As in the title, it took me over an hour to find one - for my security requirements, the timing and sometimes, packet size obfuscation, is very important.
Now this might sound a bit like sarcasm, but I also think that we should harden the https://bridges.torproject.org page, just a captcha and not delivering new bridges to the same IP is a bit weak, in my opinion.
Perhaps extend that block to an entire /16 range, or require some computational power to be used up (could be easily implemented in _javascript_) first.
The last suggestion would also eliminate bots that scrape bridge addresses using plaintext clients entirely, at least until someone builds a chromium / (insert arbitrary browser engine here) bot.
I know this is a cat and mouse game, but the bridge page should be as secure as possible.
For example: I wouldn't mind waiting 5-15 minutes to get a list of 3 bridges (optionally, with a button that says, iat-mode non-zero only, but we need to harden more before implementing something like that), some government agencies might be thrown off by this, along with the fact that they also only have limited IP ranges.
Thoughts?