[tor-dev] Internet-wide scanning for bridges

Vlad Tsyrklevich vlad at tsyrklevich.net
Wed Dec 17 21:19:28 UTC 2014


I totally agree with you, the ideal solution is for bridges to be secure
by default: Either by getting rid of the ORPort for bridges and
requiring the use of PTs, or changing the behavior of 'auto' for ports and
having ORPort be set to auto by default. However, these changes don't
appear trivial to me. I do plan to also update the documentation to use
'ORPort auto' for bridges, but I think it's also useful to nudge bridge
operators to a safer configuration in the short term (the same way tor
already does for HS+relay colocation and a couple of other cases.)

On Wed Dec 17 2014 at 11:12:01 AM Sebastian Hahn <sebastian at torproject.org>
wrote:

> Hi there,
>
> On 14 Dec 2014, at 20:06, Vlad Tsyrklevich <vlad at tsyrklevich.net> wrote:
> > I'm not against keeping some around, but this warning is unlikely to
> turn around the thousands that currently match this
> configuration--hopefully it'll just encourage future bridge operators to
> use a 'safer' configuration. The obfs4proxy README shows users how to
> set-up obfs4 running over port 443 which is probably the most desirable
> option: those users can evade network restrictions without enabling
> discovery by scanning.
>
> I really dislike warnings unless we absolutely need to have
> them, and this imo is in the category of "change the default,
> update the docs", especially because just changing the port
> is not a real solution in my book.
>
> Cheers
> Sebastian