[tor-project] Turning on timing obfuscation (iat-mode=1) for some default bridges

Linus Nordberg linus at torproject.org
Tue Nov 15 10:33:14 UTC 2016

David Fifield <david at bamsoftware.com> wrote
Mon, 14 Nov 2016 16:56:03 -0800:

> So I'm thinking it's a good idea to turn on iat-mode=1 on, say, 20% of
> the default bridges. That'll also be a good hedge against potential
> future blocking, as we can see if the bridges that use size and timing
> obfuscation are more resistant. It is safe for the server to turn on
> iat-mode=1 while the client still has iat-mode=0; the obfuscation will
> only apply in one direction but the connection will still work.

ndnop3 is now running with iat-mode=1.

Yawning Angel <yawning at schwanenlied.me> wrote
Tue, 15 Nov 2016 01:19:13 +0000:

>> The delay can be up to 10 ms. Why this may be a problem is the sleep
>> happens during thr round trip between client and server. If the
>> round-trip time is greater than the delay, then it is as if there was
>> no delay. Delays happen only once per write (i.e. obfs4 doesn't split
>> up writes to insert delays). So the timing obfuscation may be less
>> effective during the handshake phase than during the steady state,
>> which can have consecutive writes not bound by latency.
> It *can* split writes to insert delays.  See `iat-mode=2`.

ndnop5 is now running with iat-mode=2. I will keep an eye on CPU usage
as I understand this is expensive.

Let me know if you think this is a bad idea.

More information about the tor-project mailing list