TORZON GATEWAY — NETWORK SECURITY REFERENCE
Defending the connectivity layer. ISP-level traffic analysis is what catches most users in restrictive jurisdictions, long before any application-layer concern enters the picture. This page documents what the Gateway does at the network edge — and what you should add to harden your own circuit.
Current Censorship Pressure
April–May 2026 saw an uptick in obfs4 IP enumeration in three high-censorship regions. Users in those areas should default to snowflake until the bridge directory rotation catches up.
FOUR LAYERS OF NETWORK DEFENCE
Each layer assumes the layer below has already been broken. Compose them and the upstream observer is left with opaque encrypted noise.
Pluggable Transport
obfs4 / snowflake / meek-azure rewrites the on-the-wire fingerprint of Tor traffic so DPI cannot identify it
Outer VPN Wrapper
A no-log VPN underneath Tor hides the bridge endpoint from your ISP and replaces it with generic VPN traffic
PGP-Signed Bridges
Every bridge bundle and mirror address is signed against fingerprint 8C71 4F25 … — no signature, no trust
Geographic Mirror Rotation
Three independent endpoints in disjoint AS paths — single-region throttling cannot take the marketplace offline
ONION ADDRESS & BRIDGE LINE VERIFICATION
Four checks before pasting anything into Tor Browser — and yes, all four are necessary in censored networks where phishing pressure spikes.
Verification Protocol
Onion addresses and bridge lines come only from torzon-gateway.guide. Bridge directories, "fresh link" paste sites, and censorship-help chatrooms are routinely seeded with malicious replacements that are activated the moment a national firewall rolls out new blocking.
A v3 onion address is exactly 56 base32 characters before .onion. A bridge line begins with the transport name (obfs4, snowflake or meek) followed by an IP, port, fingerprint and transport-specific arguments. Anything shorter or with extraneous fields is fake.
Apply our public key against the signed bundle. gpg --verify torzon-mirrors.txt.asc must report a good signature from fingerprint 8C71 4F25 6A93 D182 E574 B91C 3D67 8F45 A2D6 C918 — no other key is authorized.
Once the circuit completes, the marketplace login page should match the screenshots distributed in past news bulletins. Subtle phishing pages skim credentials before forwarding to the real site — close the tab on any visual anomaly and re-verify the address.
- "Fresh working bridge" posts in censorship-help chatrooms — bridge IPs that route through hostile guards
- QR-coded bridge bundles distributed without a PGP signature
- Clone Gateway sites at typosquatted domains (onion-torzon.cli, onion-tor2on.click)
- "Helpful" private messages offering a one-click bridge import file
PGP — THE CHAIN OF TRUST
The Gateway's PGP key is the anchor of every other claim on this site. If the fingerprint below does not match what your GnuPG client computes, do not trust anything else.
Why PGP Matters Here
Pretty Good Privacy is a public-key signing and encryption protocol. The Gateway uses it for two things: authenticating bridge bundles and onion address lists so a censored user can know they came from us, and encrypting support correspondence so even our mailbox provider cannot read sensitive connectivity reports. Within the marketplace itself, vendors and buyers use their own PGP keys for end-to-end messaging — that is documented separately under marketplace features.
Setting Up PGP for Verification
Windows: Gpg4win from gpg4win.org · macOS: GPG Suite from gpgtools.org · Linux: already installed (gpg --version)
Save the public key from this page to torzon-gateway.asc, then run gpg --import torzon-gateway.asc.
gpg --fingerprint <keyid> must print 8C71 4F25 6A93 D182 E574 B91C 3D67 8F45 A2D6 C918. Any mismatch means the key was tampered with — re-fetch the file before continuing.
Each bridge or mirror bundle ships as a detached signature. Run gpg --verify bundle.asc bundle.txt and only use bundles that report a good signature from the fingerprint above.
Torzon Gateway PGP Fingerprint
This fingerprint is the singular anchor of trust. It is reproduced on every page of this Gateway and on the marketplace login page once you reach it. Anywhere it does not match, treat the source as hostile.
SIX NETWORK-LAYER HABITS
What separates users who stay reachable from users who keep getting blocked.
Probe Before Each Session
Run a short Tor bootstrap test before paying attention to anything else. The blocking method on your network may have shifted since yesterday — what worked then may not now.
Keep a Backup Transport
Configure obfs4 as your primary and snowflake as a one-click fallback. Switching transports mid-session takes seconds; troubleshooting a single dead transport for an hour is unnecessary.
Verify Before You Paste
Every onion address, every bridge line, every bundle — validate the PGP signature against fingerprint 8C71 4F25 … before pasting it into Tor Browser. The minute you skip this is the minute phishing wins.
Consistent Identity Hygiene
A unique username for the marketplace, never reused on the surface internet. A fresh PGP key dedicated to Torzon. Any cross-contamination is a deanonymization vector regardless of how good the network layer is.
VPN Underneath Tor
In hostile jurisdictions a no-log VPN as outer wrapper is non-negotiable. The ISP sees only generic VPN traffic to a generic provider — not Tor-shaped traffic to a single odd endpoint for hours at a time.
Read the News Page
When a national firewall changes blocking technique, the Gateway news bulletin documents it within hours. Subscribing to the RSS feed is the fastest way to learn what transport stopped working and which one took its place.
SECURE THE CIRCUIT, REACH THE MARKETPLACE
The Gateway gives you the tools — bridge curation, transport coverage, signing keys. The discipline of using them every session is yours.