On Mon, Nov 14, 2016 at 04:56:03PM -0800, David Fifield wrote:
> I propose that we turn on the obfs4's optional packet size and timing obfuscation on some of the default Tor Browser bridges.
>
> The packet size and timing obfuscation can be off (iat-mode=0) or on (iat-mode=1). Currently, all of the default bridges, and probably ≈100% of BridgeDB bridges, have it turned off (iat-mode=0).
>
> So I'm thinking it's a good idea to turn on iat-mode=1 on, say, 20% of the default bridges. That'll also be a good hedge against potential future blocking, as we can see if the bridges that use size and timing obfuscation are more resistant. It is safe for the server to turn on iat-mode=1 while the client still has iat-mode=0; the obfuscation will only apply in one direction but the connection will still work.
I'm aware of three bridges that changed their iat-mode setting. I opened https://bugs.torproject.org/20837 to make the matching change in the client settings.
These are the changes that are in the patch:

  ndnop3  → iat-mode=1
  ndnop5  → iat-mode=2
  Lisbeth → iat-mode=1

If anyone else changed the setting but didn't tell me, tell me now so I can add it to the patch. If you didn't change anything, you don't need to change anything; 3 out of 19 default bridges is probably enough for now.
By the way, we got a report that iat-mode=1 and iat-mode=2 both worked to get through a particular firewall (and neither worked against another particular firewall). https://lists.torproject.org/pipermail/tor-talk/2016-November/042586.html
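The discussion above is about which share of the default bridge lines carry a non-zero iat-mode. The following is an added example, not code from this thread or from the Tor project: it parses obfs4 bridge lines in the form used by torrc and Tor Browser ("Bridge obfs4 host:port FINGERPRINT cert=... iat-mode=N", with the leading "Bridge" optional) and reports how many bridges have size/timing obfuscation on. Addresses, fingerprints and cert values in the sample are constructed placeholders; the parser requires both cert= and iat-mode= to be present, and only accepts the iat-mode values 0, 1 and 2 named in the thread.

```python
"""Parse obfs4 bridge lines and summarise their iat-mode settings.

Added example for the obfs4 iat-mode discussion; not code from the thread
or from the Tor project. Sample addresses (RFC 5737 range), fingerprints
and cert values are constructed placeholders.
"""
import re
from collections import Counter

# [Bridge] obfs4 <host:port> <40-hex fingerprint> key=value ...
BRIDGE_RE = re.compile(
    r"^(?:Bridge\s+)?obfs4\s+(?P<addr>\S+)\s+(?P<fp>[0-9A-Fa-f]{40})\s+(?P<args>.*)$"
)

# iat-mode=0 is off; 1 and 2 are the two obfuscation modes mentioned above.
VALID_IAT_MODES = {0, 1, 2}

# Constructed sample: five bridge lines, three with obfuscation off.
SAMPLE_BRIDGE_LINES = [
    "Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDERCERT1 iat-mode=0",
    "Bridge obfs4 192.0.2.11:443 1123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDERCERT2 iat-mode=0",
    "Bridge obfs4 192.0.2.12:8080 2123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDERCERT3 iat-mode=0",
    "Bridge obfs4 192.0.2.13:443 3123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDERCERT4 iat-mode=1",
    "obfs4 192.0.2.14:9443 4123456789abcdef0123456789abcdef01234567 cert=PLACEHOLDERCERT5 iat-mode=2",
]


def parse_bridge_line(line):
    """Return {"addr", "fingerprint", "cert", "iat_mode"} for one obfs4 bridge line.

    Raises ValueError for lines that are not obfs4 bridge lines, that lack
    cert= or iat-mode=, or whose iat-mode is outside {0, 1, 2}.
    """
    m = BRIDGE_RE.match(line.strip())
    if not m:
        raise ValueError("not an obfs4 bridge line: %r" % line)
    kv = {}
    for tok in m.group("args").split():
        if "=" not in tok:
            raise ValueError("malformed argument %r" % tok)
        key, value = tok.split("=", 1)
        kv[key] = value
    for required in ("cert", "iat-mode"):
        if required not in kv:
            raise ValueError("bridge line lacks %s=" % required)
    try:
        mode = int(kv["iat-mode"])
    except ValueError:
        raise ValueError("iat-mode is not an integer: %r" % kv["iat-mode"])
    if mode not in VALID_IAT_MODES:
        raise ValueError("unknown iat-mode %d" % mode)
    return {
        "addr": m.group("addr"),
        "fingerprint": m.group("fp").upper(),
        "cert": kv["cert"],
        "iat_mode": mode,
    }


def is_valid_bridge_line(line):
    """True if parse_bridge_line accepts the line, False otherwise."""
    try:
        parse_bridge_line(line)
        return True
    except ValueError:
        return False


def iat_mode_summary(lines):
    """Count bridges per iat-mode value, skipping blank and comment lines."""
    counts = Counter(
        parse_bridge_line(l)["iat_mode"]
        for l in lines
        if l.strip() and not l.lstrip().startswith("#")
    )
    return dict(counts)


def fraction_obfuscated(lines):
    """Share of bridges whose iat-mode is non-zero (obfuscation turned on)."""
    counts = iat_mode_summary(lines)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (total - counts.get(0, 0)) / total


if __name__ == "__main__":
    print("iat-mode counts:", iat_mode_summary(SAMPLE_BRIDGE_LINES))
    print("fraction with obfuscation on: %.2f" % fraction_obfuscated(SAMPLE_BRIDGE_LINES))
```

Run against the real default bridge list, fraction_obfuscated gives the figure to compare with the 20% target proposed above; any line that fails is_valid_bridge_line is one to look at before shipping a patch that edits bridge lines.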