Re: [tor-bugs] #34212 [Circumvention/Wolpertinger]: Set up a domain-fronted end point for wolpertinger
#34212: Set up a domain-fronted end point for wolpertinger
----------------------------------------+-------------------------------
Reporter: phw | Owner: phw
Type: task | Status: assigned
Priority: Medium | Milestone:
Component: Circumvention/Wolpertinger | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: #32740 | Points: 1
Reviewer: | Sponsor: Sponsor30-can
----------------------------------------+-------------------------------
Comment (by dcf):
Replying to [ticket:34212 phw]:
> After reading #27469 and #16650, I believe that we need to configure
> another azure reflector, e.g., wolpertinger.azureedge.net, which is hooked
> up to https://bridges.torproject.org/wolpertinger/.
If you only care about reachability, then yes, all you need is a CDN
configuration pointing to bridges.torproject.org. That's also the easiest
to deploy and use because you don't need anything more than curl to
interact with it.
If you need confidentiality from the CDN (i.e., if you suspect that the
CDN is eavesdropping on connections and recording bridge addresses), then
the above model is not good enough. The problem is that you have hop-by-
hop TLS from the client to the CDN, and from the CDN to BridgeDB, but no
end-to-end secure channel. For end-to-end security I think you have two
options:
1. Do like Moat, and tunnel an end-to-end TLS session through the hop-by-
hop CDN TLS sessions. The end-to-end security is provided by the existing
TLS certificate of bridges.torproject.org. This is more awkward to use
because you need to run e.g. meek-client and meek-server at the endpoints
to build the tunnel.
2. Provide a layer of security in Wolpertinger separate from TLS. That
is, don't just return some bridge addresses in plaintext, but use
something like an
[https://noiseprotocol.org/noise.html#interactive-handshake-patterns-fundamental NK or IK Noise protocol]
to establish an ephemeral session key and return an authenticated
ciphertext in one round trip. The client could send its part of the
handshake as a URL query parameter or POST body, and the server could
return its part of the handshake followed by an authenticated ciphertext
in its response body.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34212#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
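Added illustration of option 2 above (not code from the ticket, Wolpertinger or BridgeDB): a Go standard-library sketch of the one-round-trip exchange dcf describes, following the NK pattern's shape (client is provisioned with the server's static key; ephemeral-static DH authenticates the server, ephemeral-ephemeral DH adds forward secrecy, the response carries an authenticated ciphertext). It uses an ad hoc SHA-256 KDF and a fixed nonce on a single-use key instead of the Noise specification's handshake-hash machinery, so it models the design rather than implementing Noise; all function names and the KDF label are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Simplified NK-style exchange (demonstration only, not spec-conformant Noise). The client holds
// the server's static X25519 public key S. Request: e_pub. Response: f_pub || AEAD(k, bridges),
// k = KDF(DH(e,S) || DH(f,e)): only the holder of S's private key can answer; DH(f,e) gives PFS.
var curve = ecdh.X25519()
// sessionAEAD derives the single-use AES-GCM key from the two shared secrets both sides compute.
func sessionAEAD(a *ecdh.PrivateKey, A *ecdh.PublicKey, b *ecdh.PrivateKey, B *ecdh.PublicKey) (cipher.AEAD, error) {
	es, err := a.ECDH(A)
	if err != nil { return nil, err }
	ef, err := b.ECDH(B)
	if err != nil { return nil, err }
	key := sha256.Sum256(append(append([]byte("demo-session-key"), es...), ef...)) // constructed KDF, not HKDF
	blk, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
// ClientRequest is the client's half of the handshake (e.g. sent as a URL query parameter or POST body).
func ClientRequest() (msg []byte, e *ecdh.PrivateKey, err error) {
	if e, err = curve.GenerateKey(rand.Reader); err != nil { return nil, nil, err }
	return e.PublicKey().Bytes(), e, nil
}
// ServerRespond answers with f_pub followed by the bridge list sealed under the session key.
func ServerRespond(s *ecdh.PrivateKey, msg, bridges []byte) ([]byte, error) {
	E, err := curve.NewPublicKey(msg) // rejects malformed or wrong-length input
	if err != nil { return nil, err }
	f, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	g, err := sessionAEAD(s, E, f, E)
	if err != nil { return nil, err }
	fb := f.PublicKey().Bytes() // single-use key, so a zero nonce is safe; f_pub is also bound as AD
	return g.Seal(fb, make([]byte, g.NonceSize()), bridges, fb), nil
}
// ClientFinish authenticates the response against S and decrypts the bridge list.
func ClientFinish(e *ecdh.PrivateKey, S *ecdh.PublicKey, resp []byte) ([]byte, error) {
	if len(resp) < 32 { return nil, errors.New("response too short") }
	F, err := curve.NewPublicKey(resp[:32])
	if err != nil { return nil, err }
	g, err := sessionAEAD(e, S, e, F)
	if err != nil { return nil, err }
	return g.Open(nil, make([]byte, g.NonceSize()), resp[32:], resp[:32])
}
```

Because the CDN never holds S's private key, it can relay the two messages but cannot read the bridge list or forge a response the client will accept.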