Authentication for proxy--bridge connections
An DDoS attack surface was brought up in discussion on IRC yesterday (and has been talked about to some extent before).
To summarize the issue: The Snowflake bridge accepts websocket connections from any other endpoint (this is in part necessary because anyone can be a proxy and we want as many proxies as possible and the more ephemeral they are, the harder it is for a censor to block all of them)
This means that an malicious party with the ability to distribute malicious javascript can have unsuspecting clients execute javascript that makes a websocket connection to the bridge and use the Tor network to upgrade their websocket connection to a plain TCP connection.
This basically allows someone to use Tor in order to perform DDoS attacks on TCP services, using malicious javascript as the attack vector. While the effectiveness of this attack probably wouldn't be that good (all the attack traffic would be congested through the single Snowflake bridge), it could provide a way for a censor to more easily DDoS Snowflake itself.
We could provide some kind of authentication step involving the bridge, broker, and snowflake proxy.