[tor-bugs] #12673 [Pluggable transport]: New fte bridges

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 25 04:53:21 UTC 2014


#12673: New fte bridges
-------------------------------------+------------------------------
     Reporter:  kpdyer               |      Owner:  asn
         Type:  enhancement          |     Status:  closed
     Priority:  normal               |  Milestone:
    Component:  Pluggable transport  |    Version:
   Resolution:  fixed                |   Keywords:  MikePerry201407R
Actual Points:                       |  Parent ID:
       Points:                       |
-------------------------------------+------------------------------

Comment (by mikeperry):

 Replying to [comment:9 kpdyer]:
 > Replying to [comment:8 mikeperry]:
 > > Replying to [comment:7 kpdyer]:
 > > > Hi Mike,
 > > >
 > > > - If we can't use DNS, we'll need to remove the IPv6 bridge for now. That was using DNS load balancing on AWS, and there's no guarantee that the IPv6 address will stay the same.
 > >
 > > Hrmm. If there is no way to get a fixed IPv6 IP, then we'll have to remove the lines. This is a shame, though, because IPv6 is pretty much completely uncensored everywhere, afaik.
 >
 > I could find another provider that can host an IPv6 fte bridge. How much time do I have before the next tag+release?

 I will merge an IPv6 bridge as soon as you have it. Who knows when our
 next release will be, though. Anywhere between 1 day and 5 weeks from now.

 > > > - Can you remind me why we shouldn't use DNS names in the bridge lines?
 > >
 > > Because the DNS resolution happens outside of Tor before it has a circuit. This means that it is both a blocking point for the adversary (who might even be able to use their existing IPv4 DNS censorship infrastructure to block the resolution, depending on how DNS is configured on the client), as well as a clear signal that Tor is in use by that client, since it is cleartext.
 >
 > It's not clear to me why this is worse, if we have DNS bridges in addition to hard-coded bridges.

 From my POV, DNS doesn't add anything, and seems to introduce new risks
 and blocking points, especially for IPv6.

 > Do you mind if I bring this discussion to tor-dev?

 Sure, go ahead. It might be useful to get a second opinion on this,
 especially if you believe that DNS improves our blocking resistance
 somehow (which I also do not see how it would).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12673#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
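
The check discussed in this comment, as an added example that is not part of the ticket or of any Tor code: a small linter that separates bridge lines with IP literals from lines that would need a DNS lookup before a circuit exists. It assumes the `[Bridge] [transport] address:port [fingerprint]` layout; the function names, addresses (documentation ranges) and fingerprint are constructed for illustration.

```python
import ipaddress

# Constructed sample lines; addresses are documentation ranges and the
# fingerprint is a placeholder, none of them come from the ticket.
FPR = "0" * 40
SAMPLE_LINES = [
    f"fte 192.0.2.10:8080 {FPR}",
    f"Bridge fte [2001:db8::10]:8080 {FPR}",
    f"fte fte-bridge.example.net:8080 {FPR}",
]

def classify_bridge_line(line):
    """Return (transport, kind, host, port); kind is ipv4, ipv6 or hostname."""
    fields = line.split()
    if fields and fields[0].lower() == "bridge":   # leading keyword is optional here
        fields = fields[1:]
    transport = None
    if fields and ":" not in fields[0]:            # transport names carry no port
        transport, fields = fields[0], fields[1:]
    if not fields:
        raise ValueError(f"no address in bridge line: {line!r}")
    host, sep, port = fields[0].rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"expected host:port, got {fields[0]!r}")
    bracketed = host.startswith("[") and host.endswith("]")
    if bracketed:
        host = host[1:-1]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the client must resolve it in cleartext,
        # outside Tor, before any circuit exists.
        return transport, "hostname", host, int(port)
    if (ip.version == 6) != bracketed:
        raise ValueError(f"IPv6 needs [brackets], IPv4 must not: {fields[0]!r}")
    return transport, f"ipv{ip.version}", str(ip), int(port)

def dns_dependent(lines):
    """Bridge lines whose address needs a DNS lookup before Tor can connect."""
    return [l for l in lines if classify_bridge_line(l)[1] == "hostname"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_bridge_line(line))
    print("needs pre-circuit DNS:", dns_dependent(SAMPLE_LINES))
```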

