commit f80033f8496b8cda8f032932c0200a7c8f7fe825
Author: Isis Lovecruft isis@torproject.org
Date: Sat Feb 21 23:05:32 2015 +0000
Don't insert bridges in NO_DISTRIBUTION_COUNTRIES into the hashrings.
When two-letter country codes are given in the bridgedb.conf option NO_DISTRIBUTION_COUNTRIES, e.g.:
NO_DISTRIBUTION_COUNTRIES = ['IR', 'SY']
and a Bridge parsed from the descriptor files is found to be geolocated in one of these countries, we skip adding that Bridge to the hashrings entirely.
* FIXES #12843 https://bugs.torproject.org/12843
* TODO We could add these blacklisted Bridges to their own hashring of Undistributables which are never to be distributed to real clients.
Potentially, we could distribute these Undistributables to adversaries which are definitely not real clients, as a form of supplying adversaries with decoys (see #12537). By doing so, we would be handing an adversary which is probably some intelligence agency's bridge enumeration program (e.g. part of the NSA and GCHQ's HOMING TROLL and XKEYSCORE programmes) bridges which are run by another intelligence agency (presumedly واجا (VAJA) and/or إدارة الأمن العام) in order to gather information about the clients connecting to them (presumedly hoping that someone from their jurisdiction would use the bridge). Thus, in the best case scenario, feeding each agency false (albeit trivially discoverable as false) information on the other and — in the worst case scenario — simply being an annoyance by breaking things for both parties.
However, the current organisation of the hashring structures is not really amenable to adding hashrings for Undistributables — at least not in any way that safely guarantees that they wouldn't end up in some bucket or such intended for real clients (which would defeat the whole purpose of this patch). Because of this concern, using Undistributables as decoys is not yet feasible.
---
 lib/bridgedb/Main.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/bridgedb/Main.py b/lib/bridgedb/Main.py index 9317760..d0698c0 100644 --- a/lib/bridgedb/Main.py +++ b/lib/bridgedb/Main.py @@ -198,10 +198,17 @@ def load(state, splitter, clear=False): inserted = 0 logging.info("Inserting %d bridges into splitter..." % len(bridges)) for fingerprint, bridge in bridges.items(): - # We attempt to insert all bridges. If the bridge is not running, then - # it is skipped during the insertion process. - splitter.insert(bridge) - inserted += 1 + # Skip insertion of bridges which are geolocated to be in one of the + # NO_DISTRIBUTION_COUNTRIES, a.k.a. the countries we don't distribute + # bridges from: + if bridge.country in state.NO_DISTRIBUTION_COUNTRIES: + logging.warn("Not distributing Bridge %s %s:%s in country %s!" % + (bridge, bridge.address, bridge.orPort, bridge.country)) + else: + # If the bridge is not running, then it is skipped during the + # insertion process. + splitter.insert(bridge) + inserted += 1 logging.info("Done inserting %d bridges into splitter." % inserted)
if state.COLLECT_TIMESTAMPS:
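Review bot: The check `if bridge.country in state.NO_DISTRIBUTION_COUNTRIES:` in the new loop body fails open. It is an exact, case-sensitive match, so a bridge whose `bridge.country` is empty, unresolved, or in a different case from the configured codes (the commit message shows upper-case `['IR', 'SY']`) falls through to `splitter.insert(bridge)` and is distributed. Nothing in this hunk shows that `state.NO_DISTRIBUTION_COUNTRIES` is always set, so please confirm it defaults to an empty list when the option is absent from bridgedb.conf. I would normalise both sides to one case before comparing, and say in the comment what should happen to a bridge with no geolocation result. Two smaller points on the same lines: `logging.warn` is the deprecated alias of `logging.warning`, and the message writes the address and ORPort of every skipped bridge to the log on each `load()`, so consider whether bridge addresses belong in the log at this level and whether a single count of skipped bridges next to the "Done inserting" message would serve better.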
tor-commits@lists.torproject.org