[tor-bugs] #9854 [Tor]: Removing or not sanitizing ContactInfo lines in bridge descriptors
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 30 14:56:04 UTC 2013
#9854: Removing or not sanitizing ContactInfo lines in bridge descriptors
-------------------------+------------------------------
Reporter: karsten | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: unspecified
Component: Tor | Version:
Resolution: | Keywords: tor-bridge
Actual Points: | Parent ID:
Points: |
-------------------------+------------------------------
Comment (by wfn):
At least as far as I (as a very-small-time bridge operator, i.e.) am
concerned, I'm fine with option 2, i.e.
> We decide this information is important and that we should have it
> available more easily. We don't remove the ContactInfo line when we
> sanitize bridge descriptors.
Perhaps there's some critical vulnerability and all bridge operators
should upgrade as soon as possible (they should of course follow Tor-vuln-
related news anyway); etc.
I don't know what other bridge operators put in the ContactInfo; perhaps
someone with access to non-sanitized descriptors could try and browse
through a representative sample, to see if anyone is including any
critical info (e.g. perhaps there are mail addresses with a domain that
resolves to the IP address used by the bridge; someone could scrape over
bridges from Onionoo / descriptors (when they include ContactInfo), and
try extracting some exit IPs; probably highly unlikely though / doesn't
sound plausible?)
Is any kind of harassment possible (someone extracts email addresses from
sanitized bridge descriptors, etc.) - should bridge operators be left to
be as anon as possible? (They should be ready for this kind of thing
anyway, I suppose.) Many social impure parameters.
TL;DR option 2 is worth some discussion, IMHO.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9854#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online