Hi there.
I was thinking, what could be the ways Russian authorities could get bridges to block. One of the obvious ways to do this is to grab bridges from Moat/HTTPS, but since that would require solving a captcha, this would indicate its strength is insufficient, or they are able to crowdsource/mass solve somehow.
The other thought is an attack via email. Can we do something with it, what do you think? -- Best regards, Space Oddity.
Quoting Space Oddity via tor-relays (2021-12-16 11:35:10)
> I was thinking, what could be the ways Russian authorities could get bridges to block. One of the obvious ways to do this is to grab bridges from Moat/HTTPS, but since that would require solving a captcha, this would indicate its strength is insufficient, or they are able to crowdsource/mass solve somehow.
Captchas are a hard balance between usability and hard to break. I'm happy to hear ideas on how to do captchas better without sharing data of the users to third parties or making it way harder for people that solve them.
There are many services that you pay to solve captchas they could be using, captchas don't seem to be a great protection and we are working on finding other options.
> The other thought is an attack via email. Can we do something with it, what do you think?
What do you mean about attack via email?
I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques. Respectfully,
Gary— This Message Originated by the Sun. iBigBlue 63W Solar Array (~12 Hour Charge) + 2 x Charmast 26800mAh Power Banks = iPhone XS Max 512GB (~2 Weeks Charged)
On Dec 22, 2021, at 22:42, Gary C. New via tor-relays tor-relays@lists.torproject.org wrote:
> Perhaps Directory Authorities could perform fingerprint to address resolution?
I'm not familiar with how I2P does this, but wouldn't this just shift blocking targets from the relatively large pool of bridges and relays to a much smaller and easier-to-block list of directory authorities?
On Thursday, December 23, 2021 7:42:09 AM CET Gary C. New via tor-relays wrote:
> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.
The idea sounds good at first. Fingerprint and Cert from bridges are already issued by the BridgeDB. But: I2P is nearly the same as Tor Hidden Services. Tor-Browser to bridge is a p2p connection and therefore no problem to see the IP anyway.
On 2021-12-22 22:42, Gary C. New via tor-relays wrote:
> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.
The thing is, while Tor itself is decentralized, the directory authorities and fallback directories are not.
For a Tor client to bootstrap, you need a list of relays to be able to connect to. And in turn you have to contact the dirauths or the fallbacks.
While you could use an I2P-style or more recently blockchain-style setup, I believe there was a reason for Tor to use centralized dirauths.
I can't seem to find the article/FAQ right now, even though I had it a few years ago. I'm guessing it's to prevent malicious dirauths, unlike how Bitcoin could get manipulated by bad actors with a decentralized authority system.
> Respectfully,
> Gary
-Neel
Neel, I get the security vs usability considerations between centralized vs decentralized (or in the case of Tor semi-decentralized) networks. However, at a minimum, doesn't it make sense to exclude publishing address information from Tor metrics, etc., so as to stop giving censorship organizations a free handout? Force them to invest resources to set up distributed Tor relays to glean addresses asynchronously in the wild. As it stands, all they have to do is write a simple bot to extract the synchronously published data on a daily basis. It seems to be an inherent obstacle in design attempting to anonymize a sub-network within an established known super-network. Thank you for your response. Respectfully,
Gary— This Message Originated by the Sun. iBigBlue 63W Solar Array (~12 Hour Charge) + 2 x Charmast 26800mAh Power Banks = iPhone XS Max 512GB (~2 Weeks Charged)
On Thursday, December 23, 2021, 10:14:05 PM PST, Neel Chauhan neel@neelc.org wrote:
> On 2021-12-22 22:42, Gary C. New via tor-relays wrote:
>> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.
> The thing is, while Tor itself is decentralized, the directory authorities and fallback directories are not.
> For a Tor client to bootstrap, you need a list of relays to be able to connect to. And in turn you have to contact the dirauths or the fallbacks.
> While you could use an I2P-style or more recently blockchain-style setup, I believe there was a reason for Tor to use centralized dirauths.
> I can't seem to find the article/FAQ right now, even though I had it a few years ago. I'm guessing it's to prevent malicious dirauths, unlike how Bitcoin could get manipulated by bad actors with a decentralized authority system.
>> Respectfully,
>> Gary
> -Neel
On 2021-12-22 23:42, Gary C. New via tor-relays wrote:
> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.
I guess I'm not sure how this would work, for me as a user, when I launch tor browser? How do I obtain a bridge or an initial relay?
And as a trivially simple example, what stops an organization with government level resources from offering $10-$100 (in appropriate currency) to any citizen that adds a newly discovered bridge to their list?
Regarding:
> And as a trivially simple example, what stops an organization with government level resources from offering $10-$100 (in appropriate currency) to any citizen that adds a newly discovered bridge to their list?
=> It's basically an arms race. If bridges get burned fast, we can re-deploy them fast. I don't have many bridges and they are still used well, but if they were getting flagged fast I'd have no problem to deploy a double-digit number of bridges and change all of their public IPs automatically weekly, daily, hourly or at whatever frequency is needed.
You can automatically deploy stuff like that quite easily with any large Cloud provider - preferably with multiple at the same time. They'd need to block entire IP ranges (hitting a significant portion of the internet) or keep fighting our automation with a lot of manual effort. Not sure who would be interested to play this game for an extended period of time. Even government level of funding has to show some kind of effect or the campaign will get shut down sooner or later.
Dec 27, 2021, 04:42 by dw@thedave.ca:
> On 2021-12-22 23:42, Gary C. New via tor-relays wrote:
>> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.
> I guess I'm not sure how this would work, for me as a user, when I launch tor browser? How do I obtain a bridge or an initial relay?
> And as a trivially simple example, what stops an organization with government level resources from offering $10-$100 (in appropriate currency) to any citizen that adds a newly discovered bridge to their list?
Dave, After corresponding with Neel and reviewing I2P's obfuscating techniques in more detail, it does appear that I2P is blockchaining the fingerprint-to-host database to all garlic routers. What is not clear is whether said database is encrypted and secured from operators and only accessible by the garlic routers themselves? My thoughts are... What if the Tor Network distributed encrypted fingerprint-to-host databases to browsers/bridges/relays during the bootstrap process, with Directory Authorities, that operators did not have access? Such a process could be further segmented, so only a fraction of the browser/bridge/relay population would have a portion of the fingerprint-to-host database at any given time. While you are correct in surmising that such obfuscation techniques still wouldn't prevent organizations, with adequate resources, from eventually discovering browser/bridge/relay addresses, over the wire, it might slow their blacklisting/censorship efforts and provide browsers/bridges/relays with a longer shelf-life. These thoughts are predicated on the Tor Network satisfying questions of security vs usability and opportunity vs cost. I hope this sheds some light on my previous comment. Respectfully,
Gary "It seems to be an inherent obstacle in design attempting to anonymize a sub-network within an established known super-network." –Gary C. New
On Monday, December 27, 2021, 7:03:34 AM MST, Dave Warren dw@thedave.ca wrote:
> On 2021-12-22 23:42, Gary C. New via tor-relays wrote:
>> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.
> I guess I'm not sure how this would work, for me as a user, when I launch tor browser? How do I obtain a bridge or an initial relay?
> And as a trivially simple example, what stops an organization with government level resources from offering $10-$100 (in appropriate currency) to any citizen that adds a newly discovered bridge to their list?
On Thursday, December 16, 2021 12:43:09 PM CET meskio wrote:
>> The other thought is an attack via email. Can we do something with it, what do you think?
> What do you mean about attack via email?
Actually, we shouldn't be giving any tips to the Chinese or Russian governments. But they are already familiar with this:
You write 1000 emails from 1000 different accounts to get a few thousand bridge addresses ;-)
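Added illustration, not part of the thread and not BridgeDB's code: a simplified model of an identity-keyed bridge distributor, showing why keying answers to the requester's address limits a single account to `k` bridges, why many accounts still add up as described above, and how holding back part of the pool caps what one channel can leak. The secret, bridge labels, addresses and the `share` parameter are constructed assumptions.

```python
import hashlib
import hmac

def handout(secret: bytes, identity: str, period: int, pool: list, k: int) -> list:
    """Pick k bridges from a ring; the same identity in the same period
    always gets the same answer, so re-asking reveals nothing new."""
    mac = hmac.new(secret, f"{period}|{identity}".encode(), hashlib.sha256).digest()
    start = int.from_bytes(mac[:8], "big") % len(pool)
    return [pool[(start + i) % len(pool)] for i in range(k)]

def exposed_fraction(secret, identities, period, pool, k, share=1.0):
    """Fraction of the whole pool learned by whoever controls `identities`.
    `share` (assumed knob) is the part of the pool this channel may hand out."""
    visible = pool[: max(k, int(len(pool) * share))]
    seen = set()
    for identity in identities:
        seen.update(handout(secret, identity, period, visible, k))
    return len(seen) / len(pool)

# Constructed sample data: labels instead of real bridge lines or addresses.
SECRET = b"constructed-distributor-key"
POOL = [f"bridge-{i:04d}" for i in range(2000)]
ACCOUNTS = [f"user{i}@example.org" for i in range(1000)]

if __name__ == "__main__":
    for label, ids, share in [
        ("1 account, 1000 requests", ["user0@example.org"] * 1000, 1.0),
        ("1000 accounts, whole pool", ACCOUNTS, 1.0),
        ("1000 accounts, 25% of pool", ACCOUNTS, 0.25),
    ]:
        frac = exposed_fraction(SECRET, ids, period=0, pool=POOL, k=3, share=share)
        print(f"{label:28s} -> {frac:.1%} of all bridges exposed")
```

The model makes the cost asymmetry measurable: per-identity limits only help as far as identities are expensive to obtain, while the `share` cap bounds the loss from one channel regardless of how many identities are used.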