I was researching tor bridges and I’m a bit confused with their purpose, as they seem like they could be easily made obsolete if governments really wanted to.
Since you can simply get bridge lines just by solving a captcha/emailing, couldn’t governments automate this so that they know the addresses for a lot of the entry nodes? Then, if someone connects to one that they discovered, it would be the same as them connecting to tor normally (without the bridge) as the government now knows this “private/hidden” entry node?
So, in a country where tor is illegal, they could do this and bridges would be more risky to use for those who want to connect to tor, right?
Sorry if this isn’t true. I’m new to tor and am trying to understand it better.
Yes, theoretically they could and with longevity it would be fair to assume that all bridges available will be identified as points of entry to Tor. My understanding is that bridges are more designed for bypassing current censorship of networks at the time of use rather than providing long term obscurification. This is one of many reasons why its actually best to use a VPN to connect to Tor, your ISP will only see an IP known to belong to a company, they can’t see what goes on within it
First, there are different types of bridges and pluggable transports to circumvent censorship with Tor, for example, Snowflake is a pluggable transport built to resist against the attack that you’ve described (“bridge enumeration”).
Second, we know that some censors are abusing of BridgeDB distributors and blocking a lot of Tor bridge, so that’s why developing and adding new pluggable transports are important as well as building anti-abuse features in BridgeDB. Or even developing a new system like Salmon.
I recommend watching Roger’s talk Censorship arms race - the next chapter (DEF CON 2019).
re: Tor is illegal. I’m not a lawyer and I won’t speculate about the legal system in other countries. But keep in mind that censors have different goals and different approaches. In some places and for some people, censorship isn’t about punishing or arresting people because fear-based censorship creates backslash, but it’s about creating a bad user experience on tools that they can’t control or spy. I recommend reading this thread and this book:
Since you can simply get bridge lines just by solving a captcha/emailing, couldn’t governments automate this so that they know the addresses for a lot of the entry nodes?
They already do this. The point is that you can’t automate it quickly. It’s why you need captcha at all. Bridge distribution is tied to the sacrifice of scarce resources.