Hi,
So I had a thought. It seems like a lot of the relays run off of various port numbers (of course). However, if all of the relays and bridges are running off of various port numbers (i.e. 9001, 10000, etc.), couldn't this stop censored users (whose ISP or local firewall only allows certain ports like 80 and 443) from being able to connect to the Tor network even when using bridges, due to the bridge or guard relay being run on a port number that is blocked by the ISP or local firewall?
Just a thought.
On 21.06.2018 21:48, Keifer Bly wrote:
Sure, just like for guard relays, for bridges it makes sense to configure ORPort to be 443 or 80, to be reachable from behind messy firewalls.
martin
This is the reasoning I go with for using 443/80.
On Fri, Jun 22, 2018 at 8:11 AM Martin Kepplinger martink@posteo.de wrote:
On 21.06.2018 21:48, Keifer Bly wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Yes, but are all guard and bridge relays configured like this?
Maybe this should be a requirement for running a guard or bridge relay for this reason.
What does everyone think?
From: Matthew Glennon
Sent: Friday, June 22, 2018 5:18 AM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Prepping bridges for censorship
No - and I don't think a standard port should be chosen. Tor comes with defaults and that's probably good enough. Keep them if you want, or customize them to fit your situation - the consensus has no problem adjusting to your custom port numbers. On the contrary, allowing a bad actor to know (for sure) what port a Bridge is using is bad news for the security of the network as a whole. It's a much better idea to let the Bridge Operator adjust the port number to their situation since they have to advertise the port to their subscribers externally anyway. For Guards, it doesn't really matter since the IP/Port pair is listed in the consensus. If a network operator really wants to attempt to block all of the Tor Guards, they could parse a list of Guard IP:Port pairs no matter what port you choose to use (this is where Bridges come in handy).
Using 443/80 really doesn't matter if you intend to run a Middle - since tor <-> tor shouldn't be a problem. There's no real downside to using 443/80 on a Guard; you may very well be available to more clients as a result of using it.
On Fri, Jun 22, 2018 at 3:43 PM Keifer Bly keifer.bly@gmail.com wrote:
--
Matthew Glennon
matthew@glennon.online
PGP Signing Available Upon Request https://keybase.io/crazysane
Hi,
(This thread has a lot of top-posting, so I cut the context.)
On 23 Jun 2018, at 06:54, Matthew Glennon matthew@glennon.online wrote:
No - and I don't think a standard port should be chosen. Tor comes with defaults and that's probably good enough. Keep them if you want, or customize them to fit your situation - the consensus has no problem adjusting to your custom port numbers. On the contrary, allowing a bad actor to know (for sure) what port a Bridge is using is bad news for the security of the network as a whole. It's a much better idea to let the Bridge Operator adjust the port number to their situation since they have to advertise the port to their subscribers externally anyway. For Guards, it doesn't really matter since the IP/Port pair is listed in the consensus.
Last time I checked:
About 40% of relays were on 9001/9030 (the defaults)
About 40% of relays were on 80/443 (the HTTP ports)
The rest were on other ports
Using 443/80 really doesn't matter if you intend to run a Middle - since tor <-> tor shouldn't be a problem. There's no real downside to using 443/80 on a Guard; you may very well be available to more clients as a result of using it.
Using 80/443 on a guard makes some middleboxes think they can modify your traffic. Instead, the modification breaks Tor's security guarantees, so Tor clients can't connect.
Having a range of ports for guards is good for the network and good for clients. The same arguments apply to bridges.
T
Yes, that's a good point. I just thought, on observing that, that it might be too easy for a censoring ISP to block Tor just by blocking the ports the relays usually listen on, or to identify Tor easily by port number even when using obfuscated bridges. Good point though, thanks.
Sent from my iPhone
On Jun 22, 2018, at 4:40 PM, teor teor2345@gmail.com wrote: