On Sat, Mar 31, 2018 at 07:40:48AM +1100, teor wrote:
> > Which is different from the bridge line I used by hand, i.e. has FINGERPRINT, has cert=? and iat-mode=?. These extra bits made all the difference, but why?
>
> Tor can't connect to an obfs4 bridge without its certificate. The encryption just won't work.
Right. The longer answer is because obfs4 protects against what are called "active probing" attacks: https://www.freehaven.net/anonbib/#foci12-winter where the censor sees a connection that their Deep Packet Inspection (DPI) system can't classify for sure, so they do a follow-up connection talking the protocol they think it might be.
If you connect to an obfs2 bridge from within China, it will trigger an "active probe" followup, which talks obfs2 + tor to the destination, and when the bridge talks obfs2 + tor back, that address gets banned.
For obfs4, the active prober doesn't know the secret "cert" parameter, and without that the obfs4 bridge won't act like an obfs4 bridge, making it hard for the censor to decide for certain that it should be banned.
Hope that helps,
--Roger
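The behaviour described in this message, as an added sketch that is not from the original thread or from the obfs4 code base: a simplified model in which a bridge answers only a first flight carrying a MAC keyed from the `cert=` value, so a prober without the cert gets no protocol response. The MAC construction, the function names and the sample bridge line are assumptions for illustration; the real obfs4 handshake is more involved.

```python
import base64, hashlib, hmac, os

NODE_ID_LEN, PUBKEY_LEN = 20, 32  # cert = base64(node ID || public key), padding stripped

def parse_bridge_line(line):
    """Split '[Bridge] obfs4 IP:PORT FINGERPRINT cert=... iat-mode=N' into parts."""
    fields = line.split()
    if fields and fields[0].lower() == "bridge":
        fields = fields[1:]
    if len(fields) < 2 or fields[0] != "obfs4":
        raise ValueError("not an obfs4 bridge line")
    args = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    fingerprint = next((f for f in fields[2:] if "=" not in f), None)
    return {"addr": fields[1], "fingerprint": fingerprint, "args": args}

def decode_cert(cert):
    """Return (node_id, public_key) from the cert= value."""
    raw = base64.b64decode(cert + "=" * (-len(cert) % 4))
    if len(raw) != NODE_ID_LEN + PUBKEY_LEN:
        raise ValueError("cert must decode to 52 bytes")
    return raw[:NODE_ID_LEN], raw[NODE_ID_LEN:]

def _mark(cert, nonce):
    # Simplified stand-in for the obfs4 handshake MAC: keyed by the cert contents.
    node_id, pubkey = decode_cert(cert)
    return hmac.new(pubkey + node_id, nonce, hashlib.sha256).digest()[:16]

def client_hello(cert):
    """First flight from a client that holds the cert: nonce plus MAC."""
    nonce = os.urandom(32)
    return nonce + _mark(cert, nonce)

def bridge_respond(server_cert, first_flight):
    """Answer authenticated clients only; everything else gets silence (None)."""
    if len(first_flight) != 48:
        return None
    nonce, mark = first_flight[:32], first_flight[32:]
    if not hmac.compare_digest(mark, _mark(server_cert, nonce)):
        return None
    return b"server-handshake"

# Constructed sample values (documentation IP, dummy fingerprint and cert).
CERT = base64.b64encode(bytes(range(52))).decode().rstrip("=")
FULL_LINE = f"obfs4 192.0.2.10:443 {'A' * 40} cert={CERT} iat-mode=0"

if __name__ == "__main__":
    known = parse_bridge_line(FULL_LINE)["args"]["cert"]
    print("client with cert:", bridge_respond(CERT, client_hello(known)))
    print("prober without cert:", bridge_respond(CERT, bytes(48)))
```

A bridge line typed by hand without `cert=` parses with an empty argument set, so the client has nothing to key the first flight with and the bridge never answers it.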