This repository has been archived by the owner on Jun 4, 2021. It is now read-only.
Use random ports for Tor ORPort and obfs4 port #1610
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Addresses the issue raised in StreisandEffect#101 to try and mitigate Tor bridges being easily discoverable by Internet-wide scans (Tor bridges usually use port 9001, Streisand installs have been using 9443/8443 for a while and have somewhat of a "fingerprint")
… into randomize-tor-ports
nopdotcom
added
area/tor
kind/feature
kind/privacy
status/needs-testing
Frichetten
approved these changes
Aug 12, 2019
|
bump since this was modified after approval. i'd really like this change merged:). @Frichetten ping? |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is my attempt to address the issue raised in #101 to mitigate Streisand Tor bridges being discoverable by Internet-wide scans on ports 9443/8443 by randomizing Tor's listening ports. The original issue and dev post to the mailing list mostly talks about port 9001 which is apparently the most commonly used ORPort (Tor recommends changing it in their obfs4 setup guide). These days whenever I see public Tor bridges I'm usually seeing 9443, 8443, or 443 in many cases too. I wrote these changes to avoid using any of those ports (it chooses a random port between 1024-32768, while excluding commonly used ports and Streisand's services ports) and hopefully discourage at least some percentage of Internet-wide scans checking for Tor bridges on those ports. Though I'd imagine a scan/fingerprinting is still feasible, it'd be at least somewhat more cost-prohibitive since you'd have a much larger list of ports to probe, especially if you're only targeting "Tor" bridges and not "A-Streisand-Server-possibly-running-Tor".
Thinking about something like this more longterm though, I thought about maybe making changes to (optionally?) randomize all of Streisand's ports (SSH, VPNs/tunnels, etc.) to try and reduce the overall "Streisand" fingerprint even more, and perhaps make that a prompt/option for users. I don't know if such an option would be desired but I'm more than happy to take a stab at it if anyone has any thoughts around that!