[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #30472 [Circumvention/Pluggable transport]: Implement a mechanism for PT reachability testing

#30472: Implement a mechanism for PT reachability testing
-----------------------------------------------+---------------------------
 Reporter:  phw                                |          Owner:  phw
     Type:  project                            |         Status:
                                               |  needs_review
 Priority:  High                               |      Milestone:
Component:  Circumvention/Pluggable transport  |        Version:
 Severity:  Major                              |     Resolution:
 Keywords:  reachability                       |  Actual Points:
Parent ID:  #30471                             |         Points:
 Reviewer:                                     |        Sponsor:  Sponsor19
-----------------------------------------------+---------------------------

Comment (by cohosh):

 Replying to [comment:7 phw]:
 > Replying to [comment:6 cohosh]:
 > > - A nicer way to express the timeout
 [https://github.com/NullHypothesis/obfs4PortScan/blob/master/handlers.go#L43
 here] would be
 > >  {{{ timeout := 3* time.Second }}}, but even better would be to set a
 commented constant at the beginning of the file.
 > [[br]]
 > Good point, fixed in the following branch:
 https://github.com/NullHypothesis/obfs4PortScan/tree/fix/30472
 I think the `timeout` input to
 [https://github.com/NullHypothesis/obfs4PortScan/blob/fix/30472/handlers.go#L70
 isTCPPortReachable] is redudant now.
 > [[br]]
 > > - Do you also want timestamps in your logs?
 > [[br]]
 > I would like to keep timestamps because they tell us how much (ab)use
 the service is seeing. Do you see any issues with timestamps?
 >
 As long as you're not logging IP addresses, this seems fine to me. You're
 also not exporting the data, it's mostly a consideration in the case that
 the machine or service is compromised. I don't see issues with an attacker
 getting ahold of the number of requests made and the times at which they
 are made. There are probably easier ways to find out whatever information
 they would hope to find out from these logs anyway.
 > On a related note: I noticed that the http package can log error
 messages that include the client's IP address. I included snowflake's safe
 logger to prevent this from happening.
 > [[br]]
 Oh good point, I'm glad the package is useful here.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30472#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs