On Sat, Oct 12, 2019 at 12:09:20AM +0200, Marco Gruß wrote:
I have been running 2 middle relays for a while and now fired up an obfs4 bridge (in a relay-free AS no less ;) as well.
Great!
I've been thinking, as MyFamily is a no-no for bridges, how about firewalling the bridge from my nodes? If I add rules on my bridge that prevent it from connecting to my other relays and prevent my other relays from connecting to it (using iptables' -j REJECT, which results in a "connection refused", as if the tcp port was closed), it would be technically impossible for my bridge to inadvertently build a circuit through one of my other relays. (Well, it could of course still choose them as the second hop.)
Does this make any sense at all? Will this break stuff?
It does make sense.
A little bit against: it will break stuff a little bit, in that clients that use your bridge will sometimes fail to make the circuit they wanted, because they won't be able to extend from your bridge to those relays. There's already some uncertainty around how many links between relays are broken, and why they might be broken, so intentionally adding more breakage will make those questions more confusing. Not a big deal if a few bridges do it, but could get messy if many do.
A little bit in favor: it will indeed avoid circuits that use your relays for the first two hops. This is actually a bigger deal than you describe above, because circuits that use bridges are still only three hops total ("bridge - middle - exit"), so if a user picks your bridge and your middle relay, then there's only the exit relay left that is not yours.
A little bit against: because these circuits are only three hops, there is a low-impact low-probability anonymity issue with doing what you describe: if a user does the same activity repeatedly over time, and that activity is recognizable (linkable) by the exit relay (e.g. logging into a non-https website or going to a really rare destination), then an attacker running some exit relays will be able to build a profile over time of what middle hops the person uses, and notice that they never use your middle hops, and conclude that maybe they're using your bridge as their first hop. Not a big deal, but it's an example of how anonymity analysis can get really tricky.
I would say that if you're excited to do it, it won't hurt much and might help a bit so feel free. But if not you shouldn't. And it would be a shame if many people started doing it, because the two "little bit against" points get a little bit worse when the behavior is more common.
Hope this helps, --Roger