[tor-bugs] #7550 [BridgeDB]: BridgeDB email responder is not interactive
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jun 29 14:17:52 UTC 2013
#7550: BridgeDB email responder is not interactive
----------------------+-----------------------------------------------------
Reporter: aagbsn | Owner:
Type: defect | Status: needs_information
Priority: normal | Milestone:
Component: BridgeDB | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------+-----------------------------------------------------
Comment(by aagbsn):
Replying to [comment:7 sysrqb]:
> Replying to [comment:6 aagbsn]:
> > Replying to [comment:5 sysrqb]:
> > > Replying to [comment:4 asn]:
> > > > Also, what is the point of rate limiting in BridgeDB? A user with
a single IP shouldn't be able to get more than a bunch of bridges anyway,
right?
> > >
> > > Right, maybe aagbsn (or arma, nickm, Karsten) have a better answer,
because within a single time period we should return the same bridges.
That being said, maybe the rate limiting is to reduce the number of emails
bridgedb needs to process by disincentivizing users spamming it? I don't
see a reason for bridgedb to respond to multiple emails within the time
period if it will be responding with the same bridges each time.
> >
> > This. We also see a barrage of requests over HTTPS.
> >
> > Sadly, the attackers/scrapers simply register "creative" names
(somename0001 at gmail.com, somename0002 at gmail.com .. somename0020 at gmail.com)
and keep at it.
> >
> > Any ideas? Text CAPTCHA? ASCII-art cats?
> >
> > --Aaron
>
> Hrm, I do like the ASCII-art catz idea, that might do the trick.
>
> OTOH, I think if we make some progress with #7520 (however it's
designed) and require some sort of earned token/credit, then I think this
is a step in the right direction. If we assume accounts for this social
distributor are a limited resource, then (short of compromised
account/impersonation/malicious users) we'll be able to drop all
unauthenticated requests and spamming/abuse will be linkable. Originally,
restricting requests to specific domains *was* an okay solution, but the
justification really is not as applicable anymore, afaict. I feel like
this is veering OT for this ticket, however. (sorry)
>
> So, thoughts? More interactive email responder is good/bad? (choose one)
I think that #7520 is likely to be a longer term project (several months
at least), and would be a separate distributor from the current email
distributor -- BridgeDB allocates fractions of its bridges to different
distribution strategies, we evaluate which bridges see more use, and in
turn allocate larger amounts of bridges to those strategies.
Any strategy for making bridge scraping harder buys a window of time and
we learn what the response time of the scrapers (and, their abilities).
Btw, another item we might want to add is exposing the rate that bridges
are served via each distributor, so we can graph the data and see how
effective any scraping mitigation actually are.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7550#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list