[tor-dev] Email Bridge Distributor Interactive Commands

Lunar lunar at torproject.org
Mon Jul 28 08:17:42 UTC 2014

Matthew Finkel:
> I agree, and I think it's safe to assume that some nation-state
> adversaries do not have these capabilities yet. Users should choose
> obfs3 over obfs2, but if a user has a reason for requesting obfs2 then
> I don't think we should deny them.

But aren't “we” the expert on the topic? Which reasons do you think a user
might have to choose obfs2 over obfs3? Isn't it in an attacker interest
to trick users into using obfs2?

Should all HTTPS websites allow DES because users might have a
reason to request it? Should OTR clients continue to support OTRv1
because users might a have a reason to request it [1]?

Sorry, but as a fail to see good reasons, I just don't get the logic.

For the Tor Browser, we stop even distributing the binaries as soon as a
new version is out because we know the previous one to be insecure. Why
should a broken protocol still be advertised? Why should addresses of
insecure bridge still be distributed when we can just avoid them?

What do users get out of retrieving obfs2 bridge addresses that they
can't get when retrieving obfs3?

What does the Tor Project get when misleading users?

  [1]: https://bugs.debian.org/725779

Lunar                                             <lunar at torproject.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140728/90026bd4/attachment.sig>

More information about the tor-dev mailing list