[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Please Remove Tor bridge and... from Censorship countries.



I think that I should rephrase myself a little so I don’t cause any confusion. 

"Undetectable" is perhaps an overstatement. Usage of bridges like meek are 
especially difficult to identify by just being a firewall/router admin 
sniffing bypassing traffic.

But some adversaries (we know China does it, see 
https://blog.torproject.org/blog/learning-more-about-gfws-active-probing-system) 
also do active probing where they have servers connecting to the destination server 
of a connection (i.e. the suspected bridge) and try to establish a Tor 
connection. Meek is espacially powerful against that kind of attack because 
you only connect to a CDN of either Amazon or Microsoft, looking like a web 
browser visiting some regular website. Without careful studying of traffic 
patterns etc., a "man in the middle" can not tell if you’re using Tor or just 
vising a website.

Of course, as we all know, there’s another government which might have some 
insight into networks of US-based companies. But if you’re primarily worried 
about third-world country states hosting your bridge, meek might be your 
preffered choice.

On Tue, Nov 08, 2016 at 12:36:23PM +0000, Jason Long wrote:
> How can I find a good list of secure Bridge? 
> 
>     On Tuesday, November 8, 2016 1:38 PM, Jonathan Marquardt <mail@xxxxxxxxxxxx> wrote:
>  
> 
>  One thing should be clear:
> 
> If one is not using a bridge, it is trivial for any network observer 
> (University firewall admin, Iran ISP) to see if one is using Tor. However, 
> with the right bridge setup such a detection can ultimately be prevented. I 
> guess meek is the best candidate for an undetectable bridge.
> 
> On Mon, Nov 07, 2016 at 09:56:01AM -0800, Seth David Schoen wrote:
> > Jason Long writes:
> > 
> > > To be honest, I guess that I must stop using Tor!!!! It is not secure.I can remember that in torproject.org the Tor speaking about some peole that use Tor. For example, reporters, Military soldiers and...But I guess all of them are ads. Consider a soldier in a country that want send a secret letter to his government and he want to use Tor but the country that he is in there can sniff his traffic :( 
> > 
> > That soldier has a potential problem if the government is aggressively
> > monitoring Internet traffic, because they can look at the time that the
> > message was received and ask "who was using Tor in our country at that
> > time?".  This happened in 2013 when someone sent a bomb threat using
> > Tor on his university campus.  Apparently he was the only person using
> > Tor on campus at the time the threat was sent.
> > 
> > http://www.dailydot.com/crime/tor-harvard-bomb-suspect/
> > 
> > The ability to do this doesn't require the government to operate any of
> > the nodes and doesn't require them to be operated in the same country.
> > For instance, Harvard University was able to identify this person even
> > though he was using only Tor nodes that were outside of the university's
> > network.  (It might have been much harder if he had been using a bridge
> > that the university didn't know about, or if he had sent the threat
> > from somewhere outside of the campus network.)
> > 
> > If there are ways of sending the letter that introduce a delay, then it
> > might be harder for the government to identify the soldier because then
> > there is some amount of Tor use at a time that's not obviously related
> > to the sending of the letter.  There might still be a concern that the
> > amount of data that the soldier transmitted over the Tor network is
> > very similar to the size of the letter, which may be a unique profile.
> > (That's a concern for systems like SecureDrop because people upload
> > large documents with a unique size; the number of people who transmitted
> > that exact amount of information on a Tor connection in a particular
> > time frame will be very small.)
> > 
> > There's lots to think about and a good reminder that the Tor technology
> > isn't perfect.  But I wouldn't agree with the idea that there's no point
> > in using Tor.  Lots of people are getting an anonymity benefit from
> > using it all of the time.
> > 
> > -- 
> > Seth Schoen  <schoen@xxxxxxx>
> > Senior Staff Technologist                      https://www.eff.org/
> > Electronic Frontier Foundation                  https://www.eff.org/join
> > 815 Eddy Street, San Francisco, CA  94109      +1 415 436 9333 x107
> > -- 
> > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 
> 
>    
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Attachment: signature.asc
Description: Digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk