[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Few questions about bridges ?


#1
  1. Is there a way to see the IP of bridge I’m connecting to ?
  2. Anon connection wizard have preinstalled bridges, you can click obfs4,obfs3 or meek. Does the list of bridges that whonix use differs from that one that Tor Browser use or they are same? If they are different whonix users can be identified. Should I consider changing bridges to non-default bridges ?
  3. Should I use different bridges for different identities ?

#2

Hi ToxicTaco

  1. If you’re using Whonix 14 you can use Onion Circuits to check the status of Tor and see the relays/brige in use.
  2. The list of bridges do differ from any other bridges used with Tor.
  3. You should using multiple Whonix-Workstations to separate your different identities

There are certain corner cases in which different bridges should be used.

https://whonix.org/wiki/Tor#Guard_Fingerprinting


#3

Hi ToxicTaco!

The obfs3/4 bridges used by anon-connection-wizard is a subset of bridges used by TBB with all the IPv6 bridges removed.

The meek bridge used by anon-connection-wizard is using the same bridge server as TBB, but with the different implementation of protocol called meek_lite rather than meek.

Both arm and onion circuits will not display the IP of a bridge, but will display the IP of a Tor vanilla replay. I guess you may need to use a network traffic monitor to see the IP of a bridge when a set of bridges are configured to be used.


#4

I should have been more specific in my answer. When using onion circuits, the first entry under “circuits” is the bridge you’re using. If you click on that, you will see the bridge fingerprint in the right hand side. You can compare that fingerprint, to that of the bridge lines in /usr/local/etc/torrc.d/40_anon_connection_wizard.conf. Since each bridge line comes with an IP address, just match the fingerprint to the bridge line and the corresponding IP address.


#5

0brand:

I should have been more specific in my answer. When using onion circuits, the first entry under “circuits” is the bridge you’re using. If you click on that, you will see the bridge fingerprint in the right hand side. You can compare that fingerprint, to that of the bridge lines in /usr/local/etc/torrc.d/40_anon_connection_wizard.conf. Since each bridge line comes with an IP address, just match the fingerprint to the bridge line and the corresponding IP address.

Great point, 0brand! It was my mistake that I didn’t take the
fingerprint into account!

The process you described can be compacted into one command in
Whonix-Gateway 14:

anon-verify -v | grep "FINGERPRINT"


#6

No, the mistake was all mine. The way I answered the question wasn’t helpful and didn’t answer the OP’s question. Thanks for pointing that out. :+1:


#7

Thank you for your help.

What is Tor vanilla relay ?

Does bridges change every 10 minutes just like the exit note ?


#8

This is a term I made up. It is just that Tor entry relay that is publicly known, contrary to the Tor bridges that are not listed in public.

My understanding is only one bridge is specified, you will it forever until the bridge server is down. If multiply bridges are set, then the Tor will try to find one that is accessible (though I don’t know the specific algorithm used to select the bridge from a set of them).


#9

If multiply bridges are set then Tor will choose one bridge until the end of session or it will change the bridge after some time ? What bridge Tor will get net time(another session) same bridge or a different one ?

Should I change bridges to custom public known bridges or better stay with default one so my bridges don’t differ from bridges of a regular Tor user ?


#10

Hi ToxicTaco

iry answered that

The bridges used in anon-connection-wizard by are publicly know bridges.

Are you referring to (custom) private obfs bridges? These bridge addresses are not published to the bridge authority. You would have to either:

  • Know someone (a trusted friend) who runs a private bridge and is willing to allow you access.
  • Set up a VPS and run your own private obfs bridges.

Private obfs bridges are better able to circumvent censorship since they are not published. If you run your own bridge or have a trusted friend it may be safer i.e. not a malicious bridge. However, if you or your friend don’t know what you are doing (configuration, locking down VPS, location, hosting company etc.) it could be a security issue.


#11

I’m referring to public bridges from torproject website. Or it’s better to use default Tor Browser/Whonix bridges because most of people are using them?

In documentation it says a ISP or a Global Adversary see when user is connected to Tor and might be able when user is connecting to bridges. Is there a chance that ISP/Global adversary might be able to see connections to private obfs bridges ?

But you need to trust the hosting, so here it’s exact situation like with VPN>Tor. Here you need to trust hosting company, VPN>Tor you need to trust company that sells VPN


#12
  • Built-in bridges: worst, best usability if they work
  • torproject.org bridges: worse, ok usability if they work
  • private (unlisted) bridges: best if they work, worst usability

ToxicTaco:

Is there a chance that ISP/Global adversary might be able to see connections to private obfs bridges ?