Opened 6 years ago

Closed 6 years ago

#8705 closed enhancement (fixed)

bridges.torproject.org Pluggable Transport configuration warnings

Reported by: oscardelta
Owned by: isis
Priority: Low
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity:
Keywords: webUI
Cc: isis@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Instructions from https://bridges.torproject.org/ aren't complete, so I tried to write better ones based on the Vidalia help and https://blog.torproject.org/blog/different-ways-use-bridge

(https://bridges.torproject.org/)
"(Here I suggest adding the https://bridges.torproject.org/?transport=obfs3 link.
It would be more convenient to provide and highlight the active links from the bottom of the page here, for all the supported Transports, than to let the users feel lucky with the "Specify transport by name:" form. I suggest renaming "Looking for obfsproxy bridges?" to the specific obfs2.)
  
To receive your bridge relay address, please prove you are human

Here is the address you asked for:

x

  
Another way to find public bridge addresses is to send mail to bridges@… with the line "get bridges" in the body of the mail. However, so we can make it harder for an attacker to learn lots of bridge addresses, you must send this request from an email address at one of the following domains:

gmail.com
yahoo.com

To use the Bridge address, go to Vidalia's Network settings page, check the "My ISP blocks connections to the Tor network" box and add the bridges, one at a time, to the list.

WARNINGS!

Configuring more than one bridge address will make your Tor connection more capable of circumvention, in case the Bridge becomes unreachable, but also more recognizable, in case some bridge you are using becomes recognized as a Tor-specific relay.
Tor Project bundles, by default, handshake over the Internet with all bridges listed in Vidalia's network settings. IT IS SUGGESTED to replace all the default bridges in the list to minimize the probability of recognition as a Tor user BEFORE YOU START to use the Pluggable Transport bundles.

  1. Go off-line
  2. Launch Vidalia (start browser bundle)
  3. Stop Tor
  4. Configure the Bridges list
  5. Restart the Vidalia and Tor (restart browser bundle)

or

  1. Redact the "torrc" before the first launch.

If you are using the Pluggable Transport Bundle for obfuscation rather than for circumvention, so you got a trusted Bridge, you should disable Flash proxy bridges from connecting to your browser by deleting the websocket bridge from the Bridges list. Read about the default Flash proxy configuration here: https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto

Even if your connection to Tor has already leaked, you could still help new users to obtain their first Bridge address without them contacting Tor directly.

FAQ

What is a Tor bridge?

"Bridge relays (or "bridges" https://www.torproject.org/docs/bridges.html.en for short) is the common name for the cutting edge Tor entrance relays (entry nodes?) being developed and running on the diverse Pluggable Transports servers configuration.
You could imagine your Pluggable Transport of choice is coursing between your client and the Tor network first by the specialized (possibly hidden or even private) Bridges, then routed by classic Tor to the Internet, and back again.

After you choose and configure the connection method(s) with Pluggable Transports https://www.torproject.org/docs/pluggable-transports.html.en in your Tor client, you should point it to the compatible "bridge". An instance created from any of the current https://cloud.torproject.org/ images will automatically be a normal bridge, an obfs2 bridge, and an obfs3 bridge. (What do you suggest to use and why?)

Are bridges significantly more secure than TBB direct relays? Should I move to the PTB?

Pluggable Transports have their specific advantages and disadvantages.

The differences from the "direct relays" (basic Tor entry nodes?) are:

  1. Users can customize their own connection priorities using Pluggable Transports.
  2. The relay authority can choose to publish the bridge address to the Bridge Authority (a special Tor Project relay collecting all bridge addresses that it receives and providing them to users with interfaces like this page), or to distribute it in any other way.
  3. https://metrics.torproject.org/users.html#bridge-users to https://metrics.torproject.org/users.html#direct-users

So Pluggable Transports could provide significantly stronger circumvention and obfuscation abilities, but could add to the connection latency, so the TBB could be faster for a while."

Please edit, move, just don't throw away all this as I have invested time in this to help the project as much as I can.

Change History (3)

comment:1 in reply to:  description Changed 6 years ago by isis

Cc: isis@… added
Keywords: webUI added; Pluggable Transport bridges warnings removed
Owner: set to isis
Priority: major → minor
Status: new → accepted

Replying to oscardelta:

> Instructions from https://bridges.torproject.org/ aren't complete, so I tried to write better ones based on the Vidalia help and https://blog.torproject.org/blog/different-ways-use-bridge

We are planning to deprecate Vidalia, and, given the volume of complaints generated about Vidalia's UI, I think it is unwise to model future UI developments on Vidalia.

I have literally had Syrian activists slap me on the wrist for how difficult it is for them to configure TBB correctly (for their situation, for what I was advising them to try) using Vidalia. That said, I completely agree with you that bridges.tpo needs improvements -- I just don't think it's a good idea to attempt to improve one broken thing by modelling it after another broken thing.

> (https://bridges.torproject.org/)
> "(Here I suggest adding the https://bridges.torproject.org/?transport=obfs3 link.
> It would be more convenient to provide and highlight the active links from the bottom of the page here, for all the supported Transports, than to let the users feel lucky with the "Specify transport by name:" form. I suggest renaming "Looking for obfsproxy bridges?" to the specific obfs2.)

