isis:
> Lunar transcribed 2.9K bytes:
> > Matthew Finkel:
> > > I agree, and I think it's safe to assume that some nation-state
> > > adversaries do not have these capabilities yet. Users should choose
> > > obfs3 over obfs2, but if a user has a reason for requesting obfs2 then
> > > I don't think we should deny them.
> >
> > But aren't “we” the expert on the topic? Which reasons do you think a user
> > might have to choose obfs2 over obfs3? Isn't it in an attacker's interest
> > to trick users into using obfs2?
> >
> > Should all HTTPS websites allow DES because users might have a
> > reason to request it? Should OTR clients continue to support OTRv1
> > because users might have a reason to request it [1]?
> >
> > Sorry, but as I fail to see good reasons, I just don't get the logic.
> >
> > For the Tor Browser, we stop even distributing the binaries as soon as a
> > new version is out because we know the previous one to be insecure. Why
> > should a broken protocol still be advertised? Why should addresses of
> > insecure bridges still be distributed when we can just avoid them?
> >
> > What do users get out of retrieving obfs2 bridge addresses that they
> > can't get when retrieving obfs3?
>
> Alice's university sysadmin / corporate IT department / high school
> administration / overly-conservative techie parents block tor, by protocol
> identification after watching Alice's tor handshake with the first hop. They
> block relays from the public list. Their firewall runs Bro or similar, and
> they're able to detect and block bridges too. [0]
>
> They see an obfs2 handshake, and they try to connect to the obfs2 IP:port
> using vanilla tor (without any PTs). It doesn't work. It's not their job to
> spend all day trying to figure out what that weird protocol was, and they're
> not savvy enough to realise that the handshake is also fingerprintable.
>
> That's where obfs2 still works just fine.

But obfs3 will work just as fine. Why continue giving out obfs2 bridges?

-- Lunar <lunar@xxxxxxxxxxxxxx>
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev