[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Flaw in bridge descriptor sanitizing process

To: or-dev@xxxxxxxxxxxxx
Subject: Flaw in bridge descriptor sanitizing process
From: Karsten Loesing <karsten.loesing@xxxxxxx>
Date: Tue, 11 Jan 2011 09:12:36 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Tue, 11 Jan 2011 03:12:44 -0500
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx
User-agent: Mutt/1.5.18 (2008-05-17)

Hi everyone,

back in Nov 2009, I posted our approach to sanitize bridge descriptors
before publishing them for everyone to analyze:

  http://archives.seul.org/or/dev/Nov-2009/msg00000.html

Now I found a flaw in this process that affects roughly 2.5 % of bridge
descriptors:  When a bridge is configured to use the default exit policy,
it adds a reject line containing its own IP address which we don't
sanitize.  Here's an example of a sanitized bridge descriptor.  Note that
I manually sanitized part of the bridge's IP address with '---' here!

  router Unnamed 127.0.0.1 9001 0 8030
  platform Tor 0.2.1.28 (r6e5496a2407ee589) on FreeBSD i386
  opt protocols Link 1 2 Circuit 1
  published 2010-12-21 17:59:41
  opt fingerprint 16D6 49EA 83CF 23A1 BAD3 90DC 921E E83F 310A CC7F
  uptime 64
  bandwidth 51200 102400 0
  opt extra-info-digest F2BD0C7AB741648D9CFC982C790B9221B8C04516
  opt hidden-service-dir
  contact somebody
  reject 0.0.0.0/8:*
  reject 169.254.0.0/16:*
  reject 127.0.0.0/8:*
  reject 192.168.0.0/16:*
  reject 10.0.0.0/8:*
  reject 172.16.0.0/12:*
  reject 80.---.--.---:*       <--- bridge's IP address
  accept *:21
  accept *:23
  accept *:80
  accept *:110
  accept *:143
  accept *:443
  reject *:*

The fix is to replace the bridge's IP address in reject lines with
127.0.0.1, too.  See this commit for details:

  https://gitweb.torproject.org/metrics-db.git/commitdiff/e9d42a8

I started sanitizing the bridge descriptors since May 2008 once again, but
this takes at least another week to finish.  Here are the newly sanitized
bridge descriptors:

  https://metrics.torproject.org/data.html#bridgedesc

Can other people look at the sanitized descriptors and try to find other
sensitive parts (IP addresses, fingerprints, contact information, etc.)
that we should remove?  It took me 1 year to find this flaw, and I only
found it by chance when refactoring the code.  More eyes needed!

Thanks,
Karsten

Prev by Author: Re: RFC/proposal for Thandy changes
Next by Author: Publishing sanitized bridge pool assignments
Previous by thread: Re: Draft document and notes from rransom: requirements for circuit crypto
Next by thread: Re: Arm Release 1.4.1
Index(es):
- Author
- Thread