I propose that we turn on obfs4's optional packet size and timing obfuscation on some of the default Tor Browser bridges.
The packet size and timing obfuscation can be off (iat-mode=0) or on (iat-mode=1). Currently, all of the default bridges, and probably ≈100% of BridgeDB bridges, have it turned off (iat-mode=0).
As far as I know, iat-mode=1 has never really been tried in practice. The reason I propose trying it is the current blocking situation in Kazakhstan. According to reports, obfs4 (along with meek and vanilla Tor) is blocked there--not only the built-in default bridges, but also secret bridges from BridgeDB. A user on IRC has been experimenting with the Kazakh firewall; the blocking seems to be some sort of probabilistic traffic analysis--it doesn't always block and the rate of blocking depends on the network load. That user would like to have iat-mode=1 set on some of the default bridges to see if it gets through the firewall.
Here are details on the Kazakhstan situation: https://bugs.torproject.org/20348
So I'm thinking it's a good idea to turn on iat-mode=1 on, say, 20% of the default bridges. That'll also be a good hedge against potential future blocking, as we can see if the bridges that use size and timing obfuscation are more resistant. It is safe for the server to turn on iat-mode=1 while the client still has iat-mode=0; the obfuscation will only apply in one direction but the connection will still work.
----
Addendum on how to activate iat-mode=1 on the server

If you built obfs4proxy from source, and you are using commit a7a2575cab or later, you just need to add one line to your torrc:

    ServerTransportOptions obfs4 iat-mode=1

Unfortunately this commit is not yet in a released version.

If you are using a released version, such as obfs4proxy-0.0.6, then you need to specify every other possible parameter in addition to iat-mode. Find the file <datadir>/pt_state/obfs4_state.json, and convert the JSON syntax into key=value syntax in a ServerTransportOptions, for example if obfs4_state.json contains

    {"node-id":"0af6c84b644856255dd858b2b189725db6ded51a","private-key":"d04e61ea38757ef67131a3032709e26bbf77a370aadf3950180fbf797973b365","public-key":"fedde584dc36265f9071ab6f7d845a9ae9e3cea5b9c956b252c1c7849aa2d006","drbg-seed":"5bb4dd59f507a89660c4d313f598ed56f4e9e0a620e129af","iat-mode":0}

then add this to torrc:

    ServerTransportOptions obfs4 node-id=0af6c84b644856255dd858b2b189725db6ded51a private-key=d04e61ea38757ef67131a3032709e26bbf77a370aadf3950180fbf797973b365 public-key=fedde584dc36265f9071ab6f7d845a9ae9e3cea5b9c956b252c1c7849aa2d006 drbg-seed=5bb4dd59f507a89660c4d313f598ed56f4e9e0a620e129af iat-mode=1

You will know you need to do this if, when you try to set iat-mode=1 by itself, you get the tor.log error:

    [warn] Server managed proxy encountered a method error. (obfs4 missing argument 'private-key')
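The JSON-to-torrc conversion described above can be scripted so that no key is dropped or mistyped. This is an added example, not part of the original post or of obfs4proxy; the function name `state_to_torrc` and the sample values are constructed for illustration, and the key names are the ones shown in the sample obfs4_state.json above.

```python
import json
import re
import sys

# Keys as they appear in the obfs4_state.json sample on this page.
REQUIRED = ("node-id", "private-key", "public-key", "drbg-seed")
HEX = re.compile(r"^[0-9a-f]+$")

# Constructed sample input (short made-up hex values, not real key material).
SAMPLE = '{"node-id":"aa11","private-key":"bb22","public-key":"cc33","drbg-seed":"dd44","iat-mode":0}'


def state_to_torrc(state_json, iat_mode=1):
    """Turn the text of obfs4_state.json into one ServerTransportOptions line.

    The iat-mode stored in the file is ignored and replaced by `iat_mode`.
    """
    if iat_mode not in (0, 1):  # the two modes this page discusses
        raise ValueError("iat_mode must be 0 or 1")
    state = json.loads(state_json)
    if not isinstance(state, dict):
        raise ValueError("state file must contain a JSON object")
    missing = [key for key in REQUIRED if key not in state]
    if missing:
        # tor would otherwise fail with "obfs4 missing argument '...'"
        raise ValueError("state file lacks: " + ", ".join(missing))
    parts = []
    for key in REQUIRED:
        value = state[key]
        # Whitespace or '=' inside a value would corrupt the torrc line,
        # so accept only lowercase hex strings, as in the page's sample.
        if not isinstance(value, str) or not HEX.match(value):
            raise ValueError("unexpected value for " + key)
        parts.append(key + "=" + value)
    parts.append("iat-mode=%d" % iat_mode)
    return "ServerTransportOptions obfs4 " + " ".join(parts)


if __name__ == "__main__":
    # Usage: python3 script.py <datadir>/pt_state/obfs4_state.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            print(state_to_torrc(handle.read()))
    else:
        print(state_to_torrc(SAMPLE))
```

The printed line contains the bridge's private key, so it needs the same handling as the state file it was read from.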