Publishing sanitized bridge pool assignments

Karsten Loesing karsten.loesing at
Wed Feb 2 15:08:51 UTC 2011

On Wed, Feb 02, 2011 at 03:50:25PM +0100, Karsten Loesing wrote:
> Your call.  If you think adding a secret X is important here, we can
> change the process.  Note that this change affects all published sanitized
> bridge descriptors, because they contain these hashed fingerprints, too.
> We should be consistent with the fingerprints we put into bridge pool
> assignments and bridge descriptors.  That doesn't exactly make this a
> cheap change, because I'll have to sanitize two years of descriptors
> again.  But if it's important, I can do it.

Argh!  There's one major problem about adding a secret X.  We're comparing
hashed bridge identites to hashed relay identities to exclude bridges that
have been running as relays from the bridge usage statistics.  The reason
is that bridges that have been running as relays before report much higher
user numbers than other bridges, which are very likely direct Tor users.

If we now include a secret X in the sanitizing process, we'd either have
to include the same secret in the calculation of bridge usage statistics,
or we wouldn't be able to remove former relays.  I really want to avoid
the former, because we're trying to only make use of data for statistics
that we're giving out to everyone.  And the latter would make our bridge
usage statistics useless.

So, I'm afraid we cannot include a secret X easily. :(

> Speaking of sanitizing bridge descriptors, there's a related change to the
> current sanitizing process discussed in Trac ticket #2435.  I'd really
> like to hear your opinions to that ticket (either here or as comments to
> the ticket), because that change is about preserving hashed IP addresses
> in sanitized bridge descriptors:

(This question is unaffected from the discussion of secret X above.)


More information about the tor-dev mailing list