[tor-commits] [tor-design-2012/master] Add discussion of bridges, censorship resistance, and pluggable transports

sjm217 at torproject.org sjm217 at torproject.org
Mon Nov 12 17:24:23 UTC 2012


commit 1ca57049a6858a4efb2baa14cf31e4a874b9e4ec
Author: Steven Murdoch <Steven.Murdoch at cl.cam.ac.uk>
Date:   Mon Nov 12 17:24:07 2012 +0000

    Add discussion of bridges, censorship resistance, and pluggable transports
---
 todo                |    2 +-
 tor-design-2012.tex |   39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletions(-)

diff --git a/todo b/todo
index 3c4e430..ac44c7f 100644
--- a/todo
+++ b/todo
@@ -19,7 +19,7 @@ ITEMS:
      o Cell queueing and scheduling.
    . Integrate content from the second blog post [steven]
      o guard nodes
-     - Bridges, censorship resistance, and pluggable transports
+     o Bridges, censorship resistance, and pluggable transports
      - Changes and complexities in our path selection algorithms
      o stream isolation
    . Integrate content from the third blog post [steven]
diff --git a/tor-design-2012.tex b/tor-design-2012.tex
index d163891..2f48cbb 100644
--- a/tor-design-2012.tex
+++ b/tor-design-2012.tex
@@ -1953,6 +1953,45 @@ in source code form, encourage source audits, and frequently
 warn our users never to trust any software (even from us) that
 comes without source.\\
 
+\emph{Block access to the network.} An attacker who controls a
+user's Internet connection can block access to the Tor network
+by blocking connections to the directory authorities and/or Tor
+nodes. The IP addresses of the former are embedded in every copy
+of Tor and the IP addresses of the latter can be easily found by
+asking the directory authorities. Tor resists this attack by
+having an additional type of OR -- the ``bridge node'' which is
+distinguished from other ORs by not having its IP address
+included in the directory. Operators of bridge nodes publish
+their IP address to a single bridge authority which distributes
+IP addresses to users in a way to resist an attacker being able
+to enumerate (and thus block) them all. Currently bridge IP
+addresses are made available on a website (where requests from
+the same source IP address always get the same answer) and via
+email (where requests from the same email address always get the
+same answer). Bridge IP addresses are also distributed by
+personal contacts.
+
+Bridges resist blocking access to the Tor network by IP address,
+but do not prevent an attacker blocking by protocol fingerprint.
+Tor's use of TLS is designed to provide some resistance against
+this attack, through impersonating HTTPS, but due to efficiency
+and simplicity considerations, it does not give perfect
+protection. Steganographic transports (e.g. embedding data in
+images) would improve resistance to fingerprinting but at a high
+cost to effeciency so would not be appropriate for all users.
+Also, users in some countries may need to disguise their traffic
+as different protocols due to particular policies in place.
+Therefore the protocol-fingerprinting-resistance part of Tor has
+been left the responsibility of an external ``pluggable
+transport'' program, which is responsible for obfuscating Tor's
+TLS traffic at the OP end, and converting it back to TLS at the
+bridge. Since the pluggable transport operates on TLS
+ciphertext, which would otherwise be sent directly over the
+network, it can't harm the security properties Tor provides, and
+so Tor users can accept pluggable transports written by
+third-parties, as long as they are confident the software is not
+malicious.
+
 \noindent{\large\bf Directory attacks}\\
 % This whole section is mostly wrong now. -NM
 % Needs a discussion of epistemic attacks. -NM



More information about the tor-commits mailing list