On Sun, Jul 20, 2014 at 06:07:03PM -0400, Philipp Winter wrote:
On Sun, Jul 20, 2014 at 06:52:44PM +0000, Matthew Finkel wrote:
So, the questions I am posing to those in the community who have an opinion about this: What do you think? What problems do you currently have with this? How can this be improved?
Non-technical users might be confused by the parameters. Perhaps we could drop the "transport" parameter and have the following flat hierarchy?

  get vanilla
  get ipv6
  get obfs3
  get fte
  get scramblesuit
  etc
So you think we should accept (roughly) the regex "^.*(\w*)$" and return bridges based on the last token? I think we can do something like this. I do think, based on other responses, that we have some other open questions, though. Listing multiple tokens on a single will become more difficult, but we can figure something out.
An even simpler option would be to also drop "get" and simply look for the keywords "vanilla", "obfs3", ... in the email subject and body.
Also, if the user fails to form a valid email, I think we should still reply with a set of bridges.
This is a tricky problem:
"I'm TorBrowser, I know about N bridges, but I don't know which ones I should use, so I will pick a few and try them."
"I'm <adversary>. Wow, look at this traffic coming from <ip address>! That looks odd, I see this traffic that looks like Tor, BLOCK! And another flow that looks like obfs2, BLOCK! and another that looks like...huh, I don't recognize it. Let's play it safe. BLOCK!"
Alternatively the adversary could simply detect recognizable tor-flows and then track all subsequent traffic and see what it does and how it behaves, thus building a profile of it.
We need to be very careful about blindly giving out different transports together. We can default to a few obfs3 bridges, though, instead of obfs3, scramblesuit, and fteproxy.
The above example is obviously contrived, and may not be used (often), but it is a risk, and I'm mostly against playing that game unless we are significantly harming people's abilities to access the internet.
Thanks for the feedback Philipp, very much appreciated!
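
An added sketch of the parsing ideas discussed in this message, not BridgeDB's code and not written by either participant: it shows why the rough regex "^.*(\w*)$" captures an empty string, and a keyword scan over subject and body that always answers with exactly one request type. The function names, the obfs3 fallback and the skipping of quoted lines are assumptions made for the example.

```python
import re

# Keywords from the flat hierarchy proposed in the thread (constructed list).
KEYWORDS = ("vanilla", "ipv6", "obfs3", "fte", "scramblesuit")
DEFAULT_TYPE = "obfs3"  # assumption: the single-type default suggested above

_WORD = re.compile(r"[a-z0-9]+")


def last_token_naive(text):
    """Rough regex from the thread: greedy '.*' eats the line, so the group is empty."""
    m = re.match(r"^.*(\w*)$", text)
    return m.group(1) if m else None


def last_token(text):
    """Last word-like token of the text, ignoring trailing punctuation/space."""
    m = re.search(r"(\w+)\W*$", text)
    return m.group(1) if m else None


def choose_type(subject, body):
    """Pick exactly one request type for an incoming email.

    The first recognised keyword wins, so one reply never mixes transport
    types. Quoted lines ('>') are skipped (assumption) so that a reply
    quoting the help text does not match every keyword at once. A malformed
    request still gets an answer: the single default type.
    """
    for line in [subject] + body.splitlines():
        if line.lstrip().startswith(">"):
            continue
        for word in _WORD.findall(line.lower()):
            if word in KEYWORDS:
                return word
    return DEFAULT_TYPE


if __name__ == "__main__":
    # Constructed sample requests: (subject, body).
    samples = [
        ("bridges", "get scramblesuit"),
        ("", "plz send bridges"),
        ("Re: bridges", "> get vanilla\n> get fte\nfte please"),
        ("", "obfs3 and scramblesuit"),
    ]
    for subject, body in samples:
        print(repr(body), "->", choose_type(subject, body))
    print(repr(last_token_naive("get obfs3")), repr(last_token("get obfs3")))
```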