[tor-bugs] #12537 [BridgeDB]: Perhaps BridgeDB should supply decoys

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jul 5 19:18:17 UTC 2014 

#12537: Perhaps BridgeDB should supply decoys
--------------------------+------------------
     Reporter:  andrea    |      Owner:  isis
         Type:  defect    |     Status:  new
     Priority:  normal    |  Milestone:
    Component:  BridgeDB  |    Version:
   Resolution:            |   Keywords:
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+------------------

Comment (by bastik):

 As I see it, the user requesting the bridges can't tell the decoys apart
 from the actual bridges or the extracting adversary would be able do to
 the same.

 (I was expecting China to do this extraction, but not the USA. China might
 still do it, too.)

 What's the clients (probably only relevant for TB) current behavior for
 entering decoys (as well as working bridges)? Like, will there be a
 warning to the user that 3 out of 6 bridges didn't respond?

 Some of the randomly generated addresses (most in IPv4 will, in IPv6 not
 so much) will be actually in use. Is it nice to put the machines (and
 operators/owners) behind those IP addresses in a database?

 Considering the adversary is adapting its filter by only keeping entires
 in the database that get repeatedly extracted, since the real addresses
 aren't changing all that often, but random addresses are possibly random
 all the time, I think that BridgeDB should generated decoys at random and
 send the same decoys to multiple users. It shouldn't refresh the decoys
 too often.

 End of ticket related content.

 (The NSA and whoever else might watch me for posting to the Tor mailing
 lists, or running bridges, which got my name attached to them, or just for
 connecting to the network or simply visiting this website, but that's what
 I put myself into.)

 (I don't want to open another ticket, because I think it's not worth it,
 but it is related. Since Tor users are expected to check the signature of
 their Tor (or TB) copy with PGP, bridge requesting users could provide
 their public-key in the message body or as attachment and BridgeDB sends
 an encrypted email to them. It's not worth it in my eyes, because PGP has
 to be deployed on the server and fed with user-provided input, in normal
 case the key, which has to be stored at least temporary, what's not making
 me that sad since the adversary would be able to extract the key from the
 email in the first place. The major downside is that if it is optional,
 the adversary will get the bridges from those that do not make use of this
 feature. And if it is forced, this makes it much more difficult for people
 to get bridges. In the case someone things this is still a good idea, I
 don't think that, but I would not mind to open a ticket.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12537#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list