[tor-bugs] #26778 [Core Tor/Tor]: Enable supporting multiple bridge authorities

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 19 15:47:41 UTC 2018 

#26778: Enable supporting multiple bridge authorities
-------------------------------------------------+-------------------------
 Reporter:  chelseakomlo                         |          Owner:  (none)
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-bridges needs-testing? needs-    |  Actual Points:
  proposal?                                      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by chelseakomlo):

 Replying to [comment:5 gman999]:
 > >A bridge should be able to select a bridge authority from the list of
 authorities, where multiple >bridge authorities can be represented, and
 try one at a time until it is able to successfully upload >its descriptor.
 >
 > I thought the data was being *pushed* by the bridge authority, not
 pulled.

 The bridge authority pushes data to BridgeDB, but bridges themselves push
 data to the bridge authority, iiuc.


 > Ultimately, if I'm reading this right, it's:
 >
 > * a single bridge authority, which lessens opportunity for bridge
 discovery, yet becomes a single point of failure.

 I would add a single bridge authority increases probability for single
 point of failure. This could have any number of causes- maybe the plug is
 pulled on the server, the operator gets run over by a bus (hopefully not),
 or the server is DDOSed/attacked/etc. Regardless, having some spread in
 case of failure, IMO, would be ideal.


 > * multiple bridge authorities, with increases chance of bridge
 discovery, but decentralized and more resilient.

 I'm not sure I understand how multiple bridge authorities increases the
 chance of bridge discovery. If an adversary can discover/query one bridge
 authority, how does this limit bridge discovery as opposed to an adversary
 being able to discover/query multiple authorities? As I understand, we
 want to minimize the number of entities which hold the complete list of
 bridges as holding this data in itself is risky, but adding more
 authorities shouldn't make bridges more discoverable to external entities
 (as I understand, please correct me if I'm wrong).


 > Maybe reworking through the threat model on bridge discovery and past
 experiences could be worthwhile to make a more informed decision on this?

 That sounds good to me, I would be interested to hear about past
 experiences as well.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26778#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list