[tor-bugs] #32740 [Circumvention/BridgeDB]: Implement a feedback loop between BridgeDB and OONI
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 14 01:51:36 UTC 2020
#32740: Implement a feedback loop between BridgeDB and OONI
-------------------------------------------------+-------------------------
Reporter: phw | Owner: phw
Type: project | Status:
| assigned
Priority: Medium | Milestone:
Component: Circumvention/BridgeDB | Version:
Severity: Normal | Resolution:
Keywords: s30-o23a2, anti-censorship-roadmap- | Actual Points:
2020Q1 |
Parent ID: #31280 | Points: 10
Reviewer: | Sponsor:
| Sponsor30-must
-------------------------------------------------+-------------------------
Comment (by phw):
Thanks for your feedback!
Replying to [comment:5 cohosh]:
> I'm mostly thinking about this from a bridge enumeration standpoint at
the moment, since this opens up another vector for attack. I guess my
first question here, is what are we most interested in learning from this?
Is it whether specific bridges have been blocked in specific places, or
that countries X, Y, and Z are very effective at blocking bridges of type
A?
[[br]]
It's the former. We want censorship measurement platforms to tell us if a
given bridge is reachable in country X. BridgeDB already has code that
takes into account where a bridge is blocked and where a user is from. The
goal is to optimise bridge distribution, so users end up with bridges that
are (most likely) unblocked in their country.
[[br]]
> If we do want to know when and where each specific bridge is blocked,
then we should make sure we know how useful this information is to us and
what we're going to do with it. If it's not useful, perhaps we should re-
evaluate whether it's worth the exposure. Or if there's a less risky (more
passive) way to get this information.
[[br]]
I suggest we start with low-risk bridges like our default bridges (which
are already public anyway) and bridges in our HTTPS/Proxy bucket. We lose
little to nothing if these bridges get into our adversaries' hands.
[[br]]
> > * Arturo mentioned that OONI probes may not talk to wolpertinger
directly, but rather proxy their requests over OONI's infrastructure. In
this case, we don't need to worry about making wolpertinger resistant to
censorship, but we may still want to make it available over domain
fronting so we are prepared for a future in which censorship measurement
probes (which are unlikely to be able to talk to *.torproject.org) connect
directly.
>
> Another question for the OONI side of things: are all OONI clients
testing each bridge? Or just a subset of them? A subset will again limit
exposure and make it difficult for a censor to be able to enumerate
bridges just by running an OONI client.
[[br]]
That's a great question and I don't have satisfying answers yet. But I
agree that we should start with a small set of bridges and iterate as we
gain experience. We should at least build this system in a way that it
doesn't make it easier for an adversary to collect bridges.
[[br]]
> I like this design for now where OONI gets the bridge information and
distributes it to probes as opposed to probes asking for it directly. This
is much easier for us to secure and I'm not sure we'd ever want to the
latter situation because of the potential for enumeration.
[[br]]
Yes, agreed.
[[br]]
> >- When requesting a bridge to test, a censorship measurement probe
should tell us the country it's in. We may also want to know its
autonomous system. What else do we want to know?
> A timestamp for sure. I think it would be useful for the same probe to
try multiple times within some time frame (4x/day for 2-3 days).
[[br]]
I don't follow: do you mean an OONI probe should embed a timestamp when
requesting a bridge to test? Why do we want a probe to request bridges
multiple times per time frame?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32740#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list