
Re: [tor-dev] Internet-wide scanning for bridges



I totally agree with you, the ideal solution is for bridges to be secure by default: either by getting rid of the ORPort for bridges and requiring the use of PTs, or changing the behavior of 'auto' for ports and having ORPort be set to auto by default. However, these changes don't appear trivial to me. I do plan to also update the documentation to use 'ORPort auto' for bridges, but I think it's also useful to nudge bridge operators to a safer configuration in the short term (the same way tor already does for HS+relay colocation and a couple of other cases.)

On Wed Dec 17 2014 at 11:12:01 AM Sebastian Hahn <sebastian@xxxxxxxxxxxxxx> wrote:
Hi there,

On 14 Dec 2014, at 20:06, Vlad Tsyrklevich <vlad@xxxxxxxxxxxxxxx> wrote:
> I'm not against keeping some around, but this warning is unlikely to turn around the thousands that currently match this configuration--hopefully it'll just encourage future bridge operators to use a 'safer' configuration. The obfs4proxy README shows users how to set up obfs4 running over port 443 which is probably the most desirable option: those users can evade network restrictions without enabling discovery by scanning.

I really dislike warnings unless we absolutely need to have
them, and this imo is in the category of "change the default,
update the docs", especially because just changing the port
is not a real solution in my book.

Cheers
Sebastian

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev