[tor-relays] We need bridges with iat-mode set to 1 and especially 2 as well!

Hi,

Setting up more and more obfs4 bridges is fine, but it literally took me 1 hour to get a bridge supporting iat-mode=2 through https://bridges.torproject.org (that is knowing how to circumvent the fingerprinting measures on that site, which are intended to make it harder for adversaries to get bridge IP’s), this is unacceptable as this is the only way I can connect to Tor in my country.

obfs4 has the possibility to obfuscate the packet size and timing of the underlying protocol it obfuscates, so why is almost no bridge using it?

A call for action is needed, additionally, please also add information about this to the “How to set up a Relay / Bridge” pages.

Please do something.

Regards,
Anonymous

Hi Anonymous,

I'm curious about in which country iat_mode is useful. Could you tell us?

You may have missed this discussion on the tor-relays mailing list:
https://lists.torproject.org/pipermail/tor-relays/2021-February/019370.html

best,
Gus

···

On Thu, Jan 20, 2022 at 01:52:28PM +0100, juckiuscaesar@web.de wrote:

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hi,</div>

<div>&nbsp;</div>

<div>Setting up more and more obfs4 bridges is fine, but it literally took me 1 hour to get a bridge supporting iat-mode=2 through https://bridges.torproject.org (that is knowing how to circumvent the fingerprinting measures on that site, which are intended to make it harder for adversaries to get bridge IP&#39;s), this is unacceptable as this is the only way I can connect to Tor in my country.</div>

<div>&nbsp;</div>

<div>obfs4 has the possibility to obfuscate the packet size and timing of the underlying protocol it obfuscates, so why is almost no bridge using it?</div>

<div>&nbsp;</div>

<div>A call for action is needed, additionally, please also add information about this to the &quot;How to set up a Relay / Bridge&quot; pages.</div>

<div>&nbsp;</div>

<div>Please do something.</div>

<div>&nbsp;</div>

<div>Regards,</div>

<div>Anonymous</div>
</div></div></body></html>

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead

1 Like

juckiuscaesar@web.de wrote:

Hi,
Setting up more and more obfs4 bridges is fine, but it literally took me 1 hour to get a bridge supporting iat-mode=2 through https://bridges.torproject.org (that is knowing how to circumvent the fingerprinting measures on that site, which are intended to make it harder for adversaries to get bridge IP's), this is unacceptable as this is the only way I can connect to Tor in my country.
obfs4 has the possibility to obfuscate the packet size and timing of the underlying protocol it obfuscates, so why is almost no bridge using it?
A call for action is needed, additionally, please also add information about this to the "How to set up a Relay / Bridge" pages.
Please do something.
Regards,
Anonymous

Running in iat-mode=2 requires more than editing the obfs4 bridge config in $DATADIRECTORY/pt_state ?

I wonder why it is not possible to have the bridge client negotiating the iat-mode when connecting to a bridge. So that all obfs4 bridges could run in iat-mode 0, 1 and 2. By reading the obfs4 spec I can see only these 3 possible values for iat-mode, is there any other?

1 Like

Hey,

I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

For all Bridge Admins:

You can turn change iat-mode with this config entry in your torrc:

ServerTransportOptions obfs4 iat-mode=2

Good Luck.

···

Gesendet: Donnerstag, 20. Januar 2022 um 14:32 Uhr
Von: "gus" <gus@torproject.org>
An: tor-relays@lists.torproject.org
Betreff: Re: [tor-relays] We need bridges with iat-mode set to 1 and especially 2 as well!
Hi Anonymous,

I'm curious about in which country iat_mode is useful. Could you tell us?

You may have missed this discussion on the tor-relays mailing list:
https://lists.torproject.org/pipermail/tor-relays/2021-February/019370.html

best,
Gus

On Thu, Jan 20, 2022 at 01:52:28PM +0100, juckiuscaesar@web.de wrote:

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Hi,</div>

<div>&nbsp;</div>

<div>Setting up more and more obfs4 bridges is fine, but it literally took me 1 hour to get a bridge supporting iat-mode=2 through https://bridges.torproject.org (that is knowing how to circumvent the fingerprinting measures on that site, which are intended to make it harder for adversaries to get bridge IP&#39;s), this is unacceptable as this is the only way I can connect to Tor in my country.</div>

<div>&nbsp;</div>

<div>obfs4 has the possibility to obfuscate the packet size and timing of the underlying protocol it obfuscates, so why is almost no bridge using it?</div>

<div>&nbsp;</div>

<div>A call for action is needed, additionally, please also add information about this to the &quot;How to set up a Relay / Bridge&quot; pages.</div>

<div>&nbsp;</div>

<div>Please do something.</div>

<div>&nbsp;</div>

<div>Regards,</div>

<div>Anonymous</div>
</div></div></body></html>

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like

juckiuscaesar@web.de wrote:

Hey,
  I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

For all Bridge Admins:

You can turn change iat-mode with this config entry in your torrc:

ServerTransportOptions obfs4 iat-mode=2

Good Luck.

