More thoughts on bridge distribution strategies

Nick Mathewson nickm at
Thu Dec 17 22:21:14 UTC 2009

On Mon, Dec 07, 2009 at 08:12:20PM -0500, Roger Dingledine wrote:
> Practically speaking, what we expect to see for the next months is
> people mostly ignoring us with perhaps one or two days where they put
> in a lot of effort. They're not (yet) rolling out automated enumeration
> programs that run 24/7 and try to block bridges in real-time.

Right.  I would expect this trend to continue for about as long as it
seems to continue to work okay for them.  After all, the typical
censors already have extensive experience in and ample
hardware/software support for the "use manpower to find all the IPs
for X and block them all" model of censorship.  So long as that model
works well enough to seriously inconvenience most users, they've not
got much incentive to work harder at it.

> Conclusion #4 is that we need to automate some other distribution
> approaches.

I think something else we really need to do here is stop trying to do
all the bridge distribution R&D ourselves.  This is a case where a
diversity of good approaches will help, not hurt, privacy... and we'll
get more approaches if we work better with people who want to develop

In my ideal world, we'd assign bridges to one or more distributors,
some of which would be our existing email/twitter/web schemes, some of
which would be informal social networks, some of which would be crazy
captcha-based systems developed by third parties, and so on.  We'd try
to track, for each bridge, whether it was used and whether it was
blocked by various censors.  We'd then try to infer which distributors
were good at getting bridges used where, and which were bad at keeping
bridges from getting blocked by whom.

Instead of leaving many bridges completely unused, we'd either assign
them to distributors with low (but nonzero) usage and very low
blocking, or assign them to distributors with a fairly local

Roger will doubtlessly be recalling the papers he worked on ages ago
about the limits of resisting insider attacks against in reputation
systems of this kind, but I think something like this could be a
positive step in the arms race.

Of course, right now it's all handwaving on my part.  Somebody needs
to sit down and work out the math.  I've gotten a little progress made
here; once I'm farther along I'll ask some of the usual suspects whether
they're interested in coauthoring a paper.

Nick Mathewson

More information about the tor-dev mailing list