[tor-bugs] #16995 [BridgeDB]: Splitting the pool of bridges by seperating people depending on typing cadence

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 7 21:35:44 UTC 2015


#16995: Splitting the pool of bridges by seperating people depending on typing
cadence
-----------------------------+---------------------------------------------
     Reporter:  elypter      |      Owner:  isis
         Type:  enhancement  |     Status:  closed
     Priority:  normal       |  Milestone:
    Component:  BridgeDB     |    Version:
   Resolution:  worksforme   |   Keywords:  bridge-dist, bridgedb-https, ml
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------------------------------
Changes (by isis):

 * status:  new => closed
 * keywords:   => bridge-dist, bridgedb-https, ml
 * resolution:   => worksforme


Comment:

 Replying to [ticket:16995 elypter]:
 > with OCR getting better and better captchas soon wont be able to provide
 enough protection against bots fetching bridges anymore. but even if it
 was safe enough a censor could still hire a cheap worker to type in
 captchas all day long.

 CAPTCHAs (and many other Proof-of-Work systems) already provide little-to-
 no protection against enumeration. We do not intend to continue their
 usage in the long term for new Bridge distribution systems which we
 develop.

 The current plan for moving forward is to create a new Bridge Distributor
 (#7520) which uses a variant of the
 [https://people.torproject.org/~isis/papers/rBridge:%20User%20Reputation%20based%20Tor%20Bridge%20Distribution%20with%20Privacy%20Preservation.copy%20with%20notes.pdf
 rBridge] scheme in order to anonymously record "good behaviour points" for
 Bridge users whose Bridges do not routinely become blocked. These "good
 behaviour points" may later be "spent" by a well-behaved user in order to
 obtain new Bridges or to invite friends into the system. Once this system
 is in place, and a suitable user-friendly mechanism exists within Tor
 Browser to interact with it, my plan is to allocate an increasing majority
 of new Bridges to that system. (The HTTPS and Email Distributors will be
 left in place, but will eventually contain only a minor portion of the
 total Bridges.)

 Due to the overwhelming number of development hours required to implement
 this new Distributor, I will not have time to develop major improvements
 to the HTTPS and Email Distributors. Further, I would argue that doing so
 would be a waste of time, since, as mentioned above, these Distributors
 will not contain very many Bridges. However, I would gladly encourage you
 to contribute patches for less time-consuming anti-enumeration
 improvements to either the HTTPS or Email Distributors.

 > if you let a neural network group people by typing cadence and only
 supply a group with a subset of the bridges then a single person/bot will
 never be able to pull the whole database.

 As
 [https://trac.torproject.org/projects/tor/ticket/16995?replyto=description&reply=%E2%86%B3+Reply#comment:1
 mentioned by Yawning above], we already have
 [https://pythonhosted.org/bridgedb/bridgedb.https.html#bridgedb-https-
 distributor simpler measures in place] which provide precisely the same
 protection properties (in addition to grouping users by IP address subnet,
 we also rotate hashrings at regular intervals).  Also,
 [https://trac.torproject.org/projects/tor/ticket/1517 Tor Browser
 truncates timestamps], including those which could be used by a webapp to
 fingerprint user typing cadence.

 Further, neural networks are likely overkill for this particular
 application. Using an
 [https://en.wikipedia.org/wiki/Support_vector_machine SVM] or even
 [https://en.wikipedia.org/wiki/K-nearest_neighbors_algorithm k-NN] would
 be a more manageable approaches. If you wish to play with doing so in
 Python, I'd encourage you to check out the various classification
 algorithms provided by [http://scikit-learn.org/stable/ the Scikit
 project].

 Closing for now, since I've no plans to implement anything like this, but
 please feel free to reopen if you'd like to contribute patches.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16995#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list