Hello,

Wasn't that iat-mode can be used either at one side either at both sides?

E.g. if you use only at your side (client) iat-mode=2 but the bridge runs with iat-mode=0, then only your client will inject traffic but it might still be enough to bypass the filters of the censor.

Of course if both sides (client and bridge) use iat-mode=2 both sides contribute and offering a higher degree of obfuscation, but still, worth trying with just client set to iat-mode=2 and bridge set to iat-mode=0 just so we know here.

So, could you please get an obfs4 bridge from the usual location (bridges.torproject.org) that has a iat-mode=0 (like tha majority of course) and run it in your client with an overwritten iat-mode=2 setting, then tell us if it connects to Tor? This will let us know how helpful the current iat-mode=0 obfs4 bridges are for Iran.

I am spinning 10 new bridges within 24 hours with obfs4, ipv6, low ports and iat-mode=2 natively for Iran anyway, just because you mailed us, but still if you could try what I suggested and let us know it would be great.

Thank you, stay safe!

1 Like

Hey juckiuscaesar,

> because one person using Tor was sent to jail recently even though he did nothing wrong.

From the point of view of law or sharia, all people are guilty. But there is no law to criminalize those who use Tor. Unless there is evidence of criminal content in their device.

You should not store anything on your device. If this is not the case or the person has not set up a proxy on a server, and the trial only mentions the use of Tor, can you give me more information about him? Maybe I can help.

best regards,

Darvari

···

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

2 Likes

Hi,

I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

This look very serious. Can you share more information? There are many
HRD organizations from Iran that we can contact to follow up this case.

From where you get the advice that using bridges 'iat-mode=2' will
protect you? Can you link here?

Gus

···

On Mon, Jan 24, 2022 at 11:30:47PM +0100, juckiuscaesar@web.de wrote:

Hey,

I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

For all Bridge Admins:

You can turn change iat-mode with this config entry in your torrc:

ServerTransportOptions obfs4 iat-mode=2

Good Luck.

Gesendet: Donnerstag, 20. Januar 2022 um 14:32 Uhr
Von: "gus" <gus@torproject.org>
An: tor-relays@lists.torproject.org
Betreff: Re: [tor-relays] We need bridges with iat-mode set to 1 and especially 2 as well!
Hi Anonymous,

I'm curious about in which country iat_mode is useful. Could you tell us?

You may have missed this discussion on the tor-relays mailing list:
[tor-relays] Bridge operator iat_mode setting

best,
Gus

On Thu, Jan 20, 2022 at 01:52:28PM +0100, juckiuscaesar@web.de wrote:
> <html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
> <div>Hi,</div>
>
> <div>&nbsp;</div>
>
> <div>Setting up more and more obfs4 bridges is fine, but it literally took me 1 hour to get a bridge supporting iat-mode=2 through https://bridges.torproject.org (that is knowing how to circumvent the fingerprinting measures on that site, which are intended to make it harder for adversaries to get bridge IP&#39;s), this is unacceptable as this is the only way I can connect to Tor in my country.</div>
>
> <div>&nbsp;</div>
>
> <div>obfs4 has the possibility to obfuscate the packet size and timing of the underlying protocol it obfuscates, so why is almost no bridge using it?</div>
>
> <div>&nbsp;</div>
>
> <div>A call for action is needed, additionally, please also add information about this to the &quot;How to set up a Relay / Bridge&quot; pages.</div>
>
> <div>&nbsp;</div>
>
> <div>Please do something.</div>
>
> <div>&nbsp;</div>
>
> <div>Regards,</div>
>
> <div>Anonymous</div>
> </div></div></body></html>

> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> tor-relays Info Page

--
The Tor Project
Community Team Lead
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead

2 Likes

Yes is true, but this does not work, I think they use DPI devices and if obfs4 / underlying Tor signature is detected, a permanent block for that bridge is added to firewall rules. I tried this many times, only when both side have iat-mode=1 or 2, it is undetected.

If one side has iat-mode=0, internet service provider permanently blocks access to the subnet of the bridge IP (/24), even ICMP / ping don't work anymore for all 255 ip's.. it's sad.

Thank you for hosting bridges, really!! Please make 5 with iat-mode 1 and 5 with iat-mode 2, just in case one iat-mode get's blocked.

خداحافظ

···

Gesendet: Dienstag, 25. Januar 2022 um 12:36 Uhr
Von: "s7r" <s7r@sky-ip.org>
An: tor-relays@lists.torproject.org
Betreff: Re: [tor-relays] We need bridges with iat-mode set to 1 and especially 2 as well!
juckiuscaesar@web.de wrote:

Hey,

I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

For all Bridge Admins:

You can turn change iat-mode with this config entry in your torrc:

ServerTransportOptions obfs4 iat-mode=2

Good Luck.

