[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #9854 [Tor]: Removing or not sanitizing ContactInfo lines in bridge descriptors



#9854: Removing or not sanitizing ContactInfo lines in bridge descriptors
-------------------------+------------------------------
     Reporter:  karsten  |      Owner:
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:  Tor: unspecified
    Component:  Tor      |    Version:
   Resolution:           |   Keywords:  tor-bridge
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+------------------------------

Comment (by karsten):

 Here's what I asked a random subset of 20 bridge operators:

 > What did you expect when adding your email address to your bridge's
 configuration, and what did you not expect?  Can you pick one of the
 following three answers, please?
 > 1. "I didn't expect anyone to ever see that email address!"
 > 2. "I expected that only Tor people see that email address along with
 users of my bridge."
 > 3. "I'd actually be fine if anyone sees it, and I wouldn't mind if the
 address were contained in a public archive."
 > Note that there's no reply 1.5 "I expected that only Tor people see that
 email address, but users of my bridge should not see it."  This isn't
 possible by design, because bridge users need your bridge's descriptor
 which contains your contact information.  So, if this was what you had
 expected, please decide for either 1 or 2 above.

 Here's how bridge operators replied:
  1. 1 person replied 1.  The operator suspects that the provided email
 address was abused for spam, though I'm not convinced this is the really
 the case.  Probably coincidence.
  2. Nobody replied 2.
  3. 5 people replied 3.  One referred to the default torrc already
 containing a warning that Google indexes contact lines.  Another one
 argued that contact information is already effectively public, but only to
 a class of people where they don't control membership in that class
 (bridge users), so they wouldn't mind to include everyone else, too.
  4. 14 people did not respond.

 I'm leaning towards not sanitizing `contact` lines in bridge descriptors.
 But that requires a new discussion on tor-dev@, and it possibly requires
 re-processing the bridge descriptor archives.  I currently lack the time
 for either, but maybe I'll open a new ticket for this in a few months.

 For the moment, I'd like to make it clearer to bridge operators that their
 contact information is not kept secret.  Users of a bridge already know
 it, and should we decide to stop sanitizing that information, the whole
 world will know.

 How about we clarify the default torrc:

 {{{
 ## Contact info to be published in the directory, so we can contact you
 ## if your relay or bridge is misconfigured or something else goes wrong.
 ## We archive all descriptors containing these lines, and Google indexes
 ## this, so spammers might also collect it.
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9854#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs