Publishing sanitized bridge pool assignments

Karsten Loesing karsten.loesing at
Tue Feb 8 14:42:39 UTC 2011

(Just in case people have difficulties following this thread, because we
discussed different things about sanitizing bridge descriptors, all having
to do with adding secrets to hash functions:  This suggestion had to do
with replacing bridge identity fingerprints with H(secret | fingerprint)
instead of the current H(fingerprint).)

On Thu, Feb 03, 2011 at 11:19:31PM -0800, Robert Ransom wrote:
> > On Wed, Feb 02, 2011 at 03:50:25PM +0100, Karsten Loesing wrote:
> > > Your call.  If you think adding a secret X is important here, we can
> > > change the process.  Note that this change affects all published sanitized
> > > bridge descriptors, because they contain these hashed fingerprints, too.
> > > We should be consistent with the fingerprints we put into bridge pool
> > > assignments and bridge descriptors.  That doesn't exactly make this a
> > > cheap change, because I'll have to sanitize two years of descriptors
> > > again.  But if it's important, I can do it.
> > 
> > Argh!  There's one major problem about adding a secret X.  We're comparing
> > hashed bridge identites to hashed relay identities to exclude bridges that
> > have been running as relays from the bridge usage statistics.  The reason
> > is that bridges that have been running as relays before report much higher
> > user numbers than other bridges, which are very likely direct Tor users.
> > 
> > If we now include a secret X in the sanitizing process, we'd either have
> > to include the same secret in the calculation of bridge usage statistics,
> > or we wouldn't be able to remove former relays.  I really want to avoid
> > the former, because we're trying to only make use of data for statistics
> > that we're giving out to everyone.  And the latter would make our bridge
> > usage statistics useless.
> > 
> > So, I'm afraid we cannot include a secret X easily. :(
> Publish lists of relay identities sanitized using the same function
> used to sanitize bridge identities.

Right, that would work, even though it involves even more work.  It's
still unclear to me whether we need to act here.  Are we really concerned
that censors crawl certificates and fetch our sanitized bridge descriptor
archives to find out whether nodes are running bridges?


More information about the tor-dev mailing list