[tor-project] Turning on timing obfuscation (iat-mode=1) for some default bridges

David Fifield david at bamsoftware.com
Wed Nov 30 00:42:28 UTC 2016

On Mon, Nov 14, 2016 at 04:56:03PM -0800, David Fifield wrote:
> I propose that we turn on obfs4's optional packet size and timing
> obfuscation on some of the default Tor Browser bridges.
> The packet size and timing obfuscation can be off (iat-mode=0) or on
> (iat-mode=1). Currently, all of the default bridges, and probably ≈100%
> of BridgeDB bridges, have it turned off (iat-mode=0).
> So I'm thinking it's a good idea to turn on iat-mode=1 on, say, 20% of
> the default bridges. That'll also be a good hedge against potential
> future blocking, as we can see if the bridges that use size and timing
> obfuscation are more resistant. It is safe for the server to turn on
> iat-mode=1 while the client still has iat-mode=0; the obfuscation will
> only apply in one direction but the connection will still work.

I'm aware of three bridges that changed their iat-mode setting. I opened
https://bugs.torproject.org/20837 to make the matching change in the
client settings.

These are the changes that are in the patch:
	ndnop3 → iat-mode=1
	ndnop5 → iat-mode=2
	Lisbeth → iat-mode=1

If anyone else changed the setting but didn't tell me, tell me now so I
can add it to the patch. If you didn't change anything, you don't need
to change anything; 3 out of 19 default bridges is probably enough for

By the way, we got a report that iat-mode=1 and iat-mode=2 both worked
to get through a particular firewall (and neither worked against another
particular firewall).
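
Added example, not part of the original message and not code from Tor or obfs4: a small check that compares the iat-mode in client bridge lines against the setting each bridge operator reports, which is the kind of mismatch the client-side patch is meant to resolve. The bridge addresses, fingerprints, certs and the function names are constructed placeholders, and treating a missing iat-mode as a finding is this script's own choice.

```python
import re

# Constructed sample data: documentation-range IPs, dummy fingerprints and
# placeholder certs. None of these are real bridges.
FPS = [c * 40 for c in "ABCD"]
CLIENT_LINES = [
    f"obfs4 192.0.2.10:443 {FPS[0]} cert=PLACEHOLDER iat-mode=0",
    f"obfs4 192.0.2.11:443 {FPS[1]} cert=PLACEHOLDER iat-mode=0",
    f"obfs4 192.0.2.12:443 {FPS[2]} cert=PLACEHOLDER iat-mode=2",
    f"obfs4 192.0.2.13:443 {FPS[3]} cert=PLACEHOLDER",
]
# iat-mode each operator reports having set on the server (constructed).
SERVER_MODES = {FPS[0]: 0, FPS[1]: 1, FPS[2]: 2, FPS[3]: 0}

LINE_RE = re.compile(
    r"^(?:Bridge\s+)?obfs4\s+(\S+)\s+([0-9A-Fa-f]{40})((?:\s+[^\s=]+=\S*)*)$")

def parse_bridge_line(line):
    """Return (address, fingerprint, iat_mode); iat_mode is None if absent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an obfs4 bridge line: {line!r}")
    args = dict(kv.split("=", 1) for kv in m.group(3).split())
    mode = args.get("iat-mode")
    if mode is not None and mode not in ("0", "1", "2"):
        raise ValueError(f"unexpected iat-mode {mode!r}")
    return m.group(1), m.group(2).upper(), None if mode is None else int(mode)

def audit(client_lines, server_modes):
    """Compare each client line's iat-mode with the server-side setting."""
    findings = []
    for line in client_lines:
        addr, fp, client_mode = parse_bridge_line(line)
        server_mode = server_modes.get(fp)
        if server_mode is None:
            status = "server-unknown"
        elif client_mode is None:
            status = "client-missing"
        elif client_mode == server_mode:
            status = "match"
        else:
            # Still connects; obfuscation is not applied in both directions.
            status = "mismatch"
        findings.append((addr, client_mode, server_mode, status))
    return findings

if __name__ == "__main__":
    for finding in audit(CLIENT_LINES, SERVER_MODES):
        print(*finding)
```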
