Connecting to my own bridge

Motivation: reduce risk of malicious guard relays.
Suggestion: Run my own bridge. On a VPS, purchased anonymously. Then configure Whonix Gateway to connect through that bridge.

Pros and cons?

This is a great idea. But the malicious guard relays risk is insignificant. IMHO.

In this way you will be able to use your stable bridge and obfuscate traffic (hide Tor usage).

1 Like

Your bridge will not become part of the public list of Tor bridges. That can be helpful for censorship circumvention, i.e. the adversary is not able to see your bridge on the public list.

2 Likes

Correct @xuy, but when the same malicious entity also controls a few exit relays (or any kind of site reached by the user) and performs correlation attacks, over time the risk of deanonymization is I believe significant.

For example, an operator of an onion site that requires registration, who also runs say 10 guard nodes. Over say 2 years, IPs of a significant percentage of the users might be discovered.

Now with Whonix the risk is probably less severe.

I don’t need any gui so ssh will do.

You could also just run a normal (non-exit) relay. iirc it takes a while to become an official guard node but you could probably still force tor to use your entry node. When running a relay there are also more people using the connection compared to a bridge which maybe only you use.
Also when you host your stuff somewhere else the operator can see at least where you come from and that you use tor. Of course on a VPS it is also easy to see everything that's going on on your machine. So it also depends if you trust your VPS provider.

1 Like

Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards.

Read more and sources: Configure (Private) (Obfuscated) Tor Bridges

Do you think hosting your own Tor bridge is kinda transforming your Tor middle relay into your “Tor entry guard”?

Related to Vanguards briefly multiple layers of guards were mentioned.

//cc @HulaHoop


@barbara:

Some rhetorical questions. How do you select a trustworthy VPS provider? And how do you pay for it without having that linked to you? See:

I don’t trust anyone, ISPs, VPNs, VPS providers etc. I don’t assume the VPS provider doesn’t peek into what I do, but I assume they are different and unrelated to any malicious entity running guard / exit Tor nodes. Just based on the large number of hosting services.

Anonymous payment: I am aware of the issues and am actually quite confident about this point. For the sake of discussion let’s assume this point is covered.

I’m not sure I understand your point here.

It’s probably not a smart thing to use one’s own bridge, because it defeats the purpose of circumventing censorship. However it can be good for plausible deniability if the guard is compromised.

In fact it was discussed on the tor dev list that using bridges is a good technique to protect oneself from malicious guards generally even if they don’t belong to you.

On the other hand, if you are also running a middle node and you chose it as your bridge then there is a chance you are exposing more of your traffic to a network chokepoint affecting your anonymity.

2 Likes

Perhaps it’s a stupid or obvious question:

If you set up a Tor Bridge on a VPS, can you connect to Tor using this bridge from the VPS?

No gui, so, for example:

torsocks wget someoniionsite.onion

Whonix → (using SSH) → VPS → Tor (using our bridge)

Tor → VPS → Tor

Looks like Tor over Tor. But say, just for testing purposes that the bridge works? Say if you don’t want to expose your IP to the VPS just yet? Not touching Whonix gateway configuration.