On Wed, May 06, 2015 at 04:36:48AM +0000, isis wrote:
> But just to be clear — since it sounds like you've asked for several new things in that last paragraph :) — which do you want:
>
> 1. Tor Browser users use meek to get to BridgeDB, to get non-meek bridges by:
>    1.a. Retrieving and solving a CAPTCHA inside Tor Launcher.
>    1.b. Solving a CAPTCHA on a BridgeDB web page.
>
> 2. Tor Browser users use BridgeDB's domain front, to get non-meek bridges by:
>    2.a. Retrieving and solving a CAPTCHA inside Tor Launcher.
>    2.b. Solving a CAPTCHA on a BridgeDB web page.
>
> If you want #2, then we're essentially transferring the domain-fronting costs (and the DDoS risks) from meek to BridgeDB, and we'd need to decide who is going to maintain that service, and who is going to pay for it. Could The Tor Project fund BridgeDB domain fronting?
You still have the DoS risk, but in normal usage the costs will be way way less because you're only paying for bootstrapping and not for GNU/Linux ISO downloads or whatever it is people do with Tor. Bandwidth costs across all CDNs are between $0.10 and $0.20 per GB. To reach even one GB would take a million 1K bootstraps.
> As far as maintenance goes, the threat to any of our domain fronts, including meek and any BridgeDB domain fronts, from China's Great Cannon waging economic counter-counter-warfare by attacking us (like they did to GreatFire.org) is something which must be taken into account. Will the maintainer of this service need to wake up to emergency, the-request-rate-is-skyrocketing, emails at 4AM to shut the service down? Or do we already have technical measures to detect DDoS and prevent $30,000+/day CDN bills? Further, what happens when #2 is being DDoS-ed? Should we fall back to #1? Should we have both, and some strategy for balancing between the two?
App Engine is nice because you can set a daily cost limit, and the service shuts down after that. It's currently set at $45/day (after we bumped into the previous $40/day limit one day last week :/). It's nice because the maximum damage a DoS can cause (besides shutting down the service) is O(1).
Amazon sucks and they don't have any automatic way to shut down a service. I emailed them and they were very clear about that. The best you can do is set up email alerts at different cost thresholds (which I have done). But that requires someone with credentials to be awake and online when it happens. This is the main reason I want to drop Amazon. (Apart from the billing concerns, Amazon's CDN, technically, is nice and fast and reliable.)
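The two cost-control models compared above (a hard daily cap that stops serving, versus alerts at spend thresholds that only notify), as an added Python example that is not code from the thread, meek or BridgeDB. `FrontBudget`, `bootstrap_cost_usd`, the use of decimal gigabytes, and the sample prices and thresholds are my assumptions, chosen to match the figures quoted in the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GB = 10 ** 9  # assumption: decimal GB, as in the "million 1K bootstraps" arithmetic


def bootstrap_cost_usd(n_clients: int, bytes_per_bootstrap: int, usd_per_gb: float) -> float:
    """Egress cost of n_clients bootstraps through a CDN front at usd_per_gb."""
    return n_clients * bytes_per_bootstrap / GB * usd_per_gb


@dataclass
class FrontBudget:
    """Hypothetical per-day spend tracker for a domain-fronted endpoint.

    daily_cap_usd models the App Engine behaviour (serving stops once the cap
    is reached, so worst-case DoS damage is bounded); alert_thresholds_usd
    models the CloudFront-style alerts, which only notify and never stop serving.
    """
    usd_per_gb: float
    daily_cap_usd: float
    alert_thresholds_usd: Tuple[float, ...] = ()
    bytes_today: int = 0
    day: str = ""
    alerts_fired: List[float] = field(default_factory=list)

    def _roll_day(self, day: str) -> None:
        # Reset counters when the (UTC) billing day changes.
        if day != self.day:
            self.day, self.bytes_today, self.alerts_fired = day, 0, []

    def spent_usd(self) -> float:
        return self.bytes_today / GB * self.usd_per_gb

    def record(self, response_bytes: int, day: Optional[str] = None) -> Tuple[bool, List[float]]:
        """Account one response. Returns (served, newly_crossed_alert_thresholds).

        served is False once the day's spend has reached the hard cap; the
        response that crosses the cap is still served, so overshoot is at most
        one response, not unbounded.
        """
        self._roll_day(day or datetime.now(timezone.utc).strftime("%Y-%m-%d"))
        if self.spent_usd() >= self.daily_cap_usd:
            return False, []
        self.bytes_today += response_bytes
        spent = self.spent_usd()
        new = [t for t in self.alert_thresholds_usd if spent >= t and t not in self.alerts_fired]
        self.alerts_fired.extend(new)
        return True, new
```

With `usd_per_gb=0.20` and `daily_cap_usd=45`, the front refuses further requests after about 225 GB in a day, whereas thresholds alone keep serving (and billing) until someone reads the alert.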