> http://tor.eff.org/svn/trunk/doc/design-paper/blocking.pdf
It seems to me that the most difficult things are 1) to ensure that a user in a blocked country always has access to a bridge, and 2) proving that bridges are useful. 1) It seems a user needs to know at least two working bridges in order to not have their connection permanently disrupted (and require re-bootstrapping). If only one bridge is known, if that bridge moves or goes offline, bootstrapping is required. However, if two bridges are known, the first bridge can be used for an active connection, and the status of the second bridge can be maintained (and confirmed with the bridge authority periodically), so if the active bridge moves, the backup bridge can be used to connect to Tor and use the bridge authority to check the status of the now-inactive or moved bridge. Clearly this only protects against bridge moves, since if the first bridge has gone offline, the user is now left with only one. 2) Determining whether a bridge is "useful" may be impossible without allowing an adversary to enumerate a bridge. Any adversary that blocks a bridge from their jurisdiction can set up a connection through that bridge to make it seem like the bridge is actively being used. There is no easy way for the bridge authority or users to learn that a bridge has been blocked. While users in a given country may know they can't connect to a bridge, they have no easy way to notify the bridge authority. First, the user is not authoritative: we can't trust what a given user says, since that user may be working for the "government" (for arbitrary values of "government") and may be attempting to disable bridges by bad-mouthing (saying they are already blocked). Second, the user needs to have access to the Tor network in the first place to notify the bridge authority that a bridge is blocked. This is perhaps a lesser problem than the first one. I'm not sure this item CAN have a workable solution... Thoughts? Thanks, Eugene -- Eugene Y. Vasserman http://www.cs.umn.edu/~eyv/
