[tor-bugs] #3292 [Analysis]: Should bridge users care if their bridge changes fingerprint?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu May 26 08:17:39 UTC 2011
#3292: Should bridge users care if their bridge changes fingerprint?
----------------------+-----------------------------------------------------
Reporter: arma | Owner:
Type: task | Status: new
Priority: normal | Milestone:
Component: Analysis | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------+-----------------------------------------------------
We have an increasing set of situations where the user configures a bridge
address that isn't actually the address of the place running the Tor
program.
In scenario 1, we have a bridge running at point X, but addresses A and B
both route to it, and the user types either A or B into her Vidalia bridge
list.
In scenario 2, there's a bridge at point X and another bridge at point Y,
and addresses A and B point to one of these bridges and fallback to the
other as needed.
That sounds great for robustness, but if you configure your bridge at
address A, and it forwards traffic to the bridge at address X which has
fingerprint X, and then later it starts forwarding its traffic to address
Y which has fingerprint Y, your Tor client will scream murder and stop
using the bridge you've configured as A.
What exactly are we protecting against by refusing to use the network when
A's fingerprint changes? Is that something we want to keep allowing users
to protect against, or can we just change Tor to ignore wrong fingerprints
on its bridge?
As a bonus, relaxing our security requirements here would let us tolerate
SSL cert replacement attacks at the firewall -- so long as the attacks
still allow us to talk our Tor protocol underneath.
This topic is related to #2764.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3292>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list