[tor-bugs] #19060 [Core Tor/Tor]: Should SafeLogging hide bridge IP addresses in logs?

Sun May 15 19:22:37 UTC 2016

#19060: Should SafeLogging hide bridge IP addresses in logs?
------------------------------+--------------------------------
     Reporter:  teor          |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.2.???
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  029-proposed, easy
Actual Points:                |  Parent ID:
       Points:  small         |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 Bridge relay operators sometimes post logs containing their bridge's IP
 address.

 We could make this less likely by making `SafeLogging 1` (the default)
 filter bridge IP addresses in messages like:
 * "Your server (%s:%d) has not managed to confirm that its ORPort is
 reachable" ...
 * "Your server (%s:%d) has not managed to confirm that its DirPort is
 reachable" ...
 * "Now checking whether ORPort %s:%d"...
 * "and DirPort %s:%d"
 * anything else that lists a bridge's IP or fingerprint

 This could be implemented by creating safe_str_bridge and
 escaped_safe_str_bridge similar to safe_str and escaped_safe_str, but with
 a check if BridgeRelay is 1 as well. It would also need a tor manual page
 update that says that we escape bridge information when SafeLogging is
 anything besides "0".

 Or, we could add "bridge" to the options for SafeLogging, but that seems
 over-complicated, because we'd have to define 1 vs relay vs bridge
 semantics in a way that makes sense.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19060>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online