On Sun, Sep 01, 2013 at 01:32:23PM +0300, George Kadianakis wrote:
> Kevin P Dyer <kpdyer@gmail.com> writes:
>
>> === How do we invoke PTs?
>>
>> I had this discussion with Roger, but I don't see any open tickets or clear discussion on this already. If we have N>1 PTs and at least one bridge per PT, how do we select which PT (and which bridge associated with that PT) to use? Determinism is bad because then only one PT is used. Booting up all PTs is bad, especially if (say) the PTs make network connections prior to any incoming SOCKS connections. Selecting a random PT is potentially bad, too, depending upon how hostile and persistent and stateful the adversary is.
>
> That's an interesting question. I'm not sure if the process of Tor picking bridges is deterministic or not. I should test it out. David might know.
>
> (A good scenario would be that Tor treats bridges like guards and selects some at random to build circuits.)
I don't know how Tor decides which PT bridges to use. I would guess that it treats them like any other Bridge lines in torrc.
You should see this ticket and blog post: "Config option to declare whether you're using bridges for reachability or for security"
https://trac.torproject.org/projects/tor/ticket/4624
https://blog.torproject.org/blog/different-ways-use-bridge

The idea behind it is that some users want covertness (I need to hide the fact that I am using Tor), and some users want reachability (I need some way to circumvent the firewall). The way I see it, the unstated policy of the PT bundles is to optimize for reachability. By default we launch all the transports we know about, so for example if three transports are blocked and one gets through, that is a success. This doesn't work for the first kind of user, for whom a blocked transport means they have been detected.
This first kind of user is likely to have to take some extraordinary steps while using Tor in any case. I don't think we have a plan for how to make a bundle that, in its default configuration, is safe to use for all such users. However we can make a bundle that does reachability with no special configuration, so that's what we're doing.
The new 3.0 series bundles ask you, on startup, whether you are able to connect directly to Tor or whether you have to do your own manual configuration (like adding bridges). The option to launch only one specific safe transport could in principle be added to such a UI.
David Fifield