[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] bridge:// URI and QR codes

To: tor-dev <tor-dev@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-dev] bridge:// URI and QR codes
From: "Nathan Freitas" <nathan@xxxxxxxxxxx>
Date: Wed, 20 Jul 2022 13:15:29 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 20 Jul 2022 13:16:08 -0400
Feedback-id: i6a1040f5:Fastmail
In-reply-to: <165831850633.4475.7557438809114375670@localhost>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <165816284178.3197.11555974087175189132@localhost> <2171285.DyMDfk1abI@com> <165831850633.4475.7557438809114375670@localhost>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Cyrus-JMAP/3.7.0-alpha0-755-g3e1da8b93f-fm-20220708.002-g3e1da8b9


On Wed, Jul 20, 2022, at 8:01 AM, meskio wrote:
> Quoting Torsten Grote (2022-07-19 14:54:01)
>> On Monday, 18 July 2022 13:47:21 -03 meskio wrote:
>> > What do you think of the proposal? How can we improve it?
>> 
>> A slightly unrelated question:
>> 
>> Was there any consideration about deanonymization attacks by giving the user a 
>> bridge controlled by the attacker? I worry that those get more likely when 
>> getting bridges via links and QR codes becomes normalized.
>> 
>> Apart from the source IP address of the user and their Tor traffic pattern, is 
>> there anything else an attacker can learn from operating the bridge?
>
> At least from my side there was not consideration on this topic yet. Thank you 
> for bringing it, I think is a pretty valid concern and we should do some 
> planning on it.
>
> I wonder if we should only accept bridge URIs/QR codes when the user 
> clicks on 
> 'add bridges' inside the tor related app. Or will be enough to accept 
> bridge 
> URIs on any moment but communicate to the user clearly what is 
> happening and ask 
> them for confirmation. We should never change the bridge configuration 
> silently 
> from a bridge URI without any user intervention.
>
> I think we should add something about it to the "Recommendations to 
> implementers" on the proposal.

I believe in Orbot today we do promote the user after they scan a code or click on a bridge link. Definitely agree there should be that step.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] bridge:// URI and QR codes
  - From: Nathan Freitas

References:
- [tor-dev] bridge:// URI and QR codes
  - From: meskio
- Re: [tor-dev] bridge:// URI and QR codes
  - From: Torsten Grote
- Re: [tor-dev] bridge:// URI and QR codes
  - From: meskio

Prev by Author: [tor-dev] bridge:// URI and QR codes
Next by Author: Re: [tor-dev] bridge:// URI and QR codes
Previous by thread: Re: [tor-dev] bridge:// URI and QR codes
Next by thread: Re: [tor-dev] bridge:// URI and QR codes
Index(es):
- Author
- Thread