[tor-relays] [Censorship in Russia] Make HTTPS/Moat captcha more complex?

Hi there.

I was thinking, what could be the ways Russian authorities could get bridges to block. One of the obvious ways to do this is to grab bridges from Moat/HTTPS, but since that would require solving a captcha, this would indicate its strength is insufficient, or they are able to crowdsource/mass solve somehow.

The other thought is an attack via email. Can we do something with it, what do you think?

--
Best regards,
Space Oddity.
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Quoting Space Oddity via tor-relays (2021-12-16 11:35:10)

> I was thinking, what could be the ways Russian authorities could get bridges
> to block. One of the obvious ways to do this is to grab bridges from
> Moat/HTTPS, but since that would require solving a captcha, this would
> indicate its strength is insufficient, or they are able to crowdsource/mass
> solve somehow.

Captchas are a hard balance between usability and hard to break. I'm happy to
hear ideas on how to do captchas better without sharing data of the users to
third parties or making it way harder for people that solve them.

There are many services that you pay to solve captchas they could be using,
captchas don't seem to be a great protection and we are working on finding
other options.

> The other thought is an attack via email. Can we do something with it, what do
> you think?

What do you mean about attack via email?

--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.

I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I’ve often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.

Respectfully,

Gary

This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)

  • 2 x Charmast 26800mAh Power Banks
    = iPhone XS Max 512GB (~2 Weeks Charged)

I'm not familiar with how I2P does this, but wouldn't this just shift blocking targets from the relatively large pool of bridges and relays to a much smaller and easier-to-block list of directory authorities?

On Dec 22, 2021, at 22:42, Gary C. New via tor-relays <tor-relays@lists.torproject.org> wrote:

> Perhaps Directory Authorities could perform fingerprint to address resolution?

The idea sounds good at first. Fingerprint and Cert from bridges are already
issued by the BridgeDB.
But: I2P is nearly the same as Tor Hidden Services. Tor-Browser to bridge is a
p2p connection and therefore no problem to see the IP anyway.

On Thursday, December 23, 2021 7:42:09 AM CET Gary C. New via tor-relays wrote:

> I know it might be a fundamental change to the Tor network, but would it be
> possible to obfuscate the Tor bridge/relay addresses with their respective
> fingerprints, similar to the I2P network? I've often thought that this
> aspect of the I2P network is one that is implemented well. Perhaps
> Directory Authorities could perform fingerprint to address resolution? I
> think it would be extremely beneficial if neither bridge nor relay addresses
> were published in the wild. It would make great strides in further
> buffering the Tor network from various black-listing/censorship techniques.

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Actually, we shouldn't be giving any tips to the Chinese or Russian
governments. But they are already familiar with this:

You write 1000 emails from 1000 different accounts to get a few thousand bridge
addresses :wink:

On Thursday, December 16, 2021 12:43:09 PM CET meskio wrote:

>> The other thought is an attack via email. Can we do something with it,
>> what do you think?
>
> What do you mean about attack via email?

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Neel,

I get the security vs usability considerations between centralized vs decentralized (or in the case of Tor semi-decentralized) networks. However, at a minimum, doesn’t it make sense to exclude publishing address information from Tor metrics, etc., so as to stop giving censorship organizations a free handout? Force them to invest resources to set up distributed Tor relays to glean addresses asynchronously in the wild. As it stands, all they have to do is write a simple bot to extract the synchronously published data on a daily basis.

It seems to be an inherent obstacle in design attempting to anonymize a sub-network within an established known super-network.

Thank you for your response.

Respectfully,

Gary

This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)

  • 2 x Charmast 26800mAh Power Banks
    = iPhone XS Max 512GB (~2 Weeks Charged)

On 2021-12-22 22:42, Gary C. New via tor-relays wrote:

> I know it might be a fundamental change to the Tor network, but would
> it be possible to obfuscate the Tor bridge/relay addresses with their
> respective fingerprints, similar to the I2P network? I've often
> thought that this aspect of the I2P network is one that is implemented
> well. Perhaps Directory Authorities could perform fingerprint to
> address resolution? I think it would be extremely beneficial if
> neither bridge nor relay addresses were published in the wild. It would
> make great strides in further buffering the Tor network from various
> black-listing/censorship techniques.

The thing is, while Tor itself is decentralized, the directory authorities and fallback directories are not.

For a Tor client to bootstrap, you need a list of relays to be able to connect to. And in turn you have to contact the dirauths or the fallbacks.

While you could use an I2P-style or more recently blockchain-style setup, I believe there was a reason for Tor to use centralized dirauths.

I can't seem to find the article/FAQ right now, even though I had it a few years ago. I'm guessing it's to prevent malicious dirauths, unlike how Bitcoin could get manipulated by bad actors with a decentralized authority system.

> Respectfully,
>
> Gary

-Neel

I guess I'm not sure how this would work, for me as a user, when I launch tor browser? How do I obtain a bridge or an initial relay?

And as a trivially simple example, what stops an organization with government level resources from offering $10-$100 (in appropriate currency) to any citizen that adds a newly discovered bridge to their list?

On 2021-12-22 23:42, Gary C. New via tor-relays wrote:

> I know it might be a fundamental change to the Tor network, but would it be possible to obfuscate the Tor bridge/relay addresses with their respective fingerprints, similar to the I2P network? I've often thought that this aspect of the I2P network is one that is implemented well. Perhaps Directory Authorities could perform fingerprint to address resolution? I think it would be extremely beneficial if neither bridge nor relay addresses were published in the wild. It would make great strides in further buffering the Tor network from various black-listing/censorship techniques.

Regarding:

> And as a trivially simple example, what stops an organization with government level resources from offering $10-$100 (in appropriate currency) to any citizen that adds a newly discovered bridge to their list?

=> It’s basically an arms race. If bridges get burned fast, we can re-deploy them fast. I don’t have many bridges and they are still used well, but if they were getting flagged fast I’d have no problem to deploy a double-digit number of bridges and change all of their public IPs automatically weekly, daily, hourly or at whatever frequency is needed.

You can automatically deploy stuff like that quite easily with any large Cloud provider - preferably with multiple at the same time. They’d need to block entire IP ranges (hitting a significant portion of the internet) or keep fighting our automation with a lot of manual effort. Not sure who would be interested to play this game for an extended period of time. Even government level of funding has to show some kind of effect or the campaign will get shut down sooner or later.

Dave,

After corresponding with Neel and reviewing I2P’s obfuscating techniques in more detail, it does appear that I2P is blockchaining the fingerprint-to-host database to all garlic routers. What is not clear is whether said database is encrypted and secured from operators and only accessible by the garlic routers themselves?

My thoughts are… What if the Tor Network distributed encrypted fingerprint-to-host databases to browsers/bridges/relays during the bootstrap process, with Directory Authorities, that operators did not have access to? Such a process could be further segmented, so only a fraction of the browser/bridge/relay population would have a portion of the fingerprint-to-host database at any given time.

While you are correct in surmising that such obfuscation techniques still wouldn’t prevent organizations, with adequate resources, from eventually discovering browser/bridge/relay addresses, over the wire, it might slow their blacklisting/censorship efforts and provide browsers/bridges/relays with a longer shelf-life.

These thoughts are predicated on the Tor Network satisfying questions of security vs usability and opportunity vs cost.

I hope this sheds some light on my previous comment.

Respectfully,

Gary

“It seems to be an inherent obstacle in design attempting to anonymize a sub-network within an established known super-network.” –Gary C. New
