Hi,
tl;dr: if Tails makes it too easy to use Meek bridges, could it overload the current set of Meek bridges?
First some background: during startup Tails can be told to start Tor Launcher so users can e.g. configure any bridges they want. So far we have not provided any pre-configured bridges, i.e. the only option has been to manually enter the bridge information you have obtained yourself.
In Tails' threat model it is assumed that adversaries monitor the default bridges provided by the Tor Browser, and that our users want to avoid detection of that, so we are not interested in adding the default bridges to Tails, but we are interested in adding support for Meek [1] (at least because it's the only PT that works in China), since our understanding is that it adds enough plausible deniability to avoid the above problem. So, in summary, Tails would like to provide two options in its (patched) Tor Launcher, Meek or manually providing the bridge info. [2]
However, we wonder if the combination of not providing the default bridges while making Meek available could overwhelm the Meek bridges; we expect some significant amount of Tails bridge users to select the Meek option over manual entry simply out of convenience.
Let's do some back-of-the-envelope estimations to see what we can expect:
(Assumption: Tor Browser users and Tails users are very similar, e.g. similar ratios want to use each PT, similar requirements for "convenience over security", and so on.)
Looking at your metrics, there are 1000k daily Tor Browser users [3], overall bridge/PT usage is 50k [4], Meek usage is around 10k [5], so 5% of Tor Browser users use bridges/PTs, and 1% use Meek. On the Tails side, we measure around 30k daily users (from update pings).
From what I said above, I don't think we can expect only 1% of the Tails users to pick Meek; I would expect it to be closer to the 1% of Meek users plus the x% of default bridge users, but I couldn't find stats for that in your metrics. Still, we know that it cannot be more than the percentage of all bridge/PT users, so we know that 1% + x% <= 5%. So, let's just assume the worst case, that 5% of Tails users will use Meek, and we have that we expect 5% of 30k = 1.5k additional Meek users.
Also, if we consider places where Meek is the only option, Tails probably has close to zero users there, but once Meek is supported it could grow. I guess China is the only such place (?), so with its 1250 Meek users in China [6] we can expect 1250 * 30k/1000k = 34 new Tails users using Meek. Basically a negligible amount. Even if we consider all Meek users, 10k * 30k/1000k = 300 doesn't change much.
So, all-in-all, we can expect Tails to bring up to 1.5k + 300 = 1.8k new Meek users, but since those are upper-bound estimations it would probably be much lower. Looking at Meek usage over time, it seems to fluctuate way more than that, e.g. during the summer of 2019 it was up to over 25k, i.e. more than three times what it is now. So I guess we don't have to worry about shocking the Meek bridges?
OTOH, a possible side-effect is that this change in Tails increases usage of Meek outside of China. Perhaps whoever pays the bills for the Meek instances doesn't want this?
Please advise! Also, please let us know if there is something else we haven't thought of!
Cheers!
[1] https://redmine.tails.boum.org/code/issues/8243
[2] If you are really interested you can check out our PoC/WIP here: https://nightly.tails.boum.org/build_Tails_ISO_feature-8243-meek/builds/last...
[3] https://metrics.torproject.org/webstats-tb.html
[4] https://metrics.torproject.org/userstats-bridge-transport.html
[5] https://metrics.torproject.org/userstats-bridge-transport.html?transport=!%3...
[6] https://metrics.torproject.org/userstats-bridge-combined.html?start=2019-12-...
anonym:
> In Tails' threat model it is assumed that adversaries monitor the default bridges provided by the Tor Browser, and that our users want to avoid detection of that, so we are not interested in adding the default bridges to Tails
We're not offering the default bridges in Tails also because it's impossible right now to store your bridge configuration in the Persistent Storage.
We're afraid that this would lead to more people relying on the default bridges in Tails than in Tor Browser, where you can configure your custom bridges once and for all.
It's also currently easier to get custom bridges from Tor Browser outside of Tails than inside Tails.
Hi,
On 20/03/2020 15:30, sajolida wrote:
> > In Tails' threat model it is assumed that adversaries monitor the default bridges provided by the Tor Browser, and that our users want to avoid detection of that, so we are not interested in adding the default bridges to Tails
> We're not offering the default bridges in Tails also because it's impossible right now to store your bridge configuration in the Persistent Storage.
Maybe I've overlooked something obvious, but could you use Moat?
https://gitweb.torproject.org/bridgedb.git/tree/README.rst#n391
This would use meek to fetch the bridges, but then you have non-default bridges for the rest of the session. It can be automated as part of the Tor start-up, but you do need to solve a CAPTCHA.
Thanks, Iain.
Iain Learmonth:
> Hi,
> On 20/03/2020 15:30, sajolida wrote:
> > > In Tails' threat model it is assumed that adversaries monitor the default bridges provided by the Tor Browser, and that our users want to avoid detection of that, so we are not interested in adding the default bridges to Tails
> > We're not offering the default bridges in Tails also because it's impossible right now to store your bridge configuration in the Persistent Storage.
> Maybe I've overlooked something obvious, but could you use Moat?
> https://gitweb.torproject.org/bridgedb.git/tree/README.rst#n391
> This would use meek to fetch the bridges, but then you have non-default bridges for the rest of the session. It can be automated as part of the Tor start-up, but you do need to solve a CAPTCHA.
Nothing is preventing us except more work. :) Essentially, Tails only allows the tor process to talk clearnet as part of its Tor enforcement [1], which makes this a bit trickier than in less locked down environments that Tor Launcher is designed to run from. But it indeed looks like also adding Moat support (and making it the default, I think) is the way for us to go, so thanks for the reminder! :)
Cheers!
[1] https://tails.boum.org/contribute/design/Tor_enforcement/
On Fri, Mar 20, 2020 at 11:51:41AM +0100, anonym wrote:
> tl;dr: if Tails makes it too easy to use Meek bridges, could it overload the current set of Meek bridges?
The default meek bridge is already overloaded, unfortunately. Users complain that even though it works, it is too slow. Reports of 20 KB/s are typical. See for example this recent comment from China: https://bugs.torproject.org/33219#comment:9
> ...with the pre integrated meek bridges I just had 20 kb/s, at most 30, sometimes even lower than 20. So it took me over one hour to download the browser.
Here's the bandwidth chart for the default meek bridge btw. I would guess that the bridge is capable of going faster, but it may have a BandwidthRate set to keep costs from getting out of control. https://metrics.torproject.org/rs.html#details/8F4541EEE3F2306B7B9FEF1795EC3...
It's possible to set up a special bridge just for Tails users. It requires setting up a bridge with meek-server (this is the cheap part) and configuring a CDN to point to it (this is the expensive part). But then you can let it run as fast as your budget allows. https://trac.torproject.org/projects/tor/wiki/doc/meek#MicrosoftAzure https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtorunameek-serverb...
David Fifield:
> On Fri, Mar 20, 2020 at 11:51:41AM +0100, anonym wrote:
> > tl;dr: if Tails makes it too easy to use Meek bridges, could it overload the current set of Meek bridges?
> The default meek bridge is already overloaded, unfortunately.
Ack. Tails will then *not* add Meek support until it also provides another equally convenient option, like default bridges (unlikely) and/or Moat, so the situation is the same as in Tor Browser.
> It's possible to set up a special bridge just for Tails users. It requires setting up a bridge with meek-server (this is the cheap part) and configuring a CDN to point to it (this is the expensive part). But then you can let it run as fast as your budget allows.
I doubt we can afford that. At best it could be part of some future grant to make Tails usable in China, or similar.
Cheers!