[tor-bugs] #26240 [Core Tor/Tor]: Check Maxmind GeoIPLocation Database before distributing

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jun 16 00:13:49 UTC 2018 

#26240: Check Maxmind GeoIPLocation Database before distributing
--------------------------------------------+------------------------------
 Reporter:  jvsg                            |          Owner:  (none)
     Type:  defect                          |         Status:  new
 Priority:  Medium                          |      Milestone:  Tor:
                                            |  unspecified
Component:  Core Tor/Tor                    |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  GeoIP, Geoipdb, needs-proposal  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+------------------------------
Changes (by teor):

 * keywords:  GeoIP, Geoipdb => GeoIP, Geoipdb, needs-proposal


Comment:

 This idea needs a proposal. Here is our proposals process:
 https://gitweb.torproject.org/torspec.git/tree/proposals/001-process.txt

 Here is my feedback on your idea:

 I don't believe we can make an unreliable database into a reliable
 database, using other unreliable databases. The definition of "location"
 is ambiguous: it can mean the location of any company in the chain of
 companies owning the data center, or the physical location of the data
 center. Until providers fix the definition, the data will never be
 accurate.

 Also, providers don't care about server locations, because they're not
 used for advertising to consumers.

 Some providers will want you to pay for any use of their data, even if you
 only replace one maxmind location. So you should get a lawyer to read
 their licensing terms before you write your proposal.

 I have an alternative proposal:
 * stop relying on GeoIP for security-sensitive activities:
   * remove support for country codes in torrc options, or document them as
 unreliable
   * stop relying on countries in Sybil scanning
 * document all other uses (for example, in statistics and relay search) as
 informational only

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26240#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list