There are some organizations (e.g. Emerald Onion) that list bridges publicly on their website. I assume these are probably not as useful for circumventing censorship the way regular bridges are.
Let’s say I’m not being censored though, and I trust Emerald Onion more than the average relay operator. Does it make sense for me to use “trusted” bridges like these instead of having a public guard randomly selected for me?
And if so, is this something we should encourage similar relay operators to host as well, so that people can make more of an effort to avoid potentially malicious guard nodes on their own?
Well first of all, publishing Bridges on a Website is against the purpose of these, they can’t make it easier for countries where there is Censorship to block them.
If you are in a non-censored country, there is no need to use a Bridge, in fact Tor advises against it to avoid workload.
It makes no sense to use bridges in a non-censored country, Tor already had malicious Relays at one time and they have mechanisms to detect “evil” Nodes.
If hypothetically you are not in a country with censorship, and you still want to use a Bridge to enter, my recommendation is that you deploy a non-public one on a VPS and use it only for yourself.
Taking into account that we are talking about almost 5000 Guard Nodes as of today, no, I would not make that recommendation. I think you have to trust the operators, besides it is not so easy or obvious to modify a Node to filter traffic.
I am more concerned about an unnamed surveillance organization controlling many nodes and then being able to correlate traffic.
The only recommendation or encourage I would make in case of concern about Malicious Nodes is to create a Bridge for Personal use and not make it public since in this case I see two benefits:
The Bridge is yours and you know it is totally trustworthy
If you do not control the entry point to the Tor Network, there is no way to relate traffic even if you control several nodes of a Circuit.
The solution is “entry guards”: each Tor client selects a few relays at random to use as entry points, and uses only those relays for their first hop. If those relays are not controlled or observed, the attacker can’t win, ever, and the user is secure. If those relays are observed or controlled by the attacker, the attacker sees a larger fraction of the user’s traffic - but still the user is no more profiled than before. Thus, the user has some chance (on the order of (n-c)/n) of avoiding profiling, whereas they had none before.
My theory is that there are in fact some relay operators (e.g. Emerald Onion) who are more trustworthy than others, perhaps because they operate more transparently, or for some other reason you can judge them by yourself.
I think if that’s true, then it follows that you should intentionally force your guard node to be one which is run by one of those operators you consider trustworthy, to further avoid profiling & minimize the threat of an attacker-controlled guard.
So I’m asking whether that’s a valid use-case for bridges being published on a website like in the example I gave above, or if public bridges just don’t make sense at all.
There is insufficient data for profiling if TLS encryption is involved.
So if you are visiting HTTPS websites, any browser already adds an encryption layer. That means, the request already arrives encrypted at the guard relay.
Only the destination server is able to decrypt the first layer added by the browser.
None of the relays or bridges are able to do this. That applies for the opposite direction too.
And if you are visiting unencrypted websites, it’s insecure independent of whether you are using the tor network or not.
Yes, your thoughts are correct. I do that too. Including the use of my own Guards & Bridges.
If you use vanilla bridge lines, not obsf4, then these bridges are just like guard nodes.
Trusted vanilla bridges or trusted Guards in EntryNodes are the same in your Tor circuit.
No. Emerald was a special case because they had problems with their exits.¹ And they published some bridge lines. It is also possible that these were in the bridge list of the crazy guy called ‘scriptzteam’ on Github. In that case the IPs were public anyway.
¹The Tor exits are working again.
In general for non-hidden bridges, BridgeDistribution should remain at default = any. Rdsys selects the appropriate mechanism for distributing bridges. In some cases, it also selects the countries in which the bridge line will not be delivered.