Okay. Agreed.

> To receive your bridge relay address, please prove you are human
>
> Here is the address you asked for:
>
> x
>
> Another way to find public bridge addresses is to send mail to bridges@… with the line "get bridges" in the body of the mail. However, so we can make it harder for an attacker to learn lots of bridge addresses, you must send this request from an email address at one of the following domains:
>
> gmail.com
> yahoo.com
>
> To use the Bridge address, go to Vidalia's Network settings page, check the "My ISP blocks connections to the Tor network" box and add the bridges, one at a time, to the list.

There definitely should be better instructions, although I personally don't like the idea of having a cluttered page full of warnings that must be updated constantly as situations change. Also, changing anything to say "use Vidalia" now is not such a good idea; these things will need to be changed yet again very soon, when https://gitweb.torproject.org/tor-launcher.git is ready to be deployed.

> WARNINGS!
>
> Configuring more than one bridge address will make your Tor connection more capable of circumvention, in case the Bridge becomes unreachable, but also more recognizable, in case some bridge you are using becomes recognized as a Tor-specific relay.
> Tor Project bundles, by default, handshake over the Internet with all bridges listed in Vidalia's network settings. IT IS SUGGESTED to replace all the default bridges in the list to minimize the probability of recognition as a Tor user BEFORE YOU START to use the Pluggable Transport bundles.

I believe this is not the case, I have not seen nor heard of any censors detecting Tor by the number of simultaneous connection initiations. Please correct me if I am wrong! :)

>   1. Go off-line
>   2. Launch Vidalia (start browser bundle)
>   3. Stop Tor
>   4. Configure the Bridges list
>   5. Restart the Vidalia and Tor (restart browser bundle)
>
> or
>
>   1. Redact the "torrc" before the first launch.

Honestly...these instructions do not make much sense to me. I doubt they would make much sense to a person trying to figure out configuring using a Bridge to connect to the Tor network for the first time.

> If you are using the Pluggable Transport Bundle for obfuscation rather than for circumvention, so you got a trusted Bridge, you should disable Flash proxy bridges from connecting to your browser by deleting the websocket bridge from the Bridges list. Read about the default Flash proxy configuration here: https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto

Hmm, perhaps starting with adding a FlashProxy page, like we have for IPv6 and obfs2 would be better? No need to confuse people with extra information that is irrelevant to them.

> Even if your connection to Tor has already leaked, you could still help new users to obtain their first Bridge address without them contacting Tor directly.

I'm not sure that I understand what you're saying here...please explain more?

> FAQ
>
> What is a Tor bridge?
>
> "Bridge relays (or "bridges" https://www.torproject.org/docs/bridges.html.en for short) is the common name for the cutting edge Tor entrance relays (entry nodes?) being developed and running on the diverse Pluggable Transports servers configuration.
> You could imagine your Pluggable Transport of choice is coursing between your client and the Tor network first by the specialized (possibly hidden or even private) Bridges, then routed by classic Tor to the Internet, and back again.
>
> After you choose and configure the connection method(s) with Pluggable Transports https://www.torproject.org/docs/pluggable-transports.html.en in your Tor client, you should point it to the compatible "bridge". An instance created from any of the current https://cloud.torproject.org/ images will automatically be a normal bridge, an obfs2 bridge, and an obfs3 bridge. (What do you suggest to use and why?)
>
> Are bridges significantly more secure than TBB direct relays? Should I move to the PTB?
>
> Pluggable Transports have their specific advantages and disadvantages.
>
> The differences from the "direct relays" (basic Tor entry nodes?) are:
>
>   1. Users can customize their own connection priorities using Pluggable Transports.
>   2. The relay authority can choose to publish the bridge address to the Bridge Authority (a special Tor Project relay collecting all bridge addresses that it receives and providing them to users with interfaces like this page), or to distribute it in any other way.
>   3. https://metrics.torproject.org/users.html#bridge-users to https://metrics.torproject.org/users.html#direct-users
>
> So Pluggable Transports could provide significantly stronger circumvention and obfuscation abilities, but could add to the connection latency, so the TBB could be faster for a while."

Hmm...most of that also did not make sense to me. Also, none of it is pertinent to what the user is trying to do when they get two bridges from bridges.tpo.

> Please edit, move, just don't throw away all this as I have invested time in this to help the project as much as I can.

Thanks for writing all this. In general, any UI improvements for Tor Project things are most welcome, as we're not exactly known for having amazing UI.

comment:2 Changed 6 years ago by isis

Status: accepted → needs_review

I think that with gsathya's and asn's recent work for #7296, this ticket can be considered largely done. Perhaps underneath this section https://www.torproject.org/projects/obfsproxy.html.en#download there should be a link to a page which displays configuration warnings or a FAQ on the different usages for bridges and PTs.

comment:3 Changed 6 years ago by isis

Resolution: fixed
Status: needs_review → closed

gsathya's new web interface for bridges.tpo links to the documentation on bridges, which includes information on pluggable transports.

Marking as done and closing.
