[tor-bugs] #31011 [Core Tor/Tor]: Make the bridge authority reject private PT addresses when DirAllowPrivateAddresses is 0

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 15 09:08:39 UTC 2019 

#31011: Make the bridge authority reject private PT addresses when
DirAllowPrivateAddresses is 0
-----------------------------------------------+---------------------------
 Reporter:  teor                               |          Owner:  (none)
     Type:  defect                             |         Status:  new
 Priority:  Medium                             |      Milestone:  Tor:
                                               |  unspecified
Component:  Core Tor/Tor                       |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  anti-censorship-roadmap-september  |  Actual Points:
Parent ID:  #31009                             |         Points:  1
 Reviewer:                                     |        Sponsor:
                                               |  Sponsor28-can
-----------------------------------------------+---------------------------
Changes (by teor):

 * cc: phw (added)


Comment:

 I think we need to know how many bridges are affected by this issue,
 before we can make this decision.

 Replying to [comment:7 cjb]:
 > Replying to [comment:1 arma]:
 > > Another option here is to leave the bridge authority alone, and teach
 bridgedb that if there's an internal address in the extrainfo descriptor,
 it should swap it out in favor of the public address in the descriptor.
 > >
 > > Then once the #31009 fix is sufficiently deployed, it shouldn't matter
 anymore.
 > >
 > > (That way we could make use of the current obfs4 bridges even if they
 haven't upgraded yet.)
 >
 > I think I could volunteer to work on this ticket, but it looks like we
 still need to decide what to do.  Options:

 There's a tradeoff here, so maybe we should ask the anti-censorship team
 what they'd like.

 > 1) as in the summary, bridgeauth just refuses descriptors with internal
 addresses

 Rejecting descriptors means we have fewer bridges, until those bridges
 upgrade tor versions.
 But those bridges are more likely to have correct addresses.
 (Changing to an address the operator didn't provide means that port
 forwarding might not be set up.)

 > 2) arma's suggestion, bridgedb transforms internal addresses to external

 This option has the opposite tradeoff: more bridges, fast to deploy,
 potentially wrong data.

 > 3) Could we also consider having bridgeauth itself, rather than bridgedb
 downstream, perform that transformation?  Or perhaps there's a reason why
 that's not a good idea?

 I'm not sure if we can do this, because extra-info descriptors are signed
 by the bridge.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31011#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list