Hello,

Wasn't that iat-mode can be used either at one side either at both sides?

E.g. if you use only at your side (client) iat-mode=2 but the bridge
runs with iat-mode=0, then only your client will inject traffic but it
might still be enough to bypass the filters of the censor.

Of course if both sides (client and bridge) use iat-mode=2 both sides
contribute and offering a higher degree of obfuscation, but still, worth
trying with just client set to iat-mode=2 and bridge set to iat-mode=0
just so we know here.

So, could you please get an obfs4 bridge from the usual location
(bridges.torproject.org) that has a iat-mode=0 (like tha majority of
course) and run it in your client with an overwritten iat-mode=2
setting, then tell us if it connects to Tor? This will let us know how
helpful the current iat-mode=0 obfs4 bridges are for Iran.

I am spinning 10 new bridges within 24 hours with obfs4, ipv6, low ports
and iat-mode=2 natively for Iran anyway, just because you mailed us, but
still if you could try what I suggested and let us know it would be great.

Thank you, stay safe!
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like

Hello,

today I heared he was released because his devices did not contain حَرَام / haram contents.

Thanks very much but I have to leave this mailing list now, I might re-join under a different e-mail provider I don't want to get detected and use tor only as little as possible to get uncensored news.

Bye bye brothers, peace for all.

···

Gesendet: Dienstag, 25. Januar 2022 um 14:51 Uhr
Von: "gus" <gus@torproject.org>
An: tor-relays@lists.torproject.org
Betreff: Re: [tor-relays] We need bridges with iat-mode set to 1 and especially 2 as well!
Hi,

I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

This look very serious. Can you share more information? There are many
HRD organizations from Iran that we can contact to follow up this case.

From where you get the advice that using bridges 'iat-mode=2' will
protect you? Can you link here?

Gus

On Mon, Jan 24, 2022 at 11:30:47PM +0100, juckiuscaesar@web.de wrote:

Hey,

I live in Iran. Can't disclose my ISP because one person using Tor was sent to jail recently even though he did nothing wrong.

For all Bridge Admins:

You can turn change iat-mode with this config entry in your torrc:

ServerTransportOptions obfs4 iat-mode=2

Good Luck.

Gesendet: Donnerstag, 20. Januar 2022 um 14:32 Uhr
Von: "gus" <gus@torproject.org>
An: tor-relays@lists.torproject.org
Betreff: Re: [tor-relays] We need bridges with iat-mode set to 1 and especially 2 as well!
Hi Anonymous,

I'm curious about in which country iat_mode is useful. Could you tell us?

You may have missed this discussion on the tor-relays mailing list:
[tor-relays] Bridge operator iat_mode setting

best,
Gus

On Thu, Jan 20, 2022 at 01:52:28PM +0100, juckiuscaesar@web.de wrote:
> <html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
> <div>Hi,</div>
>
> <div>&nbsp;</div>
>
> <div>Setting up more and more obfs4 bridges is fine, but it literally took me 1 hour to get a bridge supporting iat-mode=2 through https://bridges.torproject.org[https://bridges.torproject.org] (that is knowing how to circumvent the fingerprinting measures on that site, which are intended to make it harder for adversaries to get bridge IP&#39;s), this is unacceptable as this is the only way I can connect to Tor in my country.</div>
>
> <div>&nbsp;</div>
>
> <div>obfs4 has the possibility to obfuscate the packet size and timing of the underlying protocol it obfuscates, so why is almost no bridge using it?</div>
>
> <div>&nbsp;</div>
>
> <div>A call for action is needed, additionally, please also add information about this to the &quot;How to set up a Relay / Bridge&quot; pages.</div>
>
> <div>&nbsp;</div>
>
> <div>Please do something.</div>
>
> <div>&nbsp;</div>
>
> <div>Regards,</div>
>
> <div>Anonymous</div>
> </div></div></body></html>

> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays[https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays]

--
The Tor Project
Community Team Lead
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays[https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays]
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

--
The Tor Project
Community Team Lead
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like

Yes is true, but this does not work, I think they use DPI devices and if
obfs4 / underlying Tor signature is detected, a permanent block for that
bridge is added to firewall rules. I tried this many times, only when both
side have iat-mode=1 or 2, it is undetected.

If one side has iat-mode=0, internet service provider permanently blocks
access to the subnet of the bridge IP (/24), even ICMP / ping don't work
anymore for all 255 ip's.. it's sad.

Thank you for hosting bridges, really!! Please make 5 with iat-mode 1 and 5
with iat-mode 2, just in case one iat-mode get's blocked.

Done, 16 days ago. :wink:
A few dozen more are coming in 2-3 weeks.

···

On Tuesday, January 25, 2022 11:29:31 PM CET juckiuscaesar@web.de wrote:

خداحاف

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

1 Like