On Wed, Aug 15, 2012 at 11:55:55AM +0800, Lorenz Kirchner wrote:
> I'm not a Tor expert, but I am in China and have been using Tor... I brought this up before and I still feel that Tor would benefit from having special (entry) relays inside the GFW that have a reliable link to relays outside the GFW. Clients inside the GFW could then always connect to these relays. Actually, probably tens of thousands of people have VPN connections and they could host such relays to provide access to clients, even ones that might be completely blocked from accessing addresses outside the GFW, which, sadly, is not so uncommon either.
I guess that would require a modification of the path selection on the client side. Usually, Tor clients randomly pick relays weighted by bandwidth. Unless the Chinese relays provided an enormous amount of bandwidth, they would barely get selected by clients, which leads to a poor user experience.
Perhaps it's better to focus on improved bridge distribution strategies [0] and hard-to-block transport protocols [1]. Also, that would be a universal solution which would also help in other countries and not a specific - and probably hard to maintain - Chinese-only solution.
> Of course it would be great to reveal as little information as possible about such special relays in public... and continue to make the Tor connections as inconspicuous as possible.
I guess the firewall operators would notice quite soon when Chinese relays started popping up in the consensus, or am I missing something here? And as soon as something is in the consensus, it's particularly easy to block.
> 20 Mbit fiber connections are rapidly becoming commonplace in China. VPNs are commonplace already, and I think in the case of the GFW the Tor project could make use of this situation.
Aren't these 20 Mbit only achievable with domestic traffic? I thought that international traffic gets throttled a lot in China?
> I'd love to see some sort of easily deployable Tor relay package that could listen on both the Chinese and the VPN address and relay traffic between the two...
For what it's worth, I and a few others are running bridges with the brdgrd tool [2]. The tool rewrites the first announced window size of a bridge and hence "forces" the client to split its cipher list in two halves. That way, the firewall has not been able to recognize Tor so far. The handy thing is, it only requires modification of bridges and not clients.
Philipp
[0] https://blog.torproject.org/blog/bridge-distribution-strategies
[1] https://www.torproject.org/docs/pluggable-transports.html.en
[2] https://github.com/NullHypothesis/brdgrd
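An added illustration (not part of this thread and not brdgrd's own code) of why splitting the cipher list across two TCP segments matters: a small Python model builds a minimal TLS ClientHello, segments it the way a client would when the server advertises a small initial window, and runs it past two toy DPI rules. The cipher-suite list, the single-contiguous-string "signature", and the window arithmetic are constructed assumptions for the example; they are not the real Tor handshake fingerprint or the firewall's actual rule.

```python
import struct

# Constructed cipher-suite list (valid TLS suite IDs, but not a claim about
# what any Tor version sends). The toy "signature" matches the whole list as
# one contiguous byte string; this is an assumption about how a per-segment
# DPI rule might look, not the GFW's real rule.
CIPHER_SUITES = [0xc00a, 0xc014, 0x0039, 0x0038, 0xc00f, 0xc005,
                 0x0035, 0xc007, 0xc009, 0xc011, 0xc013, 0x0033]
SIGNATURE = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
MSS = 1460           # typical TCP segment size on an Ethernet path
RANDOM = b"\x11" * 32  # fixed 32-byte client random for reproducibility


def build_client_hello(cipher_suites, client_random=RANDOM):
    """Minimal TLS 1.0 ClientHello record with no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x01"                              # client_version
            + client_random                          # 32-byte random
            + b"\x00"                                # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def cipher_list_span(cipher_suites):
    """(start, end) byte offsets of the cipher-suite list inside the record:
    record header 5, handshake header 4, version 2, random 32, sid len 1,
    suites len 2."""
    start = 5 + 4 + 2 + len(RANDOM) + 1 + 2
    return start, start + 2 * len(cipher_suites)


def segment(payload, initial_window, mss=MSS):
    """Model of the client's TCP sender: the first segment is capped by the
    window the server advertised in its SYN/ACK; after that data is ACKed
    the window opens and the rest goes out in MSS-sized segments."""
    first = min(initial_window, mss)
    segs = [payload[:first]]
    segs += [payload[i:i + mss] for i in range(first, len(payload), mss)]
    return segs


def stateless_dpi(segments, signature=SIGNATURE):
    """DPI that inspects each segment on its own, with no TCP reassembly."""
    return any(signature in seg for seg in segments)


def reassembling_dpi(segments, signature=SIGNATURE):
    """DPI that reassembles the byte stream before matching."""
    return signature in b"".join(segments)


def halving_window(cipher_suites=CIPHER_SUITES):
    """Initial window that cuts the cipher list into two halves."""
    start, end = cipher_list_span(cipher_suites)
    return (start + end) // 2


def run(initial_window):
    """Segment one ClientHello under the given initial window and report
    what each kind of DPI sees."""
    segs = segment(build_client_hello(CIPHER_SUITES), initial_window)
    return {"segments": len(segs),
            "stateless_match": stateless_dpi(segs),
            "reassembled_match": reassembling_dpi(segs)}


if __name__ == "__main__":
    print("normal window:      ", run(65535))
    print("brdgrd-style window:", run(halving_window()))
```

With a normal window the whole ClientHello rides in one segment and both rules fire; with the halved window the list is split across two segments, so a per-segment matcher never sees it while a reassembling one still does. That is the limit of the trick as described in the message: it relies on the firewall not reassembling the stream.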