
[tor-relays] Do less-secure pluggable transports on bridges render more-secure types useless?



I've read that obfs4 and scramblesuit are very resistant ("immune" is so optimistic) to such things as active probes performed by the Great Firewall, which can quickly probe and detect older transports (and of course vanilla ORports), plus the older transports and ORports are subject to relatively quick detection through deep packet inspection once a user connects from there.

Does it make sense to offer older, more vulnerable transports along with newer, more secure ones? If my bridge offers both obfs3 and obfs4, does that just mean that as soon as someone in China uses obfs3 it's detected and my IP address is blocked, making the obfs4 port unusable from there as well even though it would have avoided detection on its own? More fundamentally, does the bridge address server also publish vanilla ORports for those bridges which offer obfs4, and does a Chinese user accessing my bridge's ORport doom my entire bridge to immediate blockage from there?

I can't imagine the GFW would be so kind as to only block the ORport's specific port number; I assume it blocks the entire bridge IP address, making all transports useless if any single one of them is detected. Would it be better to only offer obfs4 to avoid detection and blockage via older transports?

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays