David Fifield david@bamsoftware.com wrote Mon, 14 Nov 2016 16:56:03 -0800:
So I'm thinking it's a good idea to turn on iat-mode=1 on, say, 20% of the default bridges. That'll also be a good hedge against potential future blocking, as we can see if the bridges that use size and timing obfuscation are more resistant. It is safe for the server to turn on iat-mode=1 while the client still has iat-mode=0; the obfuscation will only apply in one direction but the connection will still work.
ndnop3 is now running with iat-mode=1.
Yawning Angel yawning@schwanenlied.me wrote Tue, 15 Nov 2016 01:19:13 +0000:
The delay can be up to 10 ms. Why this may be a problem is the sleep happens during the round trip between client and server. If the round-trip time is greater than the delay, then it is as if there was no delay. Delays happen only once per write (i.e. obfs4 doesn't split up writes to insert delays). So the timing obfuscation may be less effective during the handshake phase than during the steady state, which can have consecutive writes not bound by latency.
It *can* split writes to insert delays. See `iat-mode=2`.
ndnop5 is now running with iat-mode=2. I will keep an eye on CPU usage as I understand this is expensive.
Let me know if you think this is a bad idea.