This repository has been archived by the owner on Jun 4, 2021. It is now read-only.
Use random ports for Tor ORPort and obfs4 port #1610
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is my attempt to address the issue raised in #101 to mitigate Streisand Tor bridges being discoverable by Internet-wide scans on ports 9443/8443 by randomizing Tor's listening ports. The original issue and dev post to the mailing list mostly talks about port 9001 which is apparently the most commonly used ORPort (Tor recommends changing it in their obfs4 setup guide). These days whenever I see public Tor bridges I'm usually seeing 9443, 8443, or 443 in many cases too. I wrote these changes to avoid using any of those ports (it chooses a random port between 1024-32768, while excluding commonly used ports and Streisand's services ports) and hopefully discourage at least some percentage of Internet-wide scans checking for Tor bridges on those ports. Though I'd imagine a scan/fingerprinting is still feasible, it'd be at least somewhat more cost-prohibitive since you'd have a much larger list of ports to probe, especially if you're only targeting "Tor" bridges and not "A-Streisand-Server-possibly-running-Tor".
Thinking about something like this more longterm though, I thought about maybe making changes to (optionally?) randomize all of Streisand's ports (SSH, VPNs/tunnels, etc.) to try and reduce the overall "Streisand" fingerprint even more, and perhaps make that a prompt/option for users. I don't know if such an option would be desired but I'm more than happy to take a stab at it if anyone has any thoughts around that!