subject:"\[tor\-bugs\] #31252 \[Circumvention\/BridgeDB\]\: Equip BridgeDB with anti\-bot mechanism"

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

2019-08-19 Thread Tor Bug Tracker & Wiki

#31252: Equip BridgeDB with anti-bot mechanism
+-
 Reporter:  phw |  Owner:  phw
 Type:  enhancement | Status:  closed
 Priority:  Medium  |  Milestone:
Component:  Circumvention/BridgeDB  |Version:
 Severity:  Normal  | Resolution:  implemented
 Keywords:  |  Actual Points:  2
Parent ID:  | Points:  4
 Reviewer:  cohosh  |Sponsor:
+-
Changes (by phw):

 * status:  merge_ready => closed
 * resolution:   => implemented
 * actualpoints:   => 2


Comment:

 Merged and deployed.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

2019-08-16 Thread Tor Bug Tracker & Wiki

#31252: Equip BridgeDB with anti-bot mechanism
+-
 Reporter:  phw |  Owner:  phw
 Type:  enhancement | Status:  merge_ready
 Priority:  Medium  |  Milestone:
Component:  Circumvention/BridgeDB  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:  4
 Reviewer:  cohosh  |Sponsor:
+-

Comment (by phw):

 Replying to [comment:2 cohosh]:
 > This looks good to me. Do we need to add this to the
 [https://gitweb.torproject.org/torspec.git/tree/bridgedb-spec.txt
 specification]?
 [[br]]
 We probably should. The spec seems in dire need of an overhaul. I filed
 #31426 for this.
 [[br]]
 > I'm interested in how the decisions on what headers to blacklist will be
 made. Since the files are meant to not be public, is there some process we
 go through to add new things to the blacklist or ensure that we're not
 introducing too many false positives here?
 [[br]]
 Hmm, good question. I suggest that we bring up the overall approach in our
 weekly meeting (i.e., that we start using regular expressions to look for
 bot requests) and coordinate the specific regular expressions among
 ourselves, in private. Does this sound reasonable? Do we have a better
 idea?
 [[br]]
 > The idea of giving out a decoy bridge is very nice. It would be
 interesting to see where/when this bridge gets blocked.
 [[br]]
 Yes, I intend to set up a private bridge for this purpose.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

2019-08-15 Thread Tor Bug Tracker & Wiki

#31252: Equip BridgeDB with anti-bot mechanism
+-
 Reporter:  phw |  Owner:  phw
 Type:  enhancement | Status:  merge_ready
 Priority:  Medium  |  Milestone:
Component:  Circumvention/BridgeDB  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:  4
 Reviewer:  cohosh  |Sponsor:
+-
Changes (by cohosh):

 * status:  needs_review => merge_ready


Comment:

 This looks good to me. Do we need to add this to the
 [https://gitweb.torproject.org/torspec.git/tree/bridgedb-spec.txt
 specification]?

 I'm interested in how the decisions on what headers to blacklist will be
 made. Since the files are meant to not be public, is there some process we
 go through to add new things to the blacklist or ensure that we're not
 introducing too many false positives here?

 The idea of giving out a decoy bridge is very nice. It would be
 interesting to see where/when this bridge gets blocked.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

2019-08-14 Thread Tor Bug Tracker & Wiki

#31252: Equip BridgeDB with anti-bot mechanism
+--
 Reporter:  phw |  Owner:  phw
 Type:  enhancement | Status:  needs_review
 Priority:  Medium  |  Milestone:
Component:  Circumvention/BridgeDB  |Version:
 Severity:  Normal  | Resolution:
 Keywords:  |  Actual Points:
Parent ID:  | Points:  4
 Reviewer:  cohosh  |Sponsor:
+--
Changes (by phw):

 * status:  assigned => needs_review
 * reviewer:   => cohosh


Comment:

 I have an implementation in my
 
[https://github.com/NullHypothesis/bridgedb/commit/a728f5d50886911011cc269522c2dbad2c1b86d8
 feature/31252 branch]. The patch uses two new configuration files, which
 is a bit of a nuisance but we shouldn't be storing blacklisted request
 headers or decoy bridges in bridgedb.conf
 [https://gitweb.torproject.org/user/phw/bridgedb-
 admin.git/tree/etc/bridgedb.conf because the file is public]. Instead, we
 want to keep these configuration options hidden from our adversaries.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

2019-07-25 Thread Tor Bug Tracker & Wiki

#31252: Equip BridgeDB with anti-bot mechanism
+--
 Reporter:  phw |  Owner:  phw
 Type:  enhancement | Status:  assigned
 Priority:  Medium  |  Milestone:
Component:  Circumvention/BridgeDB  |Version:
 Severity:  Normal  |   Keywords:
Actual Points:  |  Parent ID:
   Points:  4   |   Reviewer:
  Sponsor:  |
+--
 BridgeDB sees many bot requests. The ones I've seen cycle over exit relays
 to fetch several bridge types (obfs2 (!), obfs3, obfs4, scramblesuit, and
 vanilla) from BridgeDB's HTTPS interface. Interestingly, they get most
 captchas right.

 We don't know who's operating these bots or what they are doing with their
 bridges but we should make BridgeDB more resistant to these attacks. Let's
 add a mechanism that allows us to configure request headers that BridgeDB
 should ignore, e.g., requests whose user agent contains curl.

 Ideally, instead of BridgeDB responding "bots aren't allowed to get
 bridges," we could serve an empty response, or a decoy bridge whose only
 purpose is to find out what the bot operators are doing with it.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

Re: [tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

[tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism

5 matches

Site Navigation

Mail list logo

Footer information