
Re: Block directory authorities, is it possible?



> http://tor.eff.org/svn/trunk/doc/design-paper/blocking.pdf

It seems to me that the most difficult things are 1) to ensure that a user
in a blocked country always has access to a bridge, and 2) proving that
bridges are useful.

1) It seems a user needs to know at least two working bridges in order
to not have their connection permanently disrupted (and require
re-bootstrapping). If only one bridge is known, if that bridge moves or
goes offline, bootstrapping is required. However, if two bridges are
known, the first bridge can be used for an active connection, and the
status of the second bridge can be maintained (and confirmed with the
bridge authority periodically), so if the active bridge moves, the
backup bridge can be used to connect to Tor and use the bridge authority
to check the status of the now-inactive or moved bridge. Clearly this
only protects against bridge moves, since if the first bridge has gone
offline, the user is now left with only one.

2) Determining whether a bridge is "useful" may be impossible without
allowing an adversary to enumerate a bridge. Any adversary that blocks a
bridge from their jurisdiction can set up a connection through that
bridge to make it seem like the bridge is actively being used.
There is no easy way for the bridge authority or users to learn that a
bridge has been blocked. While users in a given country may know they
can't connect to a bridge, they have no easy way to notify the bridge
authority. First, the user is not authoritative: we can't trust what a
given user says, since that user may be working for the "government"
(for arbitrary values of "government") and may be attempting to disable
bridges by bad-mouthing (saying they are already blocked). Second, the
user needs to have access to the Tor network in the first place to
notify the bridge authority that a bridge is blocked. This is perhaps a
lesser problem than the first one.

I'm not sure this item CAN have a workable solution...

Thoughts?

Thanks,
Eugene

-- 
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
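
The failover reasoning in point 1 above, modelled as an added example (not part of the original message and not Tor's code). BridgeAuthority, Client and the addresses are hypothetical and constructed; a bridge counts as usable only if it still answers at the address the client last confirmed.

```python
"""Toy model of the one-bridge vs. two-bridge failover argument (hypothetical names)."""


class BridgeAuthority:
    """Maps bridge id -> current address, or None once the bridge is offline."""

    def __init__(self, bridges):
        self.current = dict(bridges)

    def move(self, bridge_id, new_address):
        self.current[bridge_id] = new_address

    def take_offline(self, bridge_id):
        self.current[bridge_id] = None


class Client:
    """Knows each bridge only by the address it last confirmed."""

    def __init__(self, known):
        self.known = dict(known)

    def connect(self, authority):
        """Return the bridge id used, or None if re-bootstrapping is required."""
        for bridge_id, address in self.known.items():
            # Usable only if the bridge still answers at the address we hold.
            if authority.current.get(bridge_id) == address:
                self._refresh(authority)
                return bridge_id
        return None

    def _refresh(self, authority):
        # Over the working bridge, re-check every known bridge with the
        # authority: moved bridges get their new address, offline ones go.
        refreshed = {}
        for bridge_id in self.known:
            address = authority.current.get(bridge_id)
            if address is not None:
                refreshed[bridge_id] = address
        self.known = refreshed


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    start = {"A": "192.0.2.1:443", "B": "198.51.100.1:443"}
    authority, client = BridgeAuthority(start), Client(start)
    authority.move("A", "192.0.2.9:443")
    print(client.connect(authority), client.known)
```
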