In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
On 9 Mar 2017, at 22:24, David Fifield david@bamsoftware.com wrote:
In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
Team Cymru and Mozilla recently asked how they could help out. (Cymru hosts a directory authority, I don't know whether either run exits.)
John Ricketts volunteered, but he runs (about 6% of) exits.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
On Thu, Mar 09, 2017 at 10:27:33PM +1100, teor wrote:
On 9 Mar 2017, at 22:24, David Fifield david@bamsoftware.com wrote:
In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
Team Cymru and Mozilla recently asked how they could help out.
If you know who it was at those organizations, can you have them contact me or tbb-dev@lists.torproject.org? We can get them the information they need to get bridges running and get them integrated into the browser.
Hi Sina, Tom,
Can Team Cymru or Mozilla help out by running obfs4 bridges?
If so, David would love to hear from you.
On 9 Mar 2017, at 22:33, David Fifield david@bamsoftware.com wrote:
On Thu, Mar 09, 2017 at 10:27:33PM +1100, teor wrote:
On 9 Mar 2017, at 22:24, David Fifield david@bamsoftware.com wrote:
In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
Team Cymru and Mozilla recently asked how they could help out.
If you know who it was at those organizations, can you have them contact me or tbb-dev@lists.torproject.org? We can get them the information they need to get bridges running and get them integrated into the browser.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
On 9 March 2017 at 05:42, teor teor2345@gmail.com wrote:
Hi Sina, Tom,
Can Team Cymru or Mozilla help out by running obfs4 bridges?
If so, David would love to hear from you.
Yes, I will start a thread.
-tom
Hi Tom and Team,
Yes definitely, I will follow up tomorrow and update this thread.
All the best, Sina
"Be the change that you wish to see in the world." - Mahatma Gandhi
----- On Mar 9, 2017, at 3:42 AM, teor teor2345@gmail.com wrote:
Hi Sina, Tom,
Can Team Cymru or Mozilla help out by running obfs4 bridges?
If so, David would love to hear from you.
On 9 Mar 2017, at 22:33, David Fifield david@bamsoftware.com wrote:
On Thu, Mar 09, 2017 at 10:27:33PM +1100, teor wrote:
On 9 Mar 2017, at 22:24, David Fifield david@bamsoftware.com wrote:
In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
Team Cymru and Mozilla recently asked how they could help out.
If you know who it was at those organizations, can you have them contact me or tbb-dev@lists.torproject.org? We can get them the information they need to get bridges running and get them integrated into the browser.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
On 03/09/2017 06:24 AM, David Fifield wrote:
In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
I've expressed interest in the past about running default obfs4 bridges and am still willing to do so.
I'd like to hold off actually setting them up till it's close to the time that Tor Browser will integrate them. I hear it's better for the default bridges to not advertise and I'd rather they didn't sit paid for but idle for too long.
You can find me on IRC as pastly.
Matt
On Fri, Mar 10, 2017 at 11:00:37PM -0500, Matt Traudt wrote:
I've expressed interest in the past about running default obfs4 bridges and am still willing to do so.
I'd like to hold off actually setting them up till it's close to the time that Tor Browser will integrate them. I hear it's better for the default bridges to not advertise and I'd rather they didn't sit paid for but idle for too long.
You can find me on IRC as pastly.
Matt says he can get some new bridges running quickly--say, in time for the next release of Tor Browser.
I don't really know Matt apart from on IRC. I think it would be helpful to know whether people are happy to have him as a new default bridge operator.
Hi David,
On Sun, Mar 12, 2017 at 09:11:59PM -0700, David Fifield wrote:
On Fri, Mar 10, 2017 at 11:00:37PM -0500, Matt Traudt wrote:
I've expressed interest in the past about running default obfs4 bridges and am still willing to do so.
I'd like to hold off actually setting them up till it's close to the time that Tor Browser will integrate them. I hear it's better for the default bridges to not advertise and I'd rather they didn't sit paid for but idle for too long.
You can find me on IRC as pastly.
Matt says he can get some new bridges running quickly--say, in time for the next release of Tor Browser.
I don't really know Matt apart from on IRC. I think it would be helpful to know whether people are happy to have him as a new default bridge operator.
I don't know if this will help with decisions, but in case it does: Matt has been working as a contractor at NRL for c. half a year (working mostly on KIST and Shadow). We are hopefully going to hire him as a regular employee as soon as we are able. He also just finished his undergraduate degree at Kansas State under Eugene Vasserman who was Nick Hopper's PhD student and has done various Tor/anonymity research. I endorse him as both capable and dedicated.
aloha, Paul
David Fifield:
On Fri, Mar 10, 2017 at 11:00:37PM -0500, Matt Traudt wrote:
I've expressed interest in the past about running default obfs4 bridges and am still willing to do so.
I'd like to hold off actually setting them up till it's close to the time that Tor Browser will integrate them. I hear it's better for the default bridges to not advertise and I'd rather they didn't sit paid for but idle for too long.
You can find me on IRC as pastly.
Matt says he can get some new bridges running quickly--say, in time for the next release of Tor Browser.
Since Matt also runs exit relays [1], would it make sense to add logic to torbrowser so that *IFF* the user chooses to use default bridges these exits get excluded in that torbrowser's tor instance?
That would also be a possible workaround for isis's ticket about noisebridge bridges? [2]
[1] https://atlas.torproject.org/#details/335746A6DEB684FABDF3FC5835C3898F05C5A5...
    https://atlas.torproject.org/#details/09FA8B4F665AD65D2C2A49870F1AA3BA8811E4...
    https://atlas.torproject.org/#details/95880E08A375C62D570B885554CCCFBCCB3626...
[2] https://trac.torproject.org/projects/tor/ticket/21864
NoiseTor would like to run high-capacity default bridges for Tor Browser, but they are nervous about simultaneously running exits without being able to direct people not to use both.
On Mon, Apr 17, 2017 at 10:00:00AM +0000, nusenu wrote:
David Fifield:
On Fri, Mar 10, 2017 at 11:00:37PM -0500, Matt Traudt wrote:
I've expressed interest in the past about running default obfs4 bridges and am still willing to do so.
I'd like to hold off actually setting them up till it's close to the time that Tor Browser will integrate them. I hear it's better for the default bridges to not advertise and I'd rather they didn't sit paid for but idle for too long.
You can find me on IRC as pastly.
Matt says he can get some new bridges running quickly--say, in time for the next release of Tor Browser.
Since Matt also runs exit relays [1], would it make sense to add logic to torbrowser so that *IFF* the user chooses to use default bridges these exits get excluded in that torbrowser's tor instance?
That would also be a possible workaround for isis's ticket about noisebridge bridges? [2]
Matt contacted me to say he changed his mind about running bridges. So we don't have to worry about that particular case.
On Fri, Mar 10, 2017 at 11:00:37PM -0500, Matt Traudt wrote:
I've expressed interest in the past about running default obfs4 bridges and am still willing to do so.
I'd like to hold off actually setting them up till it's close to the time that Tor Browser will integrate them. I hear it's better for the default bridges to not advertise and I'd rather they didn't sit paid for but idle for too long.
Hi Matt, I think we are ready for the bridges now. Please send me bridge lines when you have them.
The bridge line includes the IP address, port, relay fingerprint, and obfs4 parameters. The fingerprint is in
    <tor datadir>/hashed-fingerprint
and the obfs4 parameters are in
    <tor datadir>/pt_state/obfs4_bridgeline.txt
Example:
    Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=hLMtj0qIlIL1/gz/LrfRsA8wQDKWlz20aMzELFNtCctJvEcd/9vTD4fJP02KcjcTCviuUQ iat-mode=1
On 9 Mar 2017, at 22:24, David Fifield david@bamsoftware.com wrote:
In November 2016 there was a discussion on the tor-team list about adding some new default obfs4 bridges (Subject: Coordinating to run high capacity obfs4 bridges). The thread turned into a discussion about the same entity running both bridges and exits, and didn't go anywhere.
We haven't added any new obfs4 bridges, or changed the port number of any existing bridges, since January 2017 (Tor Browser 6.5 and 7.0a1). I suspect that the 20 existing default bridges are still under high load and we could stand to have some more bridges to help share it. Are we still interested in adding new obfs4 bridges? If so, do we have any leads on who could run them?
Hi Mart, Sacha,
Would GreenHost be interested in running some of the default Tor Browser obfs4 bridges?
If so, please reply to this thread.
(GreenHost already runs the default Tor bridge authority, but since the default Tor Browser bridges don't use the bridge authority, I can't see any technical or trust issues here.)
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
Hello Tim & list,
On 03/12/2017 11:02 PM, teor wrote:
On 9 Mar 2017, at 22:24, David Fifield david@bamsoftware.com wrote:
[cut]
Hi Mart, Sacha,
Would GreenHost be interested in running some of the default Tor Browser obfs4 bridges?
If so, please reply to this thread.
(GreenHost already runs the default Tor bridge authority, but since the default Tor Browser bridges don't use the bridge authority, I can't see any technical or trust issues here.)
Are there any special requirements (hardware/network) for obfs4 bridges and what are the typical resources needed? I think we have sufficient capacity within our infrastructure to support you with this, but would like some details. A quick scan on the Internet didn't reveal anything surprising, but probably you know all better. Also, are there any geographical preferences?
Regards,
Mart
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
On Mon, Mar 13, 2017 at 02:34:39PM +0100, Mart van Santen wrote:
Are there any special requirements (hardware/network) for obfs4 bridges and what are the typical resources needed? I think we have sufficient capacity within our infrastructure to support you with this, but would like some details. A quick scan on the Internet didn't reveal anything surprising, but probably you know all better. Also, are there any geographical preferences?
There are no real requirements for hardware or network, though of course the bigger the better. You should count on about 1.5 cores being consumed by tor and obfs4proxy, so a two-core machine may struggle (bridge operators: does that match your experience?).
Here are some of the existing default bridges; you can see from their bandwidth graphs that they tend to read/write 5–30 MB/s:
    https://atlas.torproject.org/#details/D9C805C955CB124D188C0D44F271E9BE57DE21...
    https://atlas.torproject.org/#details/3E0908F131AC417C48DDD835D78FB6887F4CD1...
    https://atlas.torproject.org/#details/FEC8FB380DABA9D3C80790B634E4540BF5D09C...
    https://atlas.torproject.org/#details/FFD3FAB14109181882D3F25F78A9FE1840D113...
    https://atlas.torproject.org/#details/D3D4A456FCB5F301F092F6A49ED671B84B432F...
As for geographic preferences, I don't know.
On 03/14/2017 03:41 AM, David Fifield wrote:
On Mon, Mar 13, 2017 at 02:34:39PM +0100, Mart van Santen wrote:
Are there any special requirements (hardware/network) for obfs4 bridges and what are the typical resources needed? I think we have sufficient capacity within our infrastructure to support you with this, but would like some details. A quick scan on the Internet didn't reveal anything surprising, but probably you know all better. Also, are there any geographical preferences?
There are no real requirements for hardware or network, though of course the bigger the better. You should count on about 1.5 cores being consumed by tor and obfs4proxy, so a two-core machine may struggle (bridge operators: does that match your experience?).
Here are some of the existing default bridges; you can see from their bandwidth graphs that they tend to read/write 5–30 MB/s:
    https://atlas.torproject.org/#details/D9C805C955CB124D188C0D44F271E9BE57DE21...
    https://atlas.torproject.org/#details/3E0908F131AC417C48DDD835D78FB6887F4CD1...
    https://atlas.torproject.org/#details/FEC8FB380DABA9D3C80790B634E4540BF5D09C...
    https://atlas.torproject.org/#details/FFD3FAB14109181882D3F25F78A9FE1840D113...
    https://atlas.torproject.org/#details/D3D4A456FCB5F301F092F6A49ED671B84B432F...
As for geographic preferences, I don't know.
Hello all,
In that case I do not see any problems to run a few, to a maximum of 4. For example 2 in Europe, and 2 in Asia.
Please let me know if you want us to move forward with this.
Regards,
Mart
On Tue, Mar 14, 2017 at 04:13:13PM +0100, Mart van Santen wrote:
In that case I do not see any problems to run a few, to a maximum of 4. For example 2 in Europe, and 2 in Asia.
Please let me know if you want us to move forward with this.
Yes, I think we're ready for you to move forward. Please send me the bridge lines in private email and I will take care of filing the necessary tickets.
We need a slightly special configuration for the default bridges. The main thing is that the ORPort should be firewalled off, so the bridge stays out of BridgeDB. I think it's worth setting iat-mode=1 for these new bridges, because most of the existing bridges use iat-mode=0.
These are the essential things to have in the torrc configuration file:
    BridgeRelay 1
    ExtORPort auto
    ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
    ServerTransportOptions obfs4 iat-mode=1
Once tor is running, we will need to know the "bridge line" which includes the IP address, port, relay fingerprint, and obfs4 parameters. The fingerprint is in
    <tor datadir>/hashed-fingerprint
and the obfs4 parameters are in
    <tor datadir>/pt_state/obfs4_bridgeline.txt
Example:
    Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=hLMtj0qIlIL1/gz/LrfRsA8wQDKWlz20aMzELFNtCctJvEcd/9vTD4fJP02KcjcTCviuUQ iat-mode=1
On its first run, obfs4 will choose a random high-numbered port to listen on. We've found it is helpful for bridges also to listen on ports 80 and 443, if possible. Unfortunately, the best way to do this is via iptables rules, separate from the Tor configuration:
    https://tor.stackexchange.com/questions/543/how-to-set-up-an-obfs3-bridge-on...
For example:
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port <obfs4 port>
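Added example, not part of the message above or of any Tor Project code: a Python check that a submitted bridge line has the shape described in the message (obfs4 transport, IP:port, 40-hex-digit fingerprint, cert, iat-mode) before it is filed for inclusion. The 52-byte cert length (20-byte node ID plus 32-byte public key) and the iat-mode range 0-2 come from obfs4 itself rather than from this thread; the IP addresses and fingerprint in the sample lines are constructed, and only the cert value is the one quoted in the example above.

```python
import base64
import ipaddress
import re

# Cert value quoted in the thread's example bridge line.
THREAD_CERT = "hLMtj0qIlIL1/gz/LrfRsA8wQDKWlz20aMzELFNtCctJvEcd/9vTD4fJP02KcjcTCviuUQ"
# Constructed fingerprint and documentation-range addresses (not real bridges).
FAKE_FP = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_LINES = [
    f"Bridge obfs4 192.0.2.10:443 {FAKE_FP} cert={THREAD_CERT} iat-mode=1",
    f"obfs4 192.0.2.11:80 {FAKE_FP} cert={THREAD_CERT[:-4]} iat-mode=1",       # cert cut short
    f"Bridge obfs4 192.0.2.12:70000 {FAKE_FP} cert={THREAD_CERT} iat-mode=0",  # port out of range
    f"Bridge obfs4 192.0.2.13:443 {FAKE_FP[:-1]} cert={THREAD_CERT} iat-mode=1",  # 39-digit fingerprint
]


def parse_bridge_line(line):
    """Parse one obfs4 bridge line; raise ValueError naming the first problem."""
    tokens = line.split()
    if tokens[:1] == ["Bridge"]:          # the leading keyword is optional
        tokens = tokens[1:]
    if len(tokens) < 3:
        raise ValueError("expected: obfs4 <ip>:<port> <fingerprint> <options>")
    transport, addrport, fingerprint, *options = tokens
    if transport != "obfs4":
        raise ValueError(f"unexpected transport {transport!r}")
    host, _, port = addrport.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))   # ValueError if not an IP
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", fingerprint):
        raise ValueError("fingerprint is not 40 hex digits")
    args = dict(opt.partition("=")[::2] for opt in options)
    cert = args.get("cert", "")
    # obfs4 strips the base64 padding from the cert; restore it to decode.
    raw = base64.b64decode(cert + "=" * (-len(cert) % 4), validate=True)
    if len(raw) != 52:
        raise ValueError(f"cert decodes to {len(raw)} bytes, expected 52")
    if args.get("iat-mode") not in {"0", "1", "2"}:
        raise ValueError("iat-mode missing or not 0, 1 or 2")
    return {"address": str(ip), "port": int(port),
            "fingerprint": fingerprint.upper(), "iat_mode": int(args["iat-mode"])}


def check_lines(lines):
    """Return one entry per line: None if it parses, else the error text."""
    results = []
    for line in lines:
        try:
            parse_bridge_line(line)
            results.append(None)
        except ValueError as exc:   # binascii.Error is a ValueError subclass
            results.append(str(exc))
    return results


if __name__ == "__main__":
    for line, err in zip(SAMPLE_LINES, check_lines(SAMPLE_LINES)):
        print("OK  " if err is None else "FAIL", line[:40], "->", err)
```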
tor-project@lists.torproject.org