[tor-bugs] #30768 [Applications/Tor Browser]: Add hashed fingerprints to torrc when configuring bridges
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jun 6 11:56:22 UTC 2019
#30768: Add hashed fingerprints to torrc when configuring bridges
--------------------------------------+-------------------------------
Reporter: irl | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor30-can
--------------------------------------+-------------------------------
Comment (by irl):
As a sponsor got added here, I'll add a comment on priority for this.
Most users are not going to go looking in their torrc file for bridge
fingerprints to go and look up bridges on Relay Search. Of the ones that
do get the fingerprint out, they may try and use other tools like
torstatus to look up the fingerprint.
Relay Search will hash the fingerprint before sending any request, so
bridge lookups in Onionoo are actually double-hashed, but other tools
might not do this. Leaking a non-hashed fingerprint can leak the location
of the bridge in some cases.
So I think this is a low-probability risk, but with higher impact as a
single user might burn a bridge. There may be other places that users get
fingerprints from (e.g. BridgeDB/moat) where we should be adding hashed
fingerprints too.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30768#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list