[anti-censorship-team] Better bridge distribution methods

soncyq47 soncyq47 at protonmail.com
Sat May 2 01:57:35 UTC 2020


There are 4 parts.

-- /1./ --

For those that are new let me explain my discussion with Philipp Winter.

I suggest a browser fingerprinting based bridge distribution.

Each fingerprint only gets one bridge, so if you keep automatically asking you just keep getting the same address over and over.

I can tell you that it is almost impossible to exhaustively spoof a fingerprint, and we can use that to our advantage. We can group similar fingerprints together so that it doesn't matter if someone spoofs a few things. And we should ignore the user-agent.

>>I think I'm missing something here. Doesn't it suffice for an adversary to tamper with a single feature to create a new browser fingerprint, and thus obtain different bridges? I suppose it would depend on how the server derives its fingerprints.<<

Like I said: Once we've given out all the bridges to each unique fingerprint then we start grouping new fingerprints to the nearest match.

In other words we assume the first users are more legitimate, and the GFW comes along later. So in the beginning we give out a new bridge to a fingerprint that is anyhow different from one we’ve seen before, and once we’ve given them all out (that we are willing to give out through fingerprinting), then if a new fingerprint comes along, he gets the same bridge as the fingerprint that had the highest quantity of same aspects to it. This defeats partial spoofing. Like I said, full spoofing is near impossible.

-- /2./ --

>>I know lots of people in China using Linode and Google Cloud which also a credit card. They only support the credit card like VISA or MasterCard instead of China UnionPay card. So it isn't too hard if someone wants to get the card, especially is GFW who be described as "unlimited fund" by GFW technology review blog.

They don't block the IP just because a few people use it. Yes, the credit card it did block a lot of people:(<<

Thanks Tom for clearing up my misunderstanding.

-- /3./ --

Why not switch Obfs4 bridges to dynamic IPs and remove UpdateBridgesFromAuthority? This would make it like WAY more blocking resistant.

-- /4./ --

I take back what I said, I reckon the Salmon algorithm is currently the best proxy distribution we have. I’m planning to read the paper, but just from what I’ve seen from the talk... https://www.invidio.us/watch?v=RO3wXRn8BfY

… I see one major vulnerability: what if the GFW gets just one bridge, then creates thousands of accounts (which there is no barrier for), then sends an invite across all of those accounts, then waits for trust level to get high, and all of those accounts get a new bridge, repeat until you know all the bridges, then only block them all in one go once they have all the addresses.

The solution is to put a limit on how many addresses are given out per account with knowledge of a certain bridge. Basically extending the recommendation grouping so that every bridge which accounts know only allows for a finite quantity of new bridges to be received. So an adversary that has one address can’t crawl the whole network, but only a fraction of it.

Another but minor weakness, I don’t think social network based distribution would scale well compared to fingerprinting based distribution.

I’m not claiming to know it all but hopefully my thoughts are helpful.
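
The assignment rule proposed in part 1, as an added sketch that is not part of the original message and not BridgeDB code. The class name, the feature names and the bridge labels are constructed for illustration, and the tie-break toward the earliest fingerprint is an assumption.

```python
from typing import Dict, List, Tuple

Fingerprint = Dict[str, str]
IGNORED = {"user_agent"}  # the message proposes ignoring the user-agent


class FingerprintDistributor:
    """One bridge per distinct fingerprint; after the pool runs out, nearest match."""

    def __init__(self, bridges: List[str]) -> None:
        self._pool = list(bridges)                       # bridges not yet handed out
        self._known: List[Tuple[Fingerprint, str]] = []  # in arrival order

    @staticmethod
    def _shared(a: Fingerprint, b: Fingerprint) -> int:
        """Number of features on which two fingerprints agree."""
        return sum(1 for k, v in a.items() if b.get(k) == v)

    def request(self, raw: Fingerprint) -> str:
        fp = {k: v for k, v in raw.items() if k not in IGNORED}
        for known, bridge in self._known:
            if known == fp:  # repeat request: same address again
                return bridge
        if self._pool:  # early phase: any new fingerprint gets a new bridge
            bridge = self._pool.pop(0)
            self._known.append((fp, bridge))
            return bridge
        if not self._known:
            raise RuntimeError("no bridges configured")
        # Pool exhausted: reuse the bridge of the fingerprint sharing the most
        # features. max() keeps the first maximum, so ties go to the earliest
        # fingerprint (assumption of this sketch). Grouped fingerprints are not
        # stored, so server state stays bounded by the pool size.
        return max(self._known, key=lambda e: self._shared(fp, e[0]))[1]


if __name__ == "__main__":
    # Constructed sample data; bridge names are placeholders.
    d = FingerprintDistributor(["bridge-A", "bridge-B"])
    alice = {"canvas": "c1", "fonts": "f1", "screen": "1920x1080", "user_agent": "ua1"}
    bob = {"canvas": "c2", "fonts": "f2", "screen": "1366x768", "user_agent": "ua2"}
    print(d.request(alice), d.request(bob))           # two distinct bridges
    print(d.request({**alice, "canvas": "spoofed"}))  # grouped with alice
```

While unassigned bridges remain, a fingerprint that differs in any feature still receives a fresh bridge, so the grouping only takes effect after the pool is exhausted, as the message describes.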