Our users rely on bridges if their ISPs or governments block access to the Tor network. In essence, bridges are just private Tor relays that we hand out to users who need them. The difficulty lies in handing out bridges to censored users but not to censors. We are tackling this problem with the tool BridgeDB, which makes it easy to get some bridges, but hard to get many. BridgeDB allows users to request bridges over a web page, over email, and directly in Tor Browser.

We just released BridgeDB version 0.7.1, which comes with the following improvements:

From now on, users can no longer request bridges from a Yahoo email account, which fixes issue #28496. We believe that Yahoo fell behind in making it hard for spammers to create many email accounts, and it also has a feature that allows the creation of up to 500 disposable email addresses, which makes it easy for a censor to request a disproportionately large number of bridges. We therefore deactivated Yahoo, which leaves us with Gmail and Riseup as the email providers from which users can request bridges.

When the Great Firewall's active probing attack discovered a bridge, the GFW used to block the bridge by its IP address and port, which conveniently left other transport protocols that ran on the same IP address, say obfs4, reachable. This behavior changed recently, and bridges are now blocked by their IP address. This means that a protocol that is vulnerable to the GFW’s active probing attack (e.g., vanilla Tor, fte, and obfs3) can get the entire bridge blocked—including obfs4, which is resistant to active probing! The new BridgeDB release addresses this issue by only handing out a bridge’s probing-resistant protocols if the bridge supports protocols that are both vulnerable and resistant to active probing. For example, if a bridge supports both vanilla Tor and obfs4, then we only hand obfs4 to users.

We added new translations for BridgeDB and updated existing ones. Thanks to everybody who helped translate BridgeDB!

Unrelated to version 0.7.1, we heard that BridgeDB occasionally hands out bridges that are offline. We diagnosed this problem and noticed that several dozen obfs4 bridges are unreachable. If you’re running an obfs4 bridge, please make sure that both your vanilla Tor port and your obfs4 port are reachable. We set up a service that allows you to test if your obfs4 port is reachable.