On Mon, Feb 03, 2014 at 11:17:19AM +0100, Karsten Loesing wrote:
- Globe runs full fingerprints through SHA-1 on the server.
- The Globe server learns a lot of bridge fingerprints, which
makes it a juicy target, because bridge fingerprints can (in the future?) be used to fetch bridge descriptors containing bridge addresses.
- This variant is really easy to implement.
This one sounds good to me. You could even check both the fingerprint you get and its SHA1, so people who get the Javascript won't be sharing their bridge fingerprint with you, and then this issue is limited to the folks who don't want to run javascript.
(I had no idea that Globe was doing this Javascript trick on the client side, so I figured it was a straightforward security decision on my part, "is it worthwhile to look up this bridge fingerprint, even though it tells Globe about the fingerprint?" And I think that's a decision that most people are able to make.)
(Also, you say 'in the future?' above, but I think it can happen right now -- if you ask Tonga about a bridge fingerprint, it will give you the corresponding descriptor. Unless we disabled that on the Tonga side when I wasn't looking.)
- Globe does not run full fingerprints through SHA-1 on the server
and instead forwards everything to Onionoo.
- Not only the Globe server, but also the Onionoo server learns
bridge fingerprints.
Yeah, this doesn't seem like a good option.
- We teach users that they shouldn't copy their original bridge
fingerprint into the Globe search window. For example, we could tell them the single line of Python they need to run their fingerprint through SHA-1. While they might have "spoiled" their first bridge, they'll know for their other bridges.
- Nobody will understand the above.
Well, I guess technically we could offer this too -- that way smart users have the possibility to pre-SHA1 their fingerprint before doing the search. And if Globe checks both, then it should just work either way. (Except, what if the users pre-SHA1 their fingerprint, but then they run the javascript that SHA1's it again? Does that mean Globe should check two hashes deep? Hrm.)
- Tor prints out the SHA-1 fingerprint to its logs or to a
hashed-fingerprint file.
- Bridge users who know to read the fingerprint file can as well
read the hashed-fingerprint file or the logs. We could even add a link "How do I search for my bridge" to the Globe page and explain to look out for that file or read the logs.
- Only very few people will find that file or click the link.
We'll have to do either 1 or 2 in addition to 3.
I guess I don't object to this option, but I think you're right that it isn't a big win.
- Sanitized bridge descriptors contain original fingerprints.
- It will be a lot easier to search for bridges if it works the
same way as searching for relays.
- The sanitizing process will be easier.
- We lose the option to enable bridge clients to update their
bridge descriptors by sending the bridge fingerprint to the bridge authority.
- This is going to keep me busy for a while for updating the
various metrics code that expects SHA-1 fingerprints rather than original fingerprints. I can do that though.
That doesn't sound like a good tradeoff either.
Thanks! --Roger