[tor-dev] Email Bridge Distributor Interactive Commands

isis isis at torproject.org
Wed Jul 30 02:57:10 UTC 2014


Lunar transcribed 3.7K bytes:
> isis:
> > Lunar transcribed 2.9K bytes:
> > > Matthew Finkel:
> > > > I agree, and I think it's safe to assume that some nation-state
> > > > adversaries do not have these capabilities yet. Users should choose
> > > > obfs3 over obfs2, but if a user has a reason for requesting obfs2 then
> > > > I don't think we should deny them.
> > > 
> > > But aren't “we” the expert on the topic? Which reasons do you think a user
> > > might have to choose obfs2 over obfs3? Isn't it in an attacker's interest
> > > to trick users into using obfs2?
> > > 
> > > Should all HTTPS websites allow DES because users might have a
> > > reason to request it? Should OTR clients continue to support OTRv1
> > > because users might have a reason to request it [1]?
> > > 
> > > Sorry, but as I fail to see good reasons, I just don't get the logic.
> > > 
> > > For the Tor Browser, we stop even distributing the binaries as soon as a
> > > new version is out because we know the previous one to be insecure. Why
> > > should a broken protocol still be advertised? Why should addresses of
> > > insecure bridge still be distributed when we can just avoid them?
> > > 
> > > What do users get out of retrieving obfs2 bridge addresses that they
> > > can't get when retrieving obfs3?
> > 
> > Alice's university sysadmin / corporate IT department / highschool
> > administration / overly-conservative techie parents block tor, by protocol
> > identification after watching Alice's tor handshake with the first hop.  They
> > block relays from the public list. Their firewall runs Bro or similar, and
> > they're able to detect and block bridges too. [0]
> > 
> > They see an obfs2 handshake, and they try to connect to the obfs2 IP:port
> > using vanilla tor (without any PTs). It doesn't work. It's not their job to
> > spend all day trying to figure out what that weird protocol was, and they're
> > not savvy enough to realise that the handshake is also fingerprintable.
> > 
> > That's where obfs2 still works just fine.
> 
> But obfs3 will work just as fine. Why continue giving out obfs2 bridges?

Because we have only finite obfs3 bridges. If we had infinite, sure, everyone
should use them. But in the meantime, I still see several uses for obfs2
bridges. Using obfs2, when the obfuscation provided is sufficient for your
situation, allows for more obfs3 bridges to be distributed to people with a
greater need for them.

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt