[tor-project] Many bridges (22%) have nickname "ki"

[Yawning Angel]

On Tue, 13 Dec 2016 17:14:49 -0500
Roger Dingledine <arma at mit.edu> wrote:
> I would put my money on "somebody's research project, which aims to
> show how easy it is to do what they're doing." Then they'll tell
> everybody how broken the design is, without coming up with any
> helpful fixes or improvements. So not exactly malicious per se, but
> for sure indirectly harmful.

Now that you drive my thinking along those lines, we should have learned
from past experience and taken aggressive action back in November when
dcf first pointed them out because, it might be researchers from CERT
(or the like) again.

So, I'm more in favor of blacklisting them with extreme prejudice, and
the sooner the better.

> I wonder if there are more systemic solutions we can consider, ranging
> from "just inform people that bridges from bridgedb are dangerous" to
> "we only give out bridges run by vetted people".

The first should happen regardless, because as much as I don't trust my
guard, I trust Bridges less, and so should everyone else (the barrier
to entry being lower would be the primary distinction here).

I have mixed feelings regarding the latter.  While I don't doubt that
it would be effective, the general public being able to contribute
capacity to the network is probably a good thing.

Other ideas:

 1) Impose similar requirements on uptime/stability/bandwidth before we
 give bridges out.  Likely to be unpopular among the "I want to
 contribute to the network from a residential line" crowd, and trivial
 to game.

 2) "Meek/webrtc is the way of the future.".  Which in effect is "we
 only give out bridges run by vetted people".

Regards,

-- 
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20161213/f7f873ae/attachment.sig>