[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Bridge status website



Hi Karsten,

first of all, I really like this proposal. Giving bridge users some
information on usage to play with will likely encourage them to keep
it running.

On Wed, May 26, 2010 at 1:02 PM, Karsten Loesing
<karsten.loesing@xxxxxxx> wrote:

> Bridge operators find a non-secret identifier in their logs or Tor data
> directory. This identifier is the bridge identity hash. They can enter
> this identifier on a public website and learn (a) whether their bridge
> is marked in the most recent bridge network status as
> Running/Stable/etc., (b) how many users the bridge had from which
> countries in the past 24 hours, (c) whether the bridge is given out via
> https/email/etc., (d) how much bandwidth was utilized in the past 24
> hours, and so on. The assumption is that all of this information is
> already public or will be made public in the future. The website may
> contain the most recent information plus, say, a 30-day history
> displayed in graphs. Bridge operators can bookmark this website and
> share it with others without revealing the IP address or raw identity of
> their bridge.

I wonder whether (b) is a good idea. Say I am Sir John McEvil and I
want to learn something about which IP address belongs to which
bridge: All I gotta do is iterate connections from some obscure
countries to certain bridges and check the stats later on.

Similar reasoning could go for (d) but I think bandwidth usage is
harder to track.

> - Can we publish the pool assignments from BridgeDB saying which bridge
> identity hashes are contained in which pool? This information would also
> be useful for researchers to learn more about blockings. What risks are
> there in making this information public?

By intuition I don't really like disclosing pool assignments.
"Researchers" learning about blockings could also be Chinese firewall
engineers. They shouldn't be able to tell if that mail traffic they
listened in on just now that contained some IP address/port
combinations actually helped them block 5 bridges from the 'private'
pool.

I guess I'd like to keep the information we give out as small as
possible, e.g. only give out bandwidth usage (d) and network status
infos (a) from that list above.

I'd like to add something else instead: Giving out information about
which bridge is known to be blocked in which country maybe? I know
that feature isn't in BridgeDB yet, but it is on my TODO-list for it.
I don't see much risk in disclosing this information, but it'd bring
some sort of awareness and also offers data for researchers.

Thanks,
/C