
Re: [tor-relays] Relay configuration for FreedomBox



On 22/03/2014 11:56 AM, James Valleroy wrote:
> Thanks for the information. Is it likely that obfs3 and
> scramblesuit will be usable in the long-term? Or will they need to
> be deprecated at some point like obfs2?
> 
> Also, if obfs3 or scramblesuit were deprecated, but some
> FreedomBoxes continued to run those transports, what would be the
> result? Would the worst case be that the bridge is no longer usable
> by some, as in [0]?
> 
> The reason that I'm asking is that FreedomBox is currently working 
> within Debian "testing" but our target is Debian "stable". Once
> our packaged configuration is frozen for the next stable release,
> it will be more difficult for us to push changes other than
> security fixes.
> 
> [0] https://trac.torproject.org/projects/tor/ticket/10314

I can't speak to whether more pluggable transports will be deprecated
in future, but I'll go out on a limb here and say "probably." The
nature of things ensures that the capabilities of censors continue to
advance. And as they do, new approaches will be found and deployed to
bypass those advancing attempts to block the network.

When bridges were first deployed, the fact that they weren't all
openly listed in a public directory made them more difficult to block.
Now, most plain bridges are very easy to block. When obfs2 was first
deployed, it was a solid protocol (I have no doubt). These days, China
is actively hunting down and blocking obfs2. There is very little
point to deploying either a plain bridge or an obfs2 pluggable
transport these days, especially on a mass scale.

On the plus side, obfs3 is still pretty strong, and it's one of the
common pluggable transports right now. Scramblesuit is not live in the
official bundles yet (AFAIK), but it just released and has some pretty
robust-looking defenses against active probing and other attacks. If
you're working on something new to deploy, these should be included,
without a doubt. They may indeed be deprecated in future, and in the
worst case may become unusable or make the bridge more susceptible to
being blocked. But if you go with a plain bridge or obfs2, you're
already in your worst-case scenario. You have nothing to lose and
everything to gain by enabling the newest pluggable transports.

I would highly recommend adding the Tor package repository to the
FreedomBoxes. As explained in [0], this won't always give you the
latest version of tor, but it will provide security fixes. My hunch is
that it will almost always also be a little fresher than Debian
stable. And given that network censors and network developers are
always going to be in an escalating arms race, enabling new releases
of Tor (and obfsproxy) directly from the project is going to make the
FreedomBox much more useful in the long term.

 -Lance

[0] https://www.torproject.org/docs/debian