New release: BridgeDB 0.7.1

by phw | June 10, 2019

Our users rely on bridges if their ISPs or governments block access to the Tor network. In essence, bridges are just private Tor relays that we hand out to users who need them. The difficulty lies in handing out bridges to censored users but not to censors. We are tackling this problem with the tool BridgeDB, which makes it easy to get some bridges, but hard to get many. BridgeDB allows users to request bridges over a web page, over email, and directly in Tor Browser.

We just released BridgeDB version 0.7.1, which comes with the following improvements:

  • From now on, users can no longer request bridges from a Yahoo email account, which fixes issue #28496. We believe that Yahoo fell behind in making it hard for spammers to create many email accounts, and it also has a feature that allows the creation of up to 500 disposable email addresses, which makes it easy for a censor to request a disproportionately large number of bridges. We therefore deactivated Yahoo, which leaves us with Gmail and Riseup as the email providers from which users can request bridges.
  • When the Great Firewall's active probing attack discovered a bridge, the GFW used to block the bridge by its IP address and port, which conveniently left other transport protocols that ran on the same IP address, say obfs4, reachable. This behavior changed recently, and bridges are now blocked by their IP address. This means that a protocol that is vulnerable to the GFW’s active probing attack (e.g., vanilla Tor, fte, and obfs3) can get the entire bridge blocked—including obfs4, which is resistant to active probing! The new BridgeDB release addresses this issue by only handing out a bridge’s probing-resistant protocols if the bridge supports protocols that are both vulnerable and resistant to active probing. For example, if a bridge supports both vanilla Tor and obfs4, then we only hand obfs4 to users.
  • We added new translations for BridgeDB and updated existing ones. Thanks to everybody who helped translate BridgeDB!
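
The filtering rule from the second item above, sketched in Python as an added example (this is not BridgeDB's own code). The `Bridge` class, the function names, the simplified bridge-line format and the sample addresses are assumptions made for illustration, and only obfs4 is classified as probing-resistant because it is the only protocol the post names as such.

```python
from dataclasses import dataclass, field

VANILLA = "vanilla"
# Assumption: obfs4 is the only protocol the post names as probing-resistant.
# Anything else is treated as vulnerable, so the rule fails closed.
PROBING_RESISTANT = {"obfs4"}


@dataclass
class Bridge:
    address: str                               # constructed sample address
    ports: dict = field(default_factory=dict)  # protocol name -> TCP port


def distributable_protocols(bridge):
    """Return the protocols of this bridge that may be handed to users."""
    offered = set(bridge.ports)
    resistant = offered & PROBING_RESISTANT
    if resistant and offered - resistant:
        # Mixed bridge: a probe against a vulnerable port would get the whole
        # IP address blocked, so only the resistant protocols are handed out.
        return sorted(resistant)
    # Only resistant or only vulnerable protocols: nothing to withhold.
    return sorted(offered)


def bridge_lines(bridge, requested=None):
    """Format simplified bridge lines (no fingerprint or transport options)."""
    lines = []
    for proto in distributable_protocols(bridge):
        if requested is not None and proto != requested:
            continue
        endpoint = f"{bridge.address}:{bridge.ports[proto]}"
        lines.append(endpoint if proto == VANILLA else f"{proto} {endpoint}")
    return lines


# Constructed sample bridges (documentation address range, hypothetical ports).
MIXED = Bridge("192.0.2.10", {VANILLA: 9001, "obfs4": 443})
VULNERABLE_ONLY = Bridge("192.0.2.11", {VANILLA: 9001, "obfs3": 8080})
RESISTANT_ONLY = Bridge("192.0.2.12", {"obfs4": 443})

if __name__ == "__main__":
    for b in (MIXED, VULNERABLE_ONLY, RESISTANT_ONLY):
        print(b.address, bridge_lines(b))
```

A request for vanilla Tor returns no line for the mixed bridge, while a bridge that offers only vulnerable protocols is still handed out unchanged.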

Unrelated to version 0.7.1, we heard that BridgeDB occasionally hands out bridges that are offline. We diagnosed this problem and noticed that several dozen obfs4 bridges are unreachable. If you’re running an obfs4 bridge, please make sure that both your vanilla Tor port and your obfs4 port are reachable. We set up a service that allows you to test if your obfs4 port is reachable.

Comments

Please note that the comment area below has been archived.

June 10, 2019

And so the Great Arms Race continues. I don't use bridges but just want to say a MASSIVE THANKS to all the Tor Team again for great and hard work on them and everything else.

June 12, 2019

Thanks to all involved in this urgently necessary work!

BTW, The Guardian (theguardian.com) has been running an excellent series on the huge protests in Hong Kong over the extradition bill, which violates the treaty under which UK returned HK to CN, and will effectively ruin the rule of law in the former British colony. I hope these bridge improvements will help the protesters to tell their stories directly by reaching social media outside China.

June 13, 2019

I never needed to use bridges, but today discovered that T-Mobile is blocking the bridges that Orbot on Android is using by default, as well as the cloud server options. I needed to use bridgedb to be able to connect successfully. Thank you for the work in keeping privacy and censorship prevention alive!

June 14, 2019

Urgent.

Please exclude and remove all relays and bridges that were set up in Hong Kong, because Hong Kong has been brought totally under the control of the CCP. All of the relays and bridges may be disguised by Gov-controlled people. HKers are being closely monitored and surveilled by the CCP. Hong Kong is no longer safe.

How is that different from other countries? Your local copy of tor encrypts 3 layers before sending to a guard or bridge. They can't see the contents, and the directory relays check them for consistency. Your exit nodes see the contents. Just make sure the first and last nodes are not monitored by the same people. Click the grey buttons on the diagram here: https://www.eff.org/pages/tor-and-https

June 19, 2019

> For example, if a bridge supports both vanilla Tor and obfs4, then we only hand obfs4 to users.

IMO, this shouldn't be allowed. Bridges rely on secrecy. If I knew my bridge IP was also a normal guard, I would think the operator is ignorant or malicious.

Although, it brings up an interesting question. If the bridge was not also a middle relay, then malicious middle relays could log the IPs that connect to it and compare the log to a list of public relays. IPs not in the list are likely bridges. To prevent such a comparison, maybe bridges should be middle relays but not guards. But then middle relays are public and could be blocked immediately. And relay flags can be checked. Ahh, complicated.

To be clear, a "vanilla Tor" bridge is still a bridge, meaning that it's not publicly distributed. "Vanilla Tor" only refers to the protocol that it speaks. Bridges can speak multiple protocols over different ports: vanilla Tor, obfs2, obfs3, obfs4, FTE, ...

June 21, 2019

Can't wait until DNS over TLS and ESNI become widely accepted. Then the Internet censorship by the governments is basically over.

I looked into this a while ago. I believe Protonmail makes it quite easy to create accounts, which makes me worried that it can be abused to get a large number of bridges. Then again, I realise that the same is possible with Gmail. One can buy plenty of Gmail accounts for little money. I am still undecided.

There is another question..... My Tor often turns into Firefox, and very often at that..... That is, the onion icon disappears..... I have to delete it and download it again.... What could be the reason? Just now I tried to go to your site from this newly appeared Firefox and nothing worked - "Прокси-сервер отказывается принимать соединения

Firefox настроен на использование прокси-сервера, который отказывает в соединении.

Проверьте настройки прокси-сервера и убедитесь, что они верны.
Свяжитесь с вашим системным администратором и убедитесь, что прокси-сервер работает." Why does this happen and what should I do?

June 30, 2019

Very nice information, this inspired me to update my 3 year old obfs4proxy binary. Not sure if that was needed, but just to be safe. Upgrading obfs4proxy is now quite easy these days :)
(I do not use a RedHat or Debian based Linux)

July 25, 2019

I am resident in Iran
I hope that you will be happy throughout your life
I would love to help you
But I can not send money to you from my country
Nevertheless, I would love to help you with this humanitarian project in any area you would like
My job is to build promotional clips, repair computer parts and support.
In the end I wish the best for all those in the project
Happy and good luck