So the concerns I brought up are already addressed in an upcoming update?

Cheers,
Nathaniel

Jacki M:
> Torbrowser 8a3 added moat which I’m actually fetches new bridges, without
> requiring you to go to bridges.torproject.org.
>
> Bug 23136: Moat integration (fetch bridges for the user)
> Download the latest alpha https://dist.torproject.org/torbrowser/8.0a6/
> Remember this is an alpha and should only be used for testing purposes, moat
> should be included in the next major stable.
> Sent from my iPad
>
>> On Apr 29, 2018, at 12:41 PM, Nathaniel Suchy (Lunorian) <m...@lunorian.is>
>> wrote:
>>
>> Thank you for clarifying that. The obfs4 bridges you can get at
>> bridges.torproject.org also pose an interesting risk, the ports each
>> Bridge IP Address is using seem to be non-standard, I'm in the US and
>> most networks I am at do not censor although sometimes certain ports at
>> public wifi networks are blocked, could a threat actor threatening you
>> or tor users in general realize an IP Address was a Tor Bridge by
>> identifying a large amount of traffic to a non-standard port on random
>> datacenter IP Addresses?
>>
>> You can tell Tor Browser your Firewall only allows connections to
>> certain ports which I assume when used with bridges would help further
>> hide the fact you are using Tor.
>>
>> The fact I email here obviously shows I am a Tor user, although I'd like
>> more technical measures built into Tor Browser to obfuscate the times I
>> am using Tor.
>>
>> Cheers,
>> Nathaniel Suchy
>>
>>>> On 4/29/18 2:36 PM, Matthew Finkel wrote:
>>>> On Sun, Apr 29, 2018 at 02:06:49PM -0400, Nathaniel Suchy (Lunorian) wrote:
>>>> I see that Tor Browser, for users who are censored in their country,
>>>> work, or school (or have some other reason to use bridges) has a variety
>>>> of built in bridges. One of those are the OBFS4 bridges. My first
>>>> thought would be these are hard coded, of course giving everyone the
>>>> same set of bridges is bad right?
>>>
>>> Currently this is how it works, yes. It is not ideal, and there is
>>> on-going development work for rolling out a more scalable method.
>>>
>>>> Then a bad actor could download Tor
>>>> Browser, get the list, and null route the IPs on their network(s). Also
>>>> these bridges could get quite crowded. Are the bridges being used to
>>>> fetch other bridges, or something else? How does Tor Browser handle
>>>> these risks / technical issues?
>>>
>>> Indeed "Bad actors" could block the bridges hard-coded in Tor Browser.
>>> It is also true many of those default bridges are overloaded.
>>
>> --
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk