[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5684 [Metrics Data Processor]: Should we stop sanitizing nicknames in bridge descriptors?



#5684: Should we stop sanitizing nicknames in bridge descriptors?
------------------------------------+---------------------------------------
 Reporter:  karsten                 |          Owner:     
     Type:  enhancement             |         Status:  new
 Priority:  normal                  |      Milestone:     
Component:  Metrics Data Processor  |        Version:     
 Keywords:                          |         Parent:     
   Points:                          |   Actualpoints:     
------------------------------------+---------------------------------------

Comment(by karsten):

 Replying to [comment:6 bastik]:
 > Replying to [comment:5 karsten]:
 > > How can a user decide if a dev cannot?
 >
 > They would know if relay and bridge name share a naming scheme.

 In order to make this decision, operators would have to understand that
 they should use a different scheme for naming their bridges than for their
 relays.  As I said on tor-dev, that's yet one more thing to tell them, and
 it's likely going to generate support requests for no good reason.

 > > I'd guess that 95% of bridge operators would never see this option and
 the remaining 5% wouldn't know how to set it right. That would make the
 data almost unusable for counting EC2 bridges and for Atlas, and we'd
 generate support requests for no good reason.

 This is the case for newly created EC2 images.  It doesn't apply to
 existing EC2 images which are not updated.  We'd also not learn about past
 statistics, and this wouldn't help Atlas at all.  All in all, this config
 option is a usability nightmare that leaves us with mostly useless
 statistics.

 > > No, we should decide whether we can safely include all original
 nicknames, and if not, we should keep sanitizing all of them.
 >
 > For my understanding you, the Tor people, can't do that. Names can be
 changed. How to define safe?

 I think this is something developers ''have'' to decide, not users.  Note
 that this isn't about a single bridge that can be located via nickname
 similarity.  It's about not letting the attack become successful enough to
 make it attractive.  If the adversary could locate 1% of bridges via
 nickname similarity, they probably wouldn't care.  Also, if we can double
 the number of bridges by getting more funding for EC2 bridges and making
 it easier for operators to check how their bridge is doing via Atlas,
 that's a win.

 > Please don't feel "forced" to reply. I really don't want to start a
 discussion here.

 Oh, discussion is good.  Please feel free to post any thoughts you have
 either here or on tor-dev.  I'm not at all trying to kill the discussion.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5684#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs