Opened 2 months ago

Last modified 4 weeks ago

#28526 assigned project

Document how NGOs can run private obfs4 bridges, and get some doing it

Reported by: arma
Owned by: ggus
Priority: Medium
Milestone:
Component: Community/Tor Support
Version:
Severity: Normal
Keywords: ux-team education documentation
Cc: sysrqb, flexlibris, ggus, phoul
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor19

Description

One of our eventual goals is to get bridgedb back on its feet, and using bridge distribution strategies that China can't defeat, but in the meantime we should document one approach that should still work: setting up your Tor Browser with a private (not publicized) tor bridge.

In particular, we know many NGOs that would be happy to run unpublished obfs4 bridges for their people, and give them private bridge addresses when they visit China.

There are several steps to following through with this idea.

Round one (minimum viable approach):

(1) Document for NGOs how to easily run a few private obfs4 bridges. I've seen some guides floating around but nothing both simple and obviously official.

(2) Document for NGOs how they should get these bridge addresses to their users, and how the users should add them to Tor Browser. On Android it seems that Orbot hooks the "bridge://" URL, so sending bridge addresses via Signal, email, etc. should work: the user clicks on the bridge address, which launches Orbot which adds that bridge to its configuration. Having docs for actual users, with screenshots and stuff, would be the clear next step. On desktop the interface choices are messier: see #28015.

(3) Walk a few NGOs through the process from beginning to end, so we can confirm for ourselves that it works as intended, and so we can have a more direct connection to actual users to get feedback on all angles of the user experience.

Round two (once we like round one):

(4) Document for NGOs how to run a series of obfs4 bridges. This could start with one bridge address per computer, but the longer term answer is to have a single Tor client binding to many bridge addresses, maybe with help from the ISP to point these many bridge addresses to that Tor.

(5) Understand if private bridges actually work in China. Apparently Lantern uses obfs4 and they don't get blocked by DPI, so that's a good start, but I've also heard stories of DPI-based throttling. In step 3 above we'll get some anecdotal answers, but here we should design and deploy some recurring experiments from computers inside China that assess (a) connectivity, (b) whether it can bootstrap, and (c) throughput, through a private bridge.

(6) We should invent and document some best practices for where NGOs ought to run their bridges, and how many bridges they need per user. At the extreme bad end of the spectrum, they would run one bridge and give it to all of the people attending a given training -- and in that case, apart from the obvious "what if one of the users is bad and gets the address blocked" worry, discovering some of the users could lead to discovering other related users. At the other end of the spectrum is one bridge (on its own separate ISP) per user. What are some acceptable solutions in between?
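An added illustration of the trade-off raised in step (6), not part of the ticket and not Tor Project code: a small model that measures, for a given way of handing bridges to users, how many other users one bad user can cut off and how many they can be linked to. The user and bridge names, the round-robin assignment and the three metrics are assumptions made for this example.

```python
def assign(users, bridges, per_user=1):
    """Hypothetical scheme: user i holds `per_user` consecutive pool bridges."""
    n = len(bridges)
    return {u: {bridges[(i + k) % n] for k in range(per_user)}
            for i, u in enumerate(users)}


def exposure(assignment, bad_user):
    """Cost to everyone else if bad_user's bridge addresses get blocked.

    Returns (cut_off, degraded, linked):
      cut_off  - users whose every bridge is now blocked
      degraded - users who lose some, but not all, of their bridges
      linked   - users sharing at least one bridge with bad_user, so
                 watching those bridges associates them with each other
    """
    burned = assignment[bad_user]
    cut_off, degraded, linked = set(), set(), set()
    for user, held in assignment.items():
        if user == bad_user or not (held & burned):
            continue
        linked.add(user)
        (cut_off if held <= burned else degraded).add(user)
    return cut_off, degraded, linked


def worst_case(assignment):
    """(max users cut off, max users linked) over every choice of bad user."""
    results = [exposure(assignment, u) for u in assignment]
    return (max(len(cut) for cut, _, _ in results),
            max(len(linked) for _, _, linked in results))


if __name__ == "__main__":
    users = [f"u{i}" for i in range(12)]        # constructed training group
    schemes = {                                  # constructed bridge pools
        "1 bridge shared by all": assign(users, ["b0"]),
        "4 bridges, 1 per user": assign(users, [f"b{i}" for i in range(4)]),
        "6 bridges, 1 per user": assign(users, [f"b{i}" for i in range(6)]),
        "6 bridges, 2 per user": assign(users, [f"b{i}" for i in range(6)], 2),
        "12 bridges, 1 per user": assign(users, [f"b{i}" for i in range(12)]),
    }
    for name, assignment in schemes.items():
        cut, linked = worst_case(assignment)
        print(f"{name:24} worst case: {cut:2} cut off, {linked:2} linked")
```

In this model, giving each of the 12 users two of six bridges cuts off no more people than six one-per-user groups do, but links five users to the bad one instead of one.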

Child Tickets

Change History (7)

comment:1 Changed 2 months ago by arma

Status: assigned → new

comment:2 Changed 2 months ago by arma

(I put this ticket in webpages -> support because I couldn't think of a better component. It is clearly a cross-component project, so please feel free to bring in the other right people.)

comment:3 Changed 7 weeks ago by emmapeel

Component: Webpages/Support → Community/Tor Support
Owner: set to ggus
Status: new → assigned

ey gus, maybe this is one for the community portal?

comment:4 Changed 5 weeks ago by pili

Once we have a nice guide, maybe this is something we could try to do during some of our country trainings when we're meeting with people.

comment:5 in reply to:  description Changed 5 weeks ago by arma

Replying to arma:

(1) Document for NGOs how to easily run a few private obfs4 bridges. I've seen some guides floating around but nothing both simple and obviously official.

I just watched somebody on IRC use
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy
to get their obfs4 bridge up and working on Debian.

So this might be a good guide to start from.

comment:6 Changed 5 weeks ago by phoul

Cc: phoul added

comment:7 Changed 4 weeks ago by gaba

Keywords: education documentation added