GitLab

pluggable transports mimic normal traffic like http. an adversary who is scanning all http traffic in his country could make a list of all the http servers that produce legit amounts of traffic. he then scans all the servers and exclude those which provide legit services. the only servers left now are bridges and a few hidden or password protected services.

he then can block the connection and wait if the client connects to a similar service. if he does the adversary can repeat and collect more bridges until the user gives up.

this could be prevented if the bridge provided an actual service. but this cannot be something like a generic website because it could easily be identified. if the bridge provided a reverse proxy instead then a real web service could be connected. it would look like normal load balancing or normal hosting if the site was only available under the bridge ip.

Trac:
Username: elypter