
Re: [tor-talk] How do the OBFS4 "built-in" Bridges work?

On Sun, Apr 29, 2018 at 03:41:47PM -0400, Nathaniel Suchy (Lunorian) wrote:
> Thank you for clarifying that. The obfs4 bridges you can get at
> bridges.torproject.org also pose an interesting risk, the ports each
> Bridge IP Address is using seem to be non-standard, I'm in the US and
> most networks I am at do not censor although sometimes certain ports at
> public wifi networks are blocked, could a threat actor threatening you
> or tor users in general realize an IP Address was a Tor Bridge by
> identifying a large amount of traffic to a non-standard port on random
> datacenter IP Addresses?

Yes, it is possible. There's nothing magical about how Tor sends the
traffic and none of the currently-deployed pluggable transports
significantly modify a user's traffic pattern. A network operator could
observe strange traffic from a client, where the destination is a rarely
used IP address and the port number is non-standard. This could be a Tor
connection or it could be a brand-new up-and-coming app which could
revolutionize the world. What does the network operator do? Do they
block the traffic because it *could* be a connection into the Tor

Of course, there is the next step the network operator could take -
active probing. If they suspect a connection is into a Tor bridge, then
they can try connecting to it, and if it responds like a Tor relay then
they can classify it as "Tor". The obfs4 pluggable transport includes
active probing protection where the client must have the bridge's
non-public second identity key as a requirement for establishing a
connection with the bridge. If the client does not have this identity
key, then the initial obfs4 connection will fail and the server will
not leak the fact there is a Tor bridge underneath it.

> You can tell Tor Browser your Firewall only allows connections to
> certain ports which I assume when used with bridges would help further
> hide the fact you are using Tor.

Not necessarily. That option only tells Tor "don't choose a relay as my
first-hop (guard/entry relay) if I know it will be blocked". This simply
avoids choosing a relay listening on port 9999 when we already know the
network firewall only allows ports 443 and 80.
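
A simplified model of the active-probing protection described in the reply above, added here as an illustration; it is not part of the original message and is not obfs4's code or wire format. The names `Bridge` and `client_hello`, the message sizes, the hour-based freshness window and the replay cache are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

NONCE_LEN, MAC_LEN = 32, 16  # sizes chosen for this sketch


def _mac(secret: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 truncated to MAC_LEN bytes."""
    return hmac.new(secret, data, hashlib.sha256).digest()[:MAC_LEN]


def _hour(now: Optional[float]) -> int:
    return int((time.time() if now is None else now) // 3600)


def client_hello(bridge_secret: bytes, now: Optional[float] = None) -> bytes:
    """First client message: random nonce plus a MAC keyed with the bridge secret."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _mac(bridge_secret, nonce + str(_hour(now)).encode())


class Bridge:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # MACs already accepted, so a recorded hello cannot be replayed

    def handle(self, msg: bytes, now: Optional[float] = None) -> Optional[bytes]:
        """Return a reply only if the sender proved knowledge of the secret.
        None means: send nothing, so a prober learns nothing from the response."""
        if len(msg) != NONCE_LEN + MAC_LEN:
            return None
        nonce, tag = msg[:NONCE_LEN], msg[NONCE_LEN:]
        hour = _hour(now)
        # Accept the neighbouring hours to tolerate clock skew.
        fresh = any(hmac.compare_digest(tag, _mac(self.secret, nonce + str(h).encode()))
                    for h in (hour - 1, hour, hour + 1))
        if not fresh or tag in self.seen:
            return None
        self.seen.add(tag)
        return _mac(self.secret, b"server-reply" + nonce)
```

A sender without the secret, a replayed hello, and an unrelated protocol's first bytes all get the same result from `handle`: no reply.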