[tor-talk] Newbie with a bunch of questions for Tor Cloud

Runa A. Sandvik runa.sandvik at gmail.com
Wed Mar 19 22:01:32 UTC 2014

On Wed, Mar 19, 2014 at 9:05 PM, Soul Plane <soulplane11 at gmail.com> wrote:
> I would like to set up a Tor bridge in the Amazon cloud. I have read the
> project page at cloud.torproject.org and I think I can do this at little to
> no cost based on what I've read. Amazon just sent me a $50 credit because I
> signed up to AWS but never used it so maybe I can use that to cover any
> overages. Did anyone else get one of those coupons?

I'm glad you're considering contributing to the network!

> More questions:
> Why is the only region available for the Tor images us-east Virginia? I
> thought I could use the free tier in other places. Wouldn't it be better to
> vary the regions instead of sticking them all in one place?

We initially had images in all regions, but due to a bug/issue (see
https://trac.torproject.org/projects/tor/ticket/10318) I decided to
temporarily remove all images except the ones in us-east-1. The goal
is to bring back images for the other regions at some point.

> And also wouldn't it be better to vary the OS and images in case there is a
> vulnerability in one, the rest of the ecosystem using different OSs are ok?

The operating systems would all be Linux based, so I'm not sure this
would make much of a difference.

> I read in Tor Weekly News today that the obfs3 protocol is vulnerable to
> active probing attacks and there is a replacement, ScrambleSuit. If I set up
> the AWS Obfsproxy image now, does that mean the Chinese can detect it and
> block it? Is that image obfs2 or 3 or both? Should I just wait until
> ScrambleSuit is supported, or can I modify the config file to only use
> ScrambleSuit, or is that not a good idea at this point? I don't want to run
> something that nobody is going to be able to use because governments can
> just detect it and block it.

The current image is a "standard" bridge, an obfs2 bridge, and an
obfs3 bridge. ScrambleSuit is not included. If you create an SSH key
when setting up the instance, you can log on and change whatever you
want. The Great Firewall of China blocks "standard" bridges and obfs2,
but I believe it has yet to block obfs3.

> Is Tor obfuscation specifically more likely to come under attack from
> repressive governments?

More likely than what?

> How is security handled? For example, suppose there's a known vulnerability
> in Tor or Ubuntu: does the server shut down until it's fixed and an update
> is available, or does the server stay up and risk being hacked? Is there any
> notification sent to the AWS administrator in these cases? I would imagine
> even a small window is gold for some state-run group to break in.

The server stays up and checks for regular package updates from
Ubuntu. If someone were to break in, they would not learn anything
more than if they had set up a bridge themselves.

> How can I determine the integrity of the server and do I have any
> responsibility to do that? Do you guys who are running these instances in
> the Tor Cloud just set it and forget it or is there some oversight required?

The Ubuntu image the Tor Cloud image is based off of is verified when
the image is built. The Tor package is verified as it is installed
(which happens within the first five minutes you boot the server for
the very first time).

> I would take an active role in securing the instance if necessary but I
> need to know what to do. What do you guys do?

The image has been configured to automatically check for package
updates. In addition, it is recommended that you only open certain
ports in the firewall (22 for SSH, plus 443, 40872 and 52176 for Tor).

Runa A. Sandvik
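
The port list recommended in the message above, turned into a check. This is an added example, not part of the original message and not Tor Cloud's own code. It assumes the firewall is an EC2 security group and that the input is JSON shaped like `aws ec2 describe-security-groups` output; the group id and rules are constructed sample data, and `audit` is a hypothetical helper name.

```python
import json

# Ports listed in the message: 22 for SSH, plus 443, 40872 and 52176 for Tor.
ALLOWED_TCP_PORTS = {22, 443, 40872, 52176}

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 40872, "ToPort": 40880,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}]}
""")


def audit(groups, allowed=ALLOWED_TCP_PORTS):
    """Return (findings, missing).

    findings: (group id, description, sources) for each ingress rule that
    opens anything beyond the allowed TCP ports.
    missing: allowed ports that no rule opens.
    """
    findings, opened = [], set()
    for sg in groups["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if proto == "-1":  # all protocols; the rule carries no port fields
                findings.append((sg["GroupId"], "all protocols and ports", sources))
                opened |= allowed
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if proto != "tcp":
                findings.append((sg["GroupId"], f"{proto} {lo}-{hi} is not in the list", sources))
                continue
            covered = {p for p in allowed if lo <= p <= hi}
            opened |= covered
            extra = (hi - lo + 1) - len(covered)
            if extra:
                findings.append((sg["GroupId"], f"tcp {lo}-{hi} opens {extra} extra port(s)", sources))
    return findings, sorted(allowed - opened)


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the range rule and the UDP rule are reported, and 52176 is listed as missing because no rule opens it.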
