Hi isis
I don't want to speak for the Tor Browser Team, but I think we'd be happy to take you up on it. I can add your obfs4 bridges to Tor Browser's default bridges, or—if you would be excited to write the patch—I can show you where/what to edit. Please let me know which you'd prefer.
It's maybe better done by the experts - means not me :)
Please don't paste it here on the list, but we'll need the IP(s), obfs4 ports, fingerprints, and bridgelines for your bridges. The fingerprint should be in $DATA_DIRECTORY/fingerprint and the bridgeline should be in $DATA_DIRECTORY/pt_state/obfs4_bridgeline.txt.
All is here. Where shall I ship this stuff?
Thanks again!
It's my pleasure.
Felix transcribed 1.2K bytes:
Hi isis
I don't want to speak for the Tor Browser Team, but I think we'd be happy to take you up on it. I can add your obfs4 bridges to Tor Browser's default bridges, or—if you would be excited to write the patch—I can show you where/what to edit. Please let me know which you'd prefer.
It's maybe better done by the experts - means not me :)
Please don't paste it here on the list, but we'll need the IP(s), obfs4 ports, fingerprints, and bridgelines for your bridges. The fingerprint should be in $DATA_DIRECTORY/fingerprint and the bridgeline should be in $DATA_DIRECTORY/pt_state/obfs4_bridgeline.txt.
All is here. Where shall I ship this stuff?
Thanks again!
It's my pleasure.
Hey Felix,
If you send it to isis@torproject.org, I'll make a patch. The ticket for this is:
https://trac.torproject.org/projects/tor/ticket/23166
Best regards,
On Thu, Aug 10, 2017 at 12:02:16AM +0000, isis agora lovecruft wrote:
If you send it to isis@torproject.org, I'll make a patch. The ticket for this is:
Felix, we usually ask operators of default bridges to configure these settings in torrc:
    AssumeReachable 1
    BridgeRelay 1
    ExtORPort auto
In addition, it is best if you use a firewall to block the bridge's regular ORPort (while leaving the obfs4 port unblocked). Blocking the bridge's ORPort is a hack to prevent the bridge from being included in BridgeDB, which eliminates a couple of ways a censor might discover and block the bridge: 1) by enumerating BridgeDB, and 2) by fingerprinting plain-Tor connections to the bridge's IP address (made by users who discovered the plain-Tor port through BridgeDB).
Hi David
Thanks for the guidance.
Felix, we usually ask operators of default bridges to configure these settings in torrc: AssumeReachable 1
Done.
BridgeRelay 1
Was already done.
ExtORPort auto
I set my jail IP and port here.
In addition, it is best if you use a firewall to block the bridge's regular ORPort (while leaving the obfs4 port unblocked). Blocking the bridge's ORPort is a hack to prevent the bridge from being included in BridgeDB, which eliminates a couple of ways a censor might discover and block the bridge: 1) by enumerating BridgeDB, and 2) by fingerprinting plain-Tor connections to the bridge's IP address (made by users who discovered the plain-Tor port through BridgeDB).
Done.
All is restarted and TBB obfs4 connects still fine.
I have set up some Fallbacks of my own choice for the bridges. ok?
The bridges NAT to real guard IPs. A mid relay will never see the bridges' IP. ok?
On Thu, Aug 10, 2017 at 11:19:59PM +0200, Felix wrote:
ExtORPort auto
I set my jail IP and port here.
Setting to "auto" is good enough. Don't configure an external IP address for ExtORPort. "auto" will cause it to listen on 127.0.0.1 on a random port.
ExtORPort is only used for localhost communication between obfs4proxy and tor. It shouldn't be exposed externally. It's needed in order to have the bridge contribute to user metrics.
I have set up some Fallbacks of my own choice for the bridges. ok?
You mean fallback directories? I don't know, it sounds okay.
The bridges NAT to real guard IPs. A mid relay will never see the bridges' IP. ok?
That is okay.
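Added example, not part of the original thread: a small Python check of a torrc against the default-bridge settings David lists above (AssumeReachable 1, BridgeRelay 1, ExtORPort on localhost only). The sample torrc text and the 192.0.2.10 address are constructed, the function names are hypothetical, and the firewall rule for the ORPort is outside what this check covers.

```python
import ipaddress

# Settings named in the thread for default bridges.
REQUIRED = {"assumereachable": "1", "bridgerelay": "1"}

# Constructed sample inputs (not anyone's real configuration).
GOOD = "BridgeRelay 1\nAssumeReachable 1\nExtORPort auto\n"
BAD = "AssumeReachable 1\nExtORPort 192.0.2.10:4444  # constructed address\n"

def parse_torrc(text):
    """Return {lowercased option: [values]}; torrc option names are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)          # option, then the rest of the line
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def extorport_is_local(value):
    """True for 'auto' or a loopback address:port."""
    # Assumption: a bare port number binds to tor's default loopback address.
    if value.lower() == "auto" or value.isdigit():
        return True
    host = value.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname or unparsable value: flag it

def check_default_bridge(text):
    """Return a list of findings; an empty list means the settings match the thread's advice."""
    opts = parse_torrc(text)
    findings = []
    for key, want in REQUIRED.items():
        if opts.get(key, [None])[-1] != want:  # last occurrence wins here
            findings.append(f"{key} should be {want}")
    ext = opts.get("extorport")
    if not ext:
        findings.append("extorport is not set (use 'auto')")
    elif not all(extorport_is_local(v) for v in ext):
        findings.append("extorport listens on a non-loopback address")
    return findings

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_default_bridge(sample))
```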
On Thu, Aug 10, 2017 at 02:32:00PM -0700, David Fifield wrote:
The bridges NAT to real guard IPs. A mid relay will never see the bridges' IP. ok?
That is okay.
That is more than ok -- it is a nice feature. :)
It takes care of attacks 2, 3, 4, and 5 on https://blog.torproject.org/blog/research-problems-ten-ways-discover-tor-bri...
--Roger
On 11 Aug 2017, at 07:32, David Fifield david@bamsoftware.com wrote:
I have set up some Fallbacks of my own choice for the bridges. ok?
You mean fallback directories? I don't know, it sounds okay.
Bridges download their first consensus from a fallback (or authority). Bridges select directory guards from the live consensus. Clients use the bridge as their only directory guard.
It might also enable some attacks via the bridge's unique set of fallbacks:
* if all the fallbacks are down, the bridge will use the directory authorities (this is ok)
* if all the fallbacks provide outdated consensuses, the bridge might go down (this is bad)
* if all the fallbacks provide a restricted set of descriptors, then the other descriptors will be fetched from the bridge's directory guards (this is ok)
I haven't thought about it much, I think it's ok, but using the defaults (plus extra fallbacks if you want) could be safer.
T
--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
Hi isis
I don't want to speak for the Tor Browser Team, but I think we'd be happy to take you up on it. I can add your obfs4 bridges to Tor Browser's default bridges, or—if you would be excited to write the patch—I can show you where/what to edit. Please let me know which you'd prefer.
It's maybe better done by the experts - means not me :)
Please don't paste it here on the list, but we'll need the IP(s), obfs4 ports, fingerprints, and bridgelines for your bridges. The fingerprint should be in $DATA_DIRECTORY/fingerprint and the bridgeline should be in $DATA_DIRECTORY/pt_state/obfs4_bridgeline.txt.
All is here. Where shall I ship this stuff?
Hey Felix,
If you send it to isis at torproject.org, I'll make a patch.
You should have received it some days ago. If it is missing please tell me.
The ticket for this is:
Should I better switch to the ticket for discussing technical topics (rather than on tor-project)?
Felix transcribed 1.1K bytes:
You should have received it some days ago. If it is missing please tell me.
Thanks, got it! The branch with the patch in it is on the ticket.
Should I better switch to the ticket for discussing technical topics (rather than on tor-project)?
It's fine to discuss things here or the ticket. The ticket would be better suited perhaps for more specific technical discussions, like about a certain patch or configuration, than general questions/discussion on running default bridges.
Best regards,
tor-project@lists.torproject.org