Re: [tor-dev] Email Bridge Distributor Interactive Commands
isis:
> PS: why are we still shipping obfs2 bridges?!
>
> tl;dr: Because we have them.

The protocol is known to be broken and fingerprintable. That's something we know. Not users. If BridgeDB is giving them out, then it must be that it's ok to use, right?

We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.

-- 
Lunar <lu...@torproject.org>

___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Email Bridge Distributor Interactive Commands
Lunar wrote:
> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.

We should really be reaching out to those running obfs2 nodes and convincing them to move to obfs3 if at all possible.

Related question: are there geographic areas where standard bridges are being blocked, where obfs2 are still usable? If so, maybe in the future it would be possible to restrict distribution of remaining obfs2 bridges to those areas. But on the whole I agree that giving those out is problematic. Unless they comprise a large portion of bridges, maybe it's time to phase them out of bridgeDB (not necessarily TBB).

best,
Griffin

-- 
Wherever truth, love and laughter abide, I am there in spirit.
-Bill Hicks
Re: [tor-dev] Email Bridge Distributor Interactive Commands
Griffin Boyce transcribed 0.8K bytes:
> isis wrote:
>> Do you have a better suggestion for what to call vanilla bridges?
>
> I keep calling them standard bridges (as opposed to fancy, monocle-wearing bridges). People seem to understand immediately that other types of bridges are special somehow if I call regular/vanilla/non-obfs bridges Standard. And then I explain how obfs bridges and flashproxy are used in different circumstances.

Okay, this one works for me. If people are going to continue complaining, this one's in the bucket of possible new names.

>> Also, I vote that we ditch the 'obfs' name from obfs5 and beyond in favor of 'crypto-voltron.' This will also make user education 40% more awesome.
>
> +1 for naming transports after Pokémon. Or the transformerish Voltron cartoon.
>
> As an aside, I'm happy that 'huggable transports' [1] is a thing now :D
>
> best,
> Griffin
>
> [1] https://twitter.com/abditum/status/431665969627672576

-- 
♥Ⓐ isis agora lovecruft
_
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
Re: [tor-dev] Email Bridge Distributor Interactive Commands
Lunar transcribed 2.1K bytes:
> isis:
>> PS: why are we still shipping obfs2 bridges?!
>>
>> tl;dr: Because we have them.
>
> The protocol is known to be broken and fingerprintable. That's something we know. Not users. If BridgeDB is giving them out, then it must be that it's ok to use, right?

It still works to get past many corporate/university firewalls, from what I understand. And the UI clearly says that obfs3 is recommended. It even defaults to giving obfs3 if you ask for transports. You'd have to specifically request obfs2 to get them.

> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.

Obfs3 is also broken, it's just that we haven't yet seen a DPI box do it IRL. If you want me to only hand out the holy grail, I'm never going to hand anything out.

-- 
♥Ⓐ isis agora lovecruft
_
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
Re: [tor-dev] Email Bridge Distributor Interactive Commands
isis:
>> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
>
> Obfs3 is also broken, it's just that we haven't yet seen a DPI box do it IRL.

That's news to me. Any pointers?

-- 
Lunar <lu...@torproject.org>
Re: [tor-dev] Email Bridge Distributor Interactive Commands
On Fri, 25 Jul 2014 10:00:01 +0200
Lunar <lu...@torproject.org> wrote:
> isis:
>>> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
>>
>> Obfs3 is also broken, it's just that we haven't yet seen a DPI box do it IRL.
>
> That's news to me. Any pointers?

Well, the protocol is ok, but it is vulnerable to active probing (eg: See something they don't recognize, flag the destination IP/Port, call back later). Doing so on a mass scale is *quite* expensive since the obfs3 handshake isn't exactly cheap, but probably is in the reach of a nation-state adversary (China springs to mind).

There also are a few interesting statistical attacks that are possible vs the obfs3 protocol if you make guesses about the inner payload, but such things are unnecessary for obfs3 (and ScrambleSuit/obfs4 both have some defenses against those, although not all are enabled as a performance tradeoff).

Regards,

-- 
Yawning Angel
Re: [tor-dev] Email Bridge Distributor Interactive Commands
isis:
>> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
>
> Obfs3 is also broken, it's just that we haven't yet seen a DPI box do it IRL. If you want me to only hand out the holy grail, I'm never going to hand anything out.

The holy grail will never exist, indeed. I fail to see why this would be a reason to continue giving out solutions that are known to be bad when they have a suitable replacement.

-- 
Lunar <lu...@torproject.org>
Re: [tor-dev] Email Bridge Distributor Interactive Commands
On Fri, 25 Jul 2014 13:25:31 +0200
Lunar <lu...@torproject.org> wrote:
> isis:
>>> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
>>
>> Obfs3 is also broken, it's just that we haven't yet seen a DPI box do it IRL. If you want me to only hand out the holy grail, I'm never going to hand anything out.
>
> The holy grail will never exist, indeed. I fail to see why this would be a reason to continue giving out solutions that are known to be bad when they have a suitable replacement.

For what it's worth, the official plan is to kill off obfs2 once we figure out how we want to handle deprecating old transports.

https://trac.torproject.org/projects/tor/ticket/10314

Personally I think when we deploy the next round of transports (meek, and either ScrambleSuit or obfs4) would be the right time to revisit this, and I can't think of a good reason to keep obfs2 around beyond "there are bridges that only support obfs2", which is a fairly terrible reason to keep distributing the protocol to new users.

My other objection to the idea a while back was that Orbot only supported obfs2, but that's been fixed for a while now.

Regards,

-- 
Yawning Angel
Re: [tor-dev] Email Bridge Distributor Interactive Commands
Griffin Boyce transcribed 1.6K bytes:
> Lunar wrote:
>> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
>
> We should really be reaching out to those running obfs2 nodes and convincing them to move to obfs3 if at all possible.
>
> Related question: are there geographic areas where standard bridges are being blocked, where obfs2 are still usable?

Yes, some university/corporate networks.

> If so, maybe in the future it would be possible to restrict distribution of remaining obfs2 bridges to those areas.

Unfortunately, this is rather hard to detect in automated fashion, and I would have no interest in building nor maintaining such a list.

> But on the whole I agree that giving those out is problematic. Unless they comprise a large portion of bridges, maybe it's time to phase them out of bridgeDB (not necessarily TBB).

Well, you're correct that obfs2 isn't the majority anymore (finally!), but there still is a rather huge chunk of bridges which are obfs2:

bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport obfs2' from-authority/cached-extrainfo* | wc -l
2071
bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport obfs3' from-authority/cached-extrainfo* | wc -l
2840
bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport scramblesuit' from-authority/cached-extrainfo* | wc -l
2221
bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport fte' from-authority/cached-extrainfo* | wc -l
625

> best,
> Griffin
>
> -- 
> Wherever truth, love and laughter abide, I am there in spirit.
> -Bill Hicks

-- 
♥Ⓐ isis agora lovecruft
_
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
Re: [tor-dev] Email Bridge Distributor Interactive Commands
Yawning Angel transcribed 2.9K bytes:
> On Fri, 25 Jul 2014 13:25:31 +0200
> Lunar <lu...@torproject.org> wrote:
>> isis:
>>>> We can't just make Tor Browser stop accepting obfs2 because some people are using obfs2 bridges right now. But we shouldn't add more people to the set of users of a broken protocol.
>>>
>>> Obfs3 is also broken, it's just that we haven't yet seen a DPI box do it IRL. If you want me to only hand out the holy grail, I'm never going to hand anything out.
>>
>> The holy grail will never exist, indeed. I fail to see why this would be a reason to continue giving out solutions that are known to be bad when they have a suitable replacement.
>
> For what it's worth, the official plan is to kill off obfs2 once we figure out how we want to handle deprecating old transports.
>
> https://trac.torproject.org/projects/tor/ticket/10314

Thanks, I was looking for that one. :)

> Personally I think when we deploy the next round of transports (meek, and either ScrambleSuit or obfs4) would be the right time to revisit this, and I can't think of a good reason to keep obfs2 around beyond "there are bridges that only support obfs2", which is a fairly terrible reason to keep distributing the protocol to new users.

Scramblesuit is deployed, if you ask me... We've got roughly 2221 scramblesuit supporting bridges.

> My other objection to the idea a while back was that Orbot only supported obfs2, but that's been fixed for a while now.

So... I'm going to wait for an update from the Huggable Transport folks, telling me to phase out obfsXYZ, whenever that happens. Until then, obfs3 is still the default transport distributed.

Does this sound okay to everyone? Otherwise you're shoving me back into the hell where I get yelled at if I don't make a unilateral decision, and also get yelled at if I do make a decision. It's kind of annoying to get yelled at all the time. :(

-- 
♥Ⓐ isis agora lovecruft
_
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
Re: [tor-dev] Email Bridge Distributor Interactive Commands
isis transcribed 4.0K bytes:
> bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport obfs2' from-authority/cached-extrainfo* | wc -l
> 2071
> bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport obfs3' from-authority/cached-extrainfo* | wc -l
> 2840
> bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport scramblesuit' from-authority/cached-extrainfo* | wc -l
> 2221
> bridgedb@ponticum:/srv/bridges.torproject.org$ grep 'transport fte' from-authority/cached-extrainfo* | wc -l
> 625

I forgot to mention that these are non-deduplicated. Perhaps a little rough, but the numbers appear to be accurate.

-- 
♥Ⓐ isis agora lovecruft
_
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
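The grep tally above counts every `transport` line in every cached extra-info descriptor, so a bridge that appears in more than one cached file (or re-published within the cache window) is counted more than once. As an added example (not from the thread and not BridgeDB's own code), a small Python parser that counts bridges per transport and, with `dedupe=True`, keeps only the newest `published` descriptor for each fingerprint; the descriptors and fingerprints are constructed sample data.

```python
from collections import Counter

# Constructed sample extra-info descriptors (placeholder fingerprints). Bridge1
# appears twice, as when cached-extrainfo and cached-extrainfo.new overlap.
SAMPLE = """\
extra-info Bridge1 0000000000000000000000000000000000000001
published 2014-07-25 09:00:00
transport obfs2 198.51.100.10:443
transport obfs3 198.51.100.10:444
extra-info Bridge1 0000000000000000000000000000000000000001
published 2014-07-25 11:00:00
transport obfs3 198.51.100.10:444
transport scramblesuit 198.51.100.10:4444 password=EXAMPLEPASSWORD
extra-info Bridge2 0000000000000000000000000000000000000002
published 2014-07-25 10:30:00
transport fte 203.0.113.7:8080
transport obfs3 203.0.113.7:8081
"""

def parse_extrainfo(text):
    """Yield (fingerprint, published, set of transport names) per descriptor."""
    fp, published, transports = None, "", set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "extra-info" and len(parts) >= 3:
            if fp is not None:
                yield fp, published, transports
            fp, published, transports = parts[2], "", set()
        elif parts[0] == "published" and len(parts) >= 3:
            published = parts[1] + " " + parts[2]  # ISO order sorts as text
        elif parts[0] == "transport" and len(parts) >= 2:
            transports.add(parts[1])
    if fp is not None:
        yield fp, published, transports

def count_transports(text, dedupe=True):
    """Bridges per transport; dedupe keeps only the newest descriptor per fingerprint."""
    raw, latest = Counter(), {}
    for fp, published, transports in parse_extrainfo(text):
        raw.update(transports)  # dedupe=False mirrors a raw grep | wc -l tally
        if fp not in latest or published > latest[fp][0]:
            latest[fp] = (published, transports)
    if not dedupe:
        return dict(raw)
    deduped = Counter()
    for _, transports in latest.values():
        deduped.update(transports)
    return dict(deduped)
```

On the sample, the raw tally reports one obfs2 bridge while the deduplicated count reports none, because Bridge1's newer descriptor no longer advertises obfs2.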
Re: [tor-dev] Email Bridge Distributor Interactive Commands
On Fri, 25 Jul 2014 22:19:40 +
isis <i...@torproject.org> wrote:
>> Personally I think when we deploy the next round of transports (meek, and either ScrambleSuit or obfs4) would be the right time to revisit this, and I can't think of a good reason to keep obfs2 around beyond "there are bridges that only support obfs2", which is a fairly terrible reason to keep distributing the protocol to new users.
>
> Scramblesuit is deployed, if you ask me... We've got roughly 2221 scramblesuit supporting bridges.

Kind of. TBB/Orbot and the FirefoxOS code all need to move to 0.2.5.x for those bridges to actually be useful, which I believe is Real Soon Now. Just having bridges that only people that build stuff on their own can connect to is a bit silly.

>> My other objection to the idea a while back was that Orbot only supported obfs2, but that's been fixed for a while now.
>
> So... I'm going to wait for an update from the Huggable Transport folks, telling me to phase out obfsXYZ, whenever that happens. Until then, obfs3 is still the default transport distributed.
>
> Does this sound okay to everyone? Otherwise you're shoving me back into the hell where I get yelled at if I don't make a unilateral decision, and also get yelled at if I do make a decision. It's kind of annoying to get yelled at all the time. :(

That's fine by me. I believe obfs3 should be ok for a while, and there are easier ways to identify bridges via active probing than doing an obfs3 handshake anyway (Fixing such things is also on my TODO list).

Regards,

-- 
Yawning Angel
[tor-dev] Counter Base Encryption
Hi,

I have to do some experiments on tor and I must disable counter-based encryption for cells. Is there a simple way to do that? I appreciate any idea.

Soroosh