[tor-bugs] #1938 [Tor Bridge]: UpdateBridgesFromAuthority dangerous
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Feb 23 00:24:43 UTC 2011
#1938: UpdateBridgesFromAuthority dangerous
------------------------+---------------------------------------------------
Reporter: arma | Owner:
Type: task | Status: new
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor Bridge | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Description changed by arma:
Old description:
> Now that we've fixed #1138, it might be tempting to start distributing
> identity fingerprints along with our bridge addresses again, so clients
> can try the bridge authority for the descriptor.
>
> In retrospect, though, the plan of "first go to the centralized place
> that is easily associated with being a Tor bridge user, then if it's
> unreachable go directly to the bridge for its descriptor" is unwise.
>
> In practice we should go to our bridges directly for their descriptor,
> and if we learn no descriptors, fail closed. Then, for the bridges that
> we've configured but didn't get a descriptor for, we can ask the bridge
> authority *via Tor* if it happens to know a newer descriptor for them.
>
> We'll have an opportunity to make things more robust once we get going on
> #1852.
>
> In the mean time, we should continue to avoid putting fingerprints on
> bridge addresses. (I believe Vidalia still sets
> UpdateBridgesFromAuthority for you when you configure a bridge.)
New description:
Now that we've fixed #1138, it might be tempting to start distributing
identity fingerprints along with our bridge addresses again, so clients
can try the bridge authority for the descriptor.
In retrospect, though, the plan of "first go to the centralized place that
is easily associated with being a Tor bridge user, then if it's
unreachable go directly to the bridge for its descriptor" is unwise.
In practice we should go to our bridges directly for their descriptor, and
if we learn no descriptors, fail closed. Then, for the bridges that we've
configured but didn't get a descriptor for, we can ask the bridge
authority *via Tor* if it happens to know a newer descriptor for them.
We'll have an opportunity to make things more robust once we get going on
#1852.
In the mean time, we should continue to avoid putting fingerprints on
bridge addresses. (I believe Vidalia still sets
!UpdateBridgesFromAuthority for you when you configure a bridge.)
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1938#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list