Tor only tries the first bridge in the stack
Current design
In the current design, we're using a mix of "bridge" singular (because only 1 bridge can be used at a time) and "bridges" plural (because we allow entering several possible bridges).
Connection | Bridges | Bot | Add |
---|---|---|---|
In practice, Tor only tries using the first bridge of the list. If this bridge line doesn't work, it does not fallback on the second line.
This behavior is consistent in Tor VPN and Tor Browser.
For example, both fail to connect with these 2 bridge lines:
obfs4 6.6.6.6:666 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0
obfs4 51.222.13.177:80 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0
The tor client, unlike Tor Browser, tries to use the use the last bridge line in /etc/torrc
and falls back on the previous bridge line only if the last bridge line is malformed; not if the last bridge line is a well-formed but nonexistent bridge.
The following configuration fails:
Bridge obfs4 51.222.13.177:80 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0
Bridge obfs4 6.6.6.6:666 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0
The following configuration falls back on using 51.222.13.177:80:
Bridge obfs4 51.222.13.177:80 5EDAC3B810E12B01F6FD8050D2FD3E277B289A08 cert=2uplIpLQ0q9+0qMFrK5pkaYRDOe460LL9WHBvatgkuRr/SL31wBOEupaMMJ6koRE6Ld0ew iat-mode=0
Bridge obfs4 6.6.6.6:666
So, in practice, there is no real benefit for the user to enter several bridge lines right now.
User research findings
During the usability tests of Tor VPN 0.6.2 (#tpo/ux/research#69 (closed)), 3/6 participants thought that all the relays were bridges. 2 of them didn't understand that Tor uses several intermediaries, but 1 already knew that Tor used 3 intermediaries and still call them all "bridges".
More in general, the network model of Tor was very badly understood. The simpler the language and UI around bridges, the easier it will be for users to succeed circumventing censorship.
Idea
What about talking about a single bridge consistently and only allow configuring a single bridge at a time?
It would simplify the language (singular vs. plural) and help people understand that there is a single bridge in practice.
If their bridge doesn't work, we should make it very easy to replace (just like we should make it very easy to get a bridge in the first place).