On Sun, Jul 20, 2014 at 06:07:03PM -0400, Philipp Winter wrote: > On Sun, Jul 20, 2014 at 06:52:44PM +0000, Matthew Finkel wrote: > > So, the questions I am posing to those in the community who has an > > opinion about this: What do you think? What problems do you currently > > have with this? How can this be improved? > > Non-technical users might be confused by the parameters. Perhaps we > could drop the "transport" parameter and have the following flat > hierarchy? > get vanilla > get ipv6 > get obfs3 > get fte > get scramblesuit > etc >
So you think we should accept (roughly) the regex "^.*(\w*)$" and return bridges based on the last token? I think we can do something like this. I do think, based on other responses, that we have some other open questions, though. Listing multiple token on a single will become more difficult, but we can figure something out. > An even simpler option would be to also drop "get" and simply look for > the keywords "vanilla", "obfs3", ... in the email subject and body. > > Also, if the user fails to form a valid email, I think we should still > reply with a set of bridges. This is a tricky problem: "I'm TorBrowser, I know about N bridges, but I don't know which ones I should use, so I will pick a few and try them." "I'm <adversary>. Wow, look at this traffic coming from <ip address>! That looks odd, I see this traffic that looks like Tor, BLOCK! And another flow that looks like obfs2, BLOCK! and another that looks like...huh, I don't recognize it. Let's play it safe. BLOCK!" Alternatively the adversary could simply detect recognizable tor-flows and then track all subsequent traffic and see what it does and how it behaves, thus building a profile of it. We need to be very careful about blindly giving out different transports together. We can default to a few obfs3 bridges, though, instead of obfs3, scramblesuit, and fteproxy. The above example is obvious contrived, and my not be used (often), but it is a risk, and I'm mostly against playing that game unless we are significantly harming peoples' abilities to access the internet. Thanks for the feedback Philipp, very much appreciated! _______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
