Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-26 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--

Comment (by phw):

 I now have a working patch in my `bug28655` branch:
 https://gitweb.torproject.org/user/phw/bridgedb.git/log/?h=bug28655

 The patch also required a change in leekspin:
 
https://gitweb.torproject.org/user/phw/leekspin.git/commit/?id=3bc9c660e8df80fe89693c8e4fad38955011bf20

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-25 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--

Comment (by phw):

 Replying to [comment:14 dcf]:
 > Replying to [comment:13 phw]:
 > > The numbers show that we have 251 bridges that are active probing-
 resistant. 38 (15%) of these bridges ''also'' run a transport that is not
 active probing resistant---obfs2, obfs3, and/or fte. After fixing this
 ticket, we will stop handing out these transports.
 >
 > If I understand right, then all 251 (100%) will ''also'' stop handing
 out their vanilla ORport?

 Yes, that is correct.


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-25 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--

Comment (by dcf):

 Replying to [comment:13 phw]:
 > The numbers show that we have 251 bridges that are active probing-
 resistant. 38 (15%) of these bridges ''also'' run a transport that is not
 active probing resistant---obfs2, obfs3, and/or fte. After fixing this
 ticket, we will stop handing out these transports.

 If I understand right, then all 251 (100%) will ''also'' stop handing out
 their vanilla ORport?


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-19 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--

Comment (by phw):

 I wanted to understand how many bridges would be affected by this patch. I
 took an assignments.log file that BridgeDB created on 2019-04-19. Here's
 what the file can tell us:

 ||= Description =||= # =||= % =||= Command =||
 || All bridges || 968 || 100.0 || `wc -l assignments.log` ||
 || Bridges that have a transport protocol || 258 || 26.7 || `grep -c transport assignments.log` ||
 || Bridges that have obfs4 || 249 || 25.7 || `grep -c obfs4 assignments.log` ||
 || Bridges that have obfs4 or scramblesuit || 251 || 26.0 || `grep -c '\(obfs4\|scramblesuit\)' assignments.log` ||
 || Bridges with obfs or scramblesuit and obfs2, obfs3, or fte || 38 || 3.9 || `grep '\(obfs4\|scramblesuit\)' assignments.log | grep -c '\(obfs2\|obfs3\|fte\)'` ||

 The numbers show that we have 251 bridges that are active probing-
 resistant. 38 (15%) of these bridges ''also'' run a transport that is not
 active probing resistant---obfs2, obfs3, and/or fte. After fixing this
 ticket, we will stop handing out these transports.


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-15 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--

Comment (by phw):

 So far, all of leekspin's generated descriptors included obfs2, obfs3,
 obfs4, and scramblesuit. This broke BridgeDB's unit tests because all
 descriptors included a probing-resistant PT (obfs4 and scramblesuit), so
 BridgeDB wouldn't hand out its obfs2, obfs3, and vanilla bridges. To fix
 this, I made leekspin generate descriptors with various combinations of
 pluggable transports:
 
https://gitweb.torproject.org/user/phw/leekspin.git/commit/?id=9af6c71b3b4aeb56c509df9ae6a16650f9b58dd2
 Let me know if this patch looks good to you.

 Unfortunately, the HTTPS unit tests still break -- apparently randomly.
 Here's one of my recent, failed builds:
 https://travis-ci.org/NullHypothesis/bridgedb/jobs/520411314

 Since my leekspin patch creates pluggable transport combinations
 deterministically, I believe that the issue is somewhere in BridgeDB's
 HTTPS distribution mechanism.


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-12 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--

Comment (by phw):

 Small update: My patch broke several unit tests because they rely on an
 obfs4 bridge being willing to hand out its vanilla descriptor. A proper
 fix will require a minor change to leekspin (the tool that creates test
 descriptors for BridgeDB as part of its unit tests), which I'm working on
 now.


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-11 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+--
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+--
Changes (by phw):

 * status:  assigned => needs_review


Comment:

 I made a first attempt at fixing this issue in my
 [https://gitweb.torproject.org/user/phw/bridgedb.git/log/?h=bug28655
 bug28655 branch]. It's not yet ready to merge. I'd first like to hear what
 our seasoned BridgeDB veterans think.


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-10 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  phw
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+---
Changes (by phw):

 * owner:  dgoulet => phw



Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-04-05 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  dgoulet
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+---
Changes (by phw):

 * cc: phw (added)



Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-02-07 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  dgoulet
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+---

Comment (by arma):

 Replying to [comment:6 dcf]:
 > Linking #7349, which is like this ticket, but more comprehensive

 I would say differently comprehensive, but not a superset of this one.

 In this ticket, I want us to e.g. stop giving out the obfs3 port when
 there is an obfs4 port.

 More broadly, if a bridge supports both active-probing-resistant and
 active-probing-vulnerable options, then we should give out only the
 active-probing-resistant ones.

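
The rule discussed in this thread (when a bridge has any active-probing-resistant flavor, hand out only those, vanilla ORPort included) together with the count of affected bridges, as an added Python example that is not BridgeDB's code or the patch from the ticket. The assumed line layout (`<fingerprint> <distributor> key=value ...` with a `transport=` field), the `vanilla` label and the sample lines are constructed for illustration.

```python
# Added example, not BridgeDB code. Line layout and sample data are assumed.
RESISTANT = {"obfs4", "scramblesuit"}    # active-probing-resistant (per thread)
VULNERABLE = {"obfs2", "obfs3", "fte"}   # not probing-resistant (per thread)
VANILLA = "vanilla"                      # label chosen here for the bare ORPort

# Constructed sample; fingerprints are placeholders.
SAMPLE_LOG = """\
0000000000000000000000000000000000000001 https ip=4 transport=obfs3,obfs4
0000000000000000000000000000000000000002 email ip=4 transport=obfs4
0000000000000000000000000000000000000003 moat ip=4 transport=obfs2,obfs3
0000000000000000000000000000000000000004 unallocated ip=4
0000000000000000000000000000000000000005 https ip=4 transport=scramblesuit,fte
"""

def parse_line(line):
    """Return (fingerprint, transports) from one assumed-format line."""
    fields = line.split()
    transports = set()
    for field in fields[2:]:
        key, _, value = field.partition("=")
        if key == "transport" and value:
            transports.update(value.split(","))
    return fields[0], transports

def flavors_to_hand_out(transports):
    """If any resistant flavor exists, hand out only those; else everything."""
    offered = set(transports) | {VANILLA}   # every bridge also has an ORPort
    resistant = offered & RESISTANT
    return resistant if resistant else offered

def summarize(log_text):
    """Count bridges by exact transport name rather than substring match."""
    counts = {"all": 0, "resistant": 0, "mixed": 0, "withheld_flavors": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, transports = parse_line(line)
        offered = transports | {VANILLA}
        kept = flavors_to_hand_out(transports)
        counts["all"] += 1
        if transports & RESISTANT:
            counts["resistant"] += 1
            if transports & VULNERABLE:
                counts["mixed"] += 1
        counts["withheld_flavors"] += len(offered - kept)
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
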

Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-02-07 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  dgoulet
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+---

Comment (by dcf):

 Linking #7439, which is like this ticket, but more comprehensive in that
 it would allow bridges not to expose their ORPort at all, not merely
 prevent BridgeDB from advertising it. That would also prevent
 mass-scanning discovery like
  * https://lists.torproject.org/pipermail/tor-dev/2014-December/007957.html
  * https://censorbib.nymity.ch/#Matic2017a


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2019-01-17 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  (none)
 Type:  defect| Status:  assigned
 Priority:  High  |  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:  2
 Reviewer:|Sponsor:  Sponsor19
--+---
Changes (by gaba):

 * owner:  sysrqb => (none)
 * priority:  Medium => High
 * points:   => 2
 * status:  new => assigned



Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2018-12-20 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  sysrqb
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:  bridgedb  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor19
--+---
Changes (by gaba):

 * keywords:   => bridgedb



Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2018-11-29 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  sysrqb
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor19
--+---

Comment (by dcf):

 Replying to [ticket:28655 arma]:
 > Second, it assumes that the FOCI paper is actually correct in its
 conclusions about how China has changed its blocking.

 Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, and Srikanth V.
 Krishnamurthy observed the same in their
 [https://censorbib.nymity.ch/#Wang2017a INTANG paper], §7.3:
 > Meanwhile, any hidden bridge nodes requested by the remaining 7 vantage
 points triggers active probing [[https://censorbib.nymity.ch/#Ensafi2015b
 13], [https://censorbib.nymity.ch/#Winter2012a 31]] and are immediately
 blocked by the GFW, ''i.e.'', any node in China can no longer connect to
 this IP via any port. This is very different from what was previously
 reported ''i.e.'', the GFW only blocks the Tor port on that hidden bridge
 [[https://censorbib.nymity.ch/#Winter2012a 31]], and could cause
 collateral damage as the Amazon EC2 IPs are recycled. We test 5 different
 hidden bridge IPs and find no exceptions so far.

 This test was done between May 10 and May 18, 2017, according to my
 correspondence with the authors.


Re: [tor-bugs] #28655 [Obfuscation/BridgeDB]: If a bridge supports obfs4, don't give out its other flavors

2018-11-28 Thread Tor Bug Tracker & Wiki
#28655: If a bridge supports obfs4, don't give out its other flavors
--+---
 Reporter:  arma  |  Owner:  sysrqb
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Obfuscation/BridgeDB  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor19
--+---

Comment (by dcf):

 Replying to [ticket:28655 arma]:
 > There's a FOCI 2018 paper looking at blocking of bridges inside China,
 and one of their conclusions is that China has moved from "block by
 IP:port" to "block to IP":
 >
 > Second, it assumes that the FOCI paper is actually correct in its
 conclusions about how China has changed its blocking. I recall in the Q&A
 at the end of the presentation that some folks questioned the analysis,
 but I didn't follow it enough to form a solid opinion. But even if China
 isn't doing its censorship in this new way yet, now is a great time for
 bridgedb to become able to handle it.)

 My, Lynn Tsai's, and Qi Zhong's monitoring of default Tor Browser bridges
 also reached this conclusion, that the GFW changed from single-port
 blocking to all-port blocking (at least for these special bridges). The
 change happened in October 2016.

 https://www.bamsoftware.com/papers/thesis/#sec:china-perport
 https://www.bamsoftware.com/papers/thesis/#sec:china-allports
 > The blocking event of October 20, 2016 was noteworthy not only because
 it occurred before a release, but also because it affected more than one
 port on some bridges. See point ⓗ in
 [https://www.bamsoftware.com/papers/thesis/#fig:proxy-probe-timelines-china1 Figure 5.2].
 When GreenBelt:7013 was blocked, so were
 GreenBelt:5881 (which had escaped blocking in the previous batch) and
 GreenBelt:12166 (which was awaiting deployment in the next batch).
 Similarly, when MaBishomarim:7920 and JonbesheSabz:4148 were blocked, so
 were the Orbot-reserved MaBishomarim:1984 and JonbesheSabz:1984 (point ⓚ),
 ending an eight-month unblocked streak.
