[tor-talk] Newbie with a bunch of questions for Tor Cloud

Soul Plane soulplane11 at gmail.com
Thu Mar 20 03:32:09 UTC 2014

On Wed, Mar 19, 2014 at 6:01 PM, Runa A. Sandvik <runa.sandvik at gmail.com> wrote:

> On Wed, Mar 19, 2014 at 9:05 PM, Soul Plane <soulplane11 at gmail.com> wrote:
> > More questions:
> >
> > Why is the only region available for the Tor images us-east virginia? I
> > thought I could use the free tier in other places. Wouldn't it be better to
> > vary the regions instead of sticking them all in one place?
> We initially had images in all regions, but due to a bug/issue (see
> https://trac.torproject.org/projects/tor/ticket/10318) I decided to
> temporarily remove all images except the ones in us-east-1. The goal
> is to bring back images for the other regions at some point.

Thanks, I read the bug and the AWS thread and it looks like there is
something wrong with the image copy process. If I wanted to set up in a
location other than Virginia would I be able to use your build script to do
that or would I run into the same image copy problem? Also I noticed in
ec2-prep.sh you have:
curl -m 5
That address is invalid, what is the reservation id for?

> > I read in Tor Weekly News today that the obfs3 protocol is vulnerable to
> > active probing attacks and there is a replacement ScrambleSuit. If I set up
> > the AWS Obfsproxy image now does that mean the Chinese can detect it and
> > block it? Is that image obfs2 or 3 or both? Should I just wait until
> > ScrambleSuit is supported, or can I modify the config file to only use
> > ScrambleSuit, or is that not a good idea at this point? I don't want to run
> > something that nobody is going to be able to use because governments can
> > just detect it and block it.
> The current image is a "standard" bridge, an obfs2 bridge, and an
> obfs3 bridge. ScrambleSuit is not included. If you create an SSH key
> when setting up the instance, you can log on and change whatever you
> want. The Great Firewall of China blocks "standard" bridges and obfs2,
> but I believe it has yet to block obfs3.

Ok so after I do a build if I want scramblesuit I change this line:
ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed
to this:
ServerTransportPlugin scramblesuit exec /usr/bin/obfsproxy --managed

According to this here I need to update obfsproxy first? Is that relevant

> > Is Tor obfuscation specifically more likely to come under attack from
> > repressive governments?
> More likely than what?

Than regular Tor bridges. Are obfs3 bridges special bridges that users in
repressive countries are more likely to use because other bridges are
blocked? Maybe I don't understand.

> > How is security handled? For example suppose there's a known vulnerability
> > in Tor or Ubuntu does the server shut down until it's fixed and an update
> > is available or does the server stay up and risk being hacked? Is there any
> > notification sent to the AWS administrator in these cases? I would imagine
> > even a small window is gold for some state run group to break in.
> The server stays up and checks for regular package updates from
> Ubuntu. If someone were to break in, they would not learn anything
> more than if they had set up a bridge themselves.

Ok. Let's say there was a security vulnerability being exploited in Tor
bridges. Is there any warning from Tor staff? Like when there is one in
Flash or Microsoft etc I will get a CERT or a security advisory saying "xxx
is being actively exploited", view such and such a page for more
information. In those cases I will just turn off flash or run the fix it.

> > How can I determine the integrity of the server and do I have any
> > responsibility to do that? Do you guys who are running these instances in
> > the Tor Cloud just set it and forget it or is there some oversight required?
> The Ubuntu image the Tor Cloud image is based off of is verified when
> the image is built. The Tor package is verified as it is installed
> (which happens within the first five minutes you boot the server for
> the very first time).

Thanks I took a look at the script.

> > I would take an active role in securing the instance if necessary but I
> > need to know what to do. What do you guys do?
> The image has been configured to automatically check for package
> updates. In addition, it is recommended that you only open certain
> ports in the firewall (22 for SSH, plus 443, 40872 and 52176 for Tor).

Is there any obfuscation benefit to using random ports, like changing
40872 to 1234, etc.?

