges hard-coded in Tor Browser.
>>> It is also true many of those default bridges are overloaded.
>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>> To unsubscribe or change other settings go to
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to