[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Re: problem with bridges and a suggestion
- To: "or-talk" <or-talk@xxxxxxxxxxxxx>, "or-talk" <or-talk@xxxxxxxxxxxxx>
- Subject: Re: Re: problem with bridges and a suggestion
- From: "frank" <for.tor.bridge@xxxxxxxxx>
- Date: Wed, 26 May 2010 16:11:05 +0800
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Wed, 26 May 2010 04:12:07 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:references :subject:message-id:x-mailer:disposition-notification-to :mime-version:content-type:content-transfer-encoding; bh=66I+eARsX+l1w8d3hoydrnC7GsdwEgMiPt08G1gV0Hw=; b=fd2tymeccHr8enXPA2pmj6eQ1PotSCUkVbwrXB86nz7fthX0U5F7Bc8hjQI92ma0JW 1ofsSJEg94UEMo8G1FajPFt+DHkLmixinPzGLhoACy+IvzIlCFzxeF1V9yjEflo73lHb C4QbAoYNKDUQ5SSHxBmnuPCPl+D9pxWqOvUgU=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:references:subject:message-id:x-mailer :disposition-notification-to:mime-version:content-type :content-transfer-encoding; b=gYKqAE0qzuKgEwaGTR+pJhcvf3y8hN0T+JOYjifWWy78LjZOHYi8a5TbsZ6k6bP8Cd hCjcVCEwMJG9dCTPjAYcSMV+wTX5rMiAQw2sqdIMswiVuNsiaL/yZgvHf22Jf7zhNW9b jwEhNwu6g6N7g6qC+3CdqYM1Q68EiZIvJoxxc=
- References: <AANLkTikYO539sKtVyD98-9aizdz1yVl42H85yBx5gKv-@xxxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
dear andrew,
I tried to reach directory server with the following config:
#use a https proxy to reach directory server
HttpProxy IP:port
but it doesn't work, does not the directory server support https proxy?
my suggestion:
1.
let the directory server support https proxy, so that tor clients could reach it through a hidden https proxy;
2.
the directory server tests the reachability from some relays to the requesting tor clients,
then sends back to tor clients a merely enough number of relays reachable by the requesting tor clients;
3.
in order to accomplish step 2, you have to set up some mechanics for relays to actively test reachability from them to tor clients.
hope I can help.
sincerely,
frank
2010-05-26
-------------------------------------------------------------
åääïandrew
åéææï2010-05-25 19:52:05
æääïor-talk
æéï
äéïRe: problem with bridges and a suggestion
On Tue, May 25, 2010 at 05:18:44PM +0800, for.tor.bridge@xxxxxxxxx wrote 1.3K bytes in 36 lines about:
: china is blockingÂTORÂ more and more strict,
: I can'tÂestablish a TOR circuitÂeven IÂupdated bridges in config file
: of torrc with info retrievedÂfrom https://bridges.torproject.orgÂand
: email replies from bridges@xxxxxxxxxxxxxxx
Correct. We are aware of this.
: this morning,ÂI got some new bridges through a hidden https proxy and
: established a TOR circuit, but after some time, I lost the connection
: and couldn't establish a TOR circuit any more.
Can you send debug logs to tor-assistants@xxxxxxxxxxxxxx with what
happens when your client tries to connect to the bridges?
: from my knowledge to china's blocking methods, I believe they found my
: newly got bridges through network traffic protocol analysis, and
: blocked them.
This is unlikely. In our experience, they are merely blocking IP:Port
combinations.
: use a general protocol for TOR clients to interact with bridges, so
: that they can't distinguish the traffic between TOR clients and
: bridges,
: so that they can't find new bridges got through private ways.
Tor traffic through bridges vs. public relays is the same. There is not
a special "bridge connection". See
https://www.torproject.org/faq#RelayOrBridge, also that text needs to be
updated to reflect China's uniqueness in filtering Tor public relays.
: the general protocol could be https which is encryption protected;
It is already. What may be unique is we start the connection with a TLS
renegotiation. This is probably starting to stand out as unique now
that OpenSSL decided to everyone used renegotiation incorrectly and
almost all operating systems have erroneously disabled this
functionality by default. See
https://www.torproject.org/faq#KeyManagement
: the general protocol could be plain http, if you can encode its
: content dynamically and privately, and don't make it display any
: fingerprints.
Then someone can read your traffic. Hiding in plain sight sounds good
on paper, but doesn't stand up to academic research, so far. See
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#YoushouldusesteganographytohideTortraffic.
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/