[tor-dev] Email Bridge Distributor Interactive Commands

Lunar lunar at torproject.org
Tue Jul 29 09:20:16 UTC 2014


isis:
> Lunar transcribed 2.9K bytes:
> > Matthew Finkel:
> > > I agree, and I think it's safe to assume that some nation-state
> > > adversaries do not have these capabilities yet. Users should choose
> > > obfs3 over obfs2, but if a user has a reason for requesting obfs2 then
> > > I don't think we should deny them.
> > 
> > But aren't “we” the experts on the topic? Which reasons do you think a user
> > might have to choose obfs2 over obfs3? Isn't it in an attacker's interest
> > to trick users into using obfs2?
> > 
> > Should all HTTPS websites allow DES because users might have a
> > reason to request it? Should OTR clients continue to support OTRv1
> > because users might have a reason to request it [1]?
> > 
> > Sorry, but as I fail to see good reasons, I just don't get the logic.
> > 
> > For the Tor Browser, we stop even distributing the binaries as soon as a
> > new version is out because we know the previous one to be insecure. Why
> > should a broken protocol still be advertised? Why should addresses of
> > insecure bridges still be distributed when we can just avoid them?
> > 
> > What do users get out of retrieving obfs2 bridge addresses that they
> > can't get when retrieving obfs3?
> 
> Alice's university sysadmin / corporate IT department / high school
> administration / overly-conservative techie parents block tor, by protocol
> identification after watching Alice's tor handshake with the first hop.  They
> block relays from the public list. Their firewall runs Bro or similar, and
> they're able to detect and block bridges too. [0]
> 
> They see an obfs2 handshake, and they try to connect to the obfs2 IP:port
> using vanilla tor (without any PTs). It doesn't work. It's not their job to
> spend all day trying to figure out what that weird protocol was, and they're
> not savvy enough to realise that the handshake is also fingerprintable.
> 
> That's where obfs2 still works just fine.

But obfs3 will work just as fine. Why continue giving out obfs2 bridges?

-- 
Lunar                                             <lunar at torproject.org>