[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Internet-wide scanning for bridges

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Internet-wide scanning for bridges
From: Vlad Tsyrklevich <vlad@xxxxxxxxxxxxxxx>
Date: Wed, 17 Dec 2014 21:19:28 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 17 Dec 2014 16:19:42 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAH0z3hOVNFgPE88p+kRfXMRqVVFOeQLqV6-4zskhfFp0-b3M6A@xxxxxxxxxxxxxx> <20141214183456.GB9817@xxxxxxxxx> <CAH0z3hNuO8Z5qVha6dFp+cyjRXw5PYXbUKo3Die6wWYFxBhUmw@xxxxxxxxxxxxxx> <073D1E5E-95EC-4AF8-804A-C9B8EB91D943@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

I totally agree with you, the ideal solution is for bridges to be security to by default: Either by getting rid of the ORPort for bridges and requiring the use of PTs, or changing the behavior of 'auto' for ports and having ORPort be set to auto by default. However, these changes don't appear trivial to me. I do plan to also update the documentation to use 'ORPort auto' for bridges, but I think it's also useful to nudge bridge operators to a safer configuration in the short term (the same way tor already does for HS+relay colocation and a couple of other cases.)

On Wed Dec 17 2014 at 11:12:01 AM Sebastian Hahn <sebastian@xxxxxxxxxxxxxx> wrote:

Hi there,

On 14 Dec 2014, at 20:06, Vlad Tsyrklevich <vlad@xxxxxxxxxxxxxxx> wrote:
> I'm not against keeping some around, but this warning is unlikely to turn around the thousands that currently match this configuration--hopefully it'll just encourage future bridge operators to use a 'safer' configuration. The obfs4proxy README shows users how to set-up obfs4 running over port 443 which is probably the most desirable option: those users can evade network restrictions without enabling discovery by scanning.

I really dislike warnings unless we absolutely need to have
them, and this imo is in the category of "change the default,
update the docs", especially because just changing the port
is not a real solution in my book.

Cheers
Sebastian

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Internet-wide scanning for bridges
  - From: Vlad Tsyrklevich
- Re: [tor-dev] Internet-wide scanning for bridges
  - From: Philipp Winter
- Re: [tor-dev] Internet-wide scanning for bridges
  - From: Vlad Tsyrklevich
- Re: [tor-dev] Internet-wide scanning for bridges
  - From: Sebastian Hahn

Prev by Author: Re: [tor-dev] Internet-wide scanning for bridges
Next by Author: Re: [tor-dev] Vanilla ORPorts burning PT ports? (was: Internet-wide scanning for bridges)
Previous by thread: Re: [tor-dev] Internet-wide scanning for bridges
Next by thread: Re: [tor-dev] Internet-wide scanning for bridges
Index(es):
- Author
- Thread