[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #1938 [Tor Bridge]: UpdateBridgesFromAuthority dangerous



#1938: UpdateBridgesFromAuthority dangerous
------------------------+---------------------------------------------------
 Reporter:  arma        |          Owner:                    
     Type:  task        |         Status:  new               
 Priority:  major       |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Bridge  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------
Description changed by arma:

Old description:

> Now that we've fixed #1138, it might be tempting to start distributing
> identity fingerprints along with our bridge addresses again, so clients
> can try the bridge authority for the descriptor.
>
> In retrospect, though, the plan of "first go to the centralized place
> that is easily associated with being a Tor bridge user, then if it's
> unreachable go directly to the bridge for its descriptor" is unwise.
>
> In practice we should go to our bridges directly for their descriptor,
> and if we learn no descriptors, fail closed. Then, for the bridges that
> we've configured but didn't get a descriptor for, we can ask the bridge
> authority *via Tor* if it happens to know a newer descriptor for them.
>
> We'll have an opportunity to make things more robust once we get going on
> #1852.
>
> In the mean time, we should continue to avoid putting fingerprints on
> bridge addresses. (I believe Vidalia still sets
> UpdateBridgesFromAuthority for you when you configure a bridge.)

New description:

 Now that we've fixed #1138, it might be tempting to start distributing
 identity fingerprints along with our bridge addresses again, so clients
 can try the bridge authority for the descriptor.

 In retrospect, though, the plan of "first go to the centralized place that
 is easily associated with being a Tor bridge user, then if it's
 unreachable go directly to the bridge for its descriptor" is unwise.

 In practice we should go to our bridges directly for their descriptor, and
 if we learn no descriptors, fail closed. Then, for the bridges that we've
 configured but didn't get a descriptor for, we can ask the bridge
 authority *via Tor* if it happens to know a newer descriptor for them.

 We'll have an opportunity to make things more robust once we get going on
 #1852.

 In the mean time, we should continue to avoid putting fingerprints on
 bridge addresses. (I believe Vidalia still sets
 !UpdateBridgesFromAuthority for you when you configure a bridge.)

--

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1938#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs