[tor-bugs] #29448 [Obfuscation/BridgeDB]: Provide a dir-spec implementation that serves sanitised descriptors
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 12 15:12:25 UTC 2019
#29448: Provide a dir-spec implementation that serves sanitised descriptors
----------------------------------+-----------------------------------
Reporter: irl | Owner: sysrqb
Type: project | Status: needs_information
Priority: Low | Milestone:
Component: Obfuscation/BridgeDB | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------------+-----------------------------------
Comment (by karsten):
Replying to [comment:2 irl]:
> Is it currently possible for someone to operate their own CollecTor
instance and archive bridge descriptors? The answer is no unless they are
syncing from our CollecTor instance.
That's true, but it's also an okay answer. If we wanted to fix just this,
we could run a separate CollecTor instance with just the bridge descriptor
sanitize on a separate host and have everyone (including us) sync from
that. (I'm not suggesting we do that.)
> We have access to bridge IPs, which is sensitive information, regardless
of whether or not we publish that information. This is a violation of not
handling sensitive information.
While I'd prefer not to handle sensitive information, I don't consider
this a violation of a principle. Of course, if the BridgeDB folks would
run this sanitizing code, that would mean that fewer people have access to
sensitive information. While this is preferable, I wouldn't say that the
current setup is bad per se.
> > So, the goal here is basically to extract the sanitizing code from
CollecTor and put it on the BridgeDB host, probably rewritten in a
different language. Right?
>
> Yes.
>
> > However, I can also see the downsides: code complexity of BridgeDB
will suddenly increase, and whoever runs BridgeDB has one more complex
thing to take care of.
>
> We do get the benefit that we no longer have to handle bridge IPs and
things are more reproducible. It is also easier for people to run testing
BridgeDBs with a testing CollecTor instance. It is also easier for people
to run their own production BridgeDBs that we can see statistics of (which
is a goal that has been previously discussed, to reduce reliance on the
single BridgeDB instance and allow orgs to set up their own).
Agreed on these.
However, in the course of adding more pros and cons, I'd like to add
another aspect: years ago we had to give up on collecting bridge pool
assignments because the BridgeDB folks back then didn't care enough. It
would be sad to lose sanitized bridge descriptors because BridgeDB
suddenly gets less attention than it should. Syncing unsanitized
descriptors seems like a minimal thing that BridgeDB folks can keep up
over a long time. If they need to do more, maybe they'll at some point
stop doing it at all.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29448#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list