Hi bridge address distribution people, hi bridge status website developers, hi bridge operators,
here's a problem that recently came up when Christian and I discussed making Globe a JavaScript-free website.
The current Globe uses client-side JavaScript to detect if the user entered a 40-character hex fingerprint. In that case, it runs the input through SHA-1 and sends only the digest to the Onionoo service. That's why Onionoo supports four cases and does not support a fifth case (number 3 below): 1. original relay fingerprint: return the matching relay, because it might have been a different client than Globe that sent the request and did not run the fingerprint through SHA-1; 2. SHA-1 of relay fingerprint: return the matching relay, too, because this could have been Globe running the original relay fingerprint through SHA-1; 3. original bridge fingerprint: don't return anything, because Onionoo should not see original bridge fingerprints at all; 4. SHA-1 of bridge fingerprint: return the matching bridge, because not all clients are like Globe and might not run fingerprints through SHA-1; and 5. SHA-1 of SHA-1 of bridge fingerprint: return the matching bridge that the user was looking for when they put in the SHA-1 fingerprint which was then converted to the SHA-1 of the SHA-1.
That's what the current Globe can do, because it uses JavaScript on the client side. But the new server-side Globe cannot do that! And I don't have a good solution yet. Here are some ideas, each of them having pros (-) and cons (+):
1. Globe runs full fingerprints through SHA-1 on the server. - The Globe server learns a lot of bridge fingerprints, which makes it a juicy target, because bridge fingerprints can (in the future?) be used to fetch bridge descriptors containing bridge addresses. + This variant is really easy to implement.
2. Globe does not run full fingerprints through SHA-1 on the server and instead forwards everything to Onionoo. - Not only the Globe server, but also the Onionoo server learns bridge fingerprints. + We teach users that they shouldn't copy their original bridge fingerprint into the Globe search window. For example, we could tell them the single line of Python they need to run their fingerprint through SHA-1. While they might have "spoiled" their first bridge, they'll know for their other bridges. - Nobody will understand the above.
3. Tor prints out the SHA-1 fingerprint to its logs or to a hashed-fingerprint file. + Bridge users who know to read the fingerprint file can as well read the hashed-fingerprint file or the logs. We could even add a link "How do I search for my bridge" to the Globe page and explain to look out for that file or read the logs. - Only very few people will find that file or click the link. We'll have to do either 1 or 2 in addition to 3.
4. Sanitized bridge descriptors contain original fingerprints. + It will be a lot easier to search for bridges if it works the same way as searching for relays. + The sanitizing process will be easier. - We lose the option to enable bridge clients to update their bridge descriptors by sending the bridge fingerprint to the bridge authority. - This is going to keep me busy for a while for updating the various metrics code that expects SHA-1 fingerprints rather than original fingerprints. I can do that though.
What do you think?
All the best, Karsten