-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 22/03/2014 11:56 AM, James Valleroy wrote:
Thanks for the information. Is it likely that obfs3 and scramblesuit will be usable in the long-term? Or will they need to be deprecated at some point like obfs2?
Also, if obfs3 or scramblesuit were deprecated, but some FreedomBoxes continued to run those transports, what would be the result? Would the worst case be that the bridge is no longer usable by some, as in [0]?
The reason that I'm asking is that FreedomBox is currently working within Debian "testing" but our target is Debian "stable". Once our packaged configuration is frozen for the next stable release, it will be more difficult for us to push changes other than security fixes.
I can't speak to whether more pluggable transports will be deprecated in future, but I'll go out on a limb here and say "probably." The nature of things ensures that the capabilities of censors continue to advance. And as they do, new approaches will be found and deployed to bypass those advancing attempts to block the network.
When bridges were first deployed, the fact that they weren't all openly listed in a public directory made them more difficult to block. Now, most plain bridges are very easy to block. When obfs2 was first deployed, it was a solid protocol (I have no doubt). These days, China is actively hunting down and blocking obfs2. There is very little point to deploying either a plain bridge or an obfs2 pluggable transport these days, especially on a mass scale.
On the plus side, obfs3 is still pretty strong, and it's one of the common pluggable transports right now. Scramblesuit is not live in the official bundles yet (AFAIK), but it just released and has some pretty robust-looking defenses against active probing and other attacks. If you're working on something new to deploy, these should be included, without a doubt. They may indeed be deprecated in future, and in the worst case may become unusable or make the bridge more susceptible to being blocked. But if you go with a plain bridge or obfs2, you're already in your worst-case scenario. You have nothing to lose and everything to gain by enabling the newest pluggable transports.
I would highly recommend adding the Tor package repository to the FreedomBoxes. As explained in [0], this won't always give you the latest version of tor, but it will provide security fixes. My hunch is that it will almost always also be a little fresher than Debian stable. And given that network censors and network developers are always going to be in an escalating arms race, enabling new releases of Tor (and obfsproxy) directly from the project is going to make the FreedomBox much more useful in the long term.
-Lance
[0] https://www.torproject.org/docs/debian