apparently the developer for obfs4proxy does not want people to use his protocol because “it’s shelf-life expired years ago. No one should be using
it for anything at this point, and no one should have been using it
for anything for the past however many years since I first started
telling people to stop using it.”
Honestly, it is possible to create a better obfuscation protocol than obfs4, and it’s shelf-life expired years ago. No one should be using it for anything at this point, and no one should have been using it for anything for the past however many years since I first started telling people to stop using it.
People should also have listened when I told them repeatedly that there are massive issues in the protocol.
Do not ask me questions about this.
Do not use it in other projects.
Do not use it in anything new.
Use a prime order group instead of this nonsense especially if you are doing something new.
This issue would be better raised upstream to the Tor Project that they use a protocol not even recommended by the maintainer.
So if you write a warning about it on the bridges page, you should quote the maintainer’s rant entirely, but also note that Tor is still using it and that is why Whonix will still have the obfs4 bridge documentation.
No, it is much more probable that people will see if it is on the Bridges page.
Search for warnings through the wiki to get a reference on how to do one.
Also, I am not the one that is gonna decide if it is merged or not, it is not be Patrick, so maybe wait his response?
I think there problem here are the user expectations.
If there are strong hiding of Tor taking into account endless data retention with retroactive policing, then user expectations will not be met.
If however the expectation is a simple circumvention of ISP level censorship then many circumvention methods including obfs4 are still functional for many users.
However, when actually reading the Bridges or Hide_Tor_from_your_Internet_Service_Provider wiki page, that should already be abundantly clear. If not, please suggest why the existing wording doesn’t set the correct user expectations.
Author and maintainer of the Linux Tor Browser sandbox.
Related ticket where the maintainer is participating:
snowflake isn’t obfuscated either? Not sure if better or worse matters here. The hard question is, is snowflake claiming to be a censorship circumvention utility or a hide Tor utility? According to https://snowflake.torproject.org/ it’s a utility for censorship circumvention.
If you want to dig deeper, please ask upstream snowflake is designed be used in a threat model that includes endless data retention with retroactive policing.
The more harsh you ask, the less confident will be the answer. “I am one of the few people in North Korea with open internet access. If I get caught, I will end up in prison or worse. Do you recommend me to use snowflake?” - That’s just an example on how to ask in a very drastic way. Obviously please don’t lie about it and waste the developer’s time. I think you’ll have hard time finding a developer taking on (moral or legal) liability by saying “Sure, it’s absolutely safe.” Highly unlikely to happen.
Therefore I think “strong guarantee to hide Tor” (or any sort of traffic) or strong stenography will remain a pipe dream forever.
I already knew obfs4 was detectable for a big enough network actor, I just never read the maintainer of that project to talk about it like that. Hide Tor use from the Internet Service Provider
This seems more the correct page, yes, all good.
At time of writing obfs4 is the only obfuscation protocol listed on bridges.torproject.org/options and there are no better alternatives available for traffic obfuscation, to hide the fact that a user is using Tor.