[tor-talk] How do the OBFS4 "built-in" Bridges work?

Jacki M jackiam2003 at yahoo.com
Mon Apr 30 07:33:55 UTC 2018


The service The latest TorBrowser alpha uses to connect to obtain the bridges “BridgesDB" has been down for a while, so I can not test this. It should be up and running before the stable is ready. 

> On Apr 29, 2018, at 9:21 PM, Nathaniel Suchy (Lunorian) <me at lunorian.is> wrote:
> 
> So the concerns I brought up are already addressed in an upcoming update?
> 
> Cheers,
> Nathaniel
> 
> Jacki M:
>> Torbrowser 8a3 added moat which I’m actually fetches new bridges, without requiring you to go to bridges.torproject.org.
>> 
>> Bug 23136: Moat integration (fetch bridges for the user)
>> Download the latest alpha https://dist.torproject.org/torbrowser/8.0a6/
>> Remember this is an alpha and should only be used for testing purposes, moat should be included in the next major stable.
>> Sent from my iPad
>> 
>>> On Apr 29, 2018, at 12:41 PM, Nathaniel Suchy (Lunorian) <me at lunorian.is> wrote:
>>> 
>>> Thank you for clarifying that. The obfs4 bridges you can get at
>>> bridges.torproject.org also pose an interesting risk, the ports each
>>> Bridge IP Address is using seem to be non-standard, I'm in the US and
>>> most networks I am at do not censor although sometimes certain ports at
>>> public wifi networks are blocked, could a threat actor threatening you
>>> or tor users in general realize an IP Address was a Tor Bridge by
>>> identifying a large amount of traffic to a non-standard port on random
>>> datacenter IP Addresses?
>>> 
>>> You can tell Tor Browser your Firewall only allows connections to
>>> certain ports which I assume when used with bridges would help further
>>> hide the fact you are using Tor.
>>> 
>>> The fact I email here obviously shows I am a Tor user, although I'd like
>>> more technical measures built into Tor Browser to obfuscate the times I
>>> am using Tor.
>>> 
>>> Cheers,
>>> Nathaniel Suchy
>>> 
>>>>> On 4/29/18 2:36 PM, Matthew Finkel wrote:
>>>>> On Sun, Apr 29, 2018 at 02:06:49PM -0400, Nathaniel Suchy (Lunorian) wrote:
>>>>> I see that Tor Browser, for users who are censored in their country,
>>>>> work, or school (or have some other reason to use bridges) has a variety
>>>>> of built in bridges. Once of those are the OBFS4 bridges. My first
>>>>> thought would be these are hard coded, of course giving everyone the
>>>>> same set of bridges is bad right?
>>>> 
>>>> Currently this is how it works, yes. It is not ideal, and there is
>>>> on-going development work for rolling out a more scalable method.
>>>> 
>>>>> Then a bad actor could download Tor
>>>>> Browser, get the list, and null route the IPs on their network(s). Also
>>>>> these bridges could get quite crowded. Are the bridges being used to
>>>>> fetch other bridges, or something else? How does Tor Browser handle
>>>>> these risks / technical issues?
>>>> 
>>>> Indeed "Bad actors" could block the bridges hard-coded in Tor Browser.
>>>> It is also true many of those default bridges are overloaded.
>>> 
>>> -- 
>>> tor-talk mailing list - tor-talk at lists.torproject.org
>>> To unsubscribe or change other settings go to
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk



More information about the tor-talk mailing list