[tor-dev] Can we stop sanitizing nicknames in bridge descriptors?

Karsten Loesing karsten at torproject.org
Fri May 4 10:31:19 UTC 2012

On 5/3/12 7:22 PM, Sebastian G. <bastik.tor> wrote:
> The safest way is to ensure that bridge and relay operators are aware of
> the fact that their naming scheme should avoid correlations, wherever
> both are actually located. The question here is on how to ensure it?!

This is a usability question.  Telling bridge operators that they should
use a very different nickname for their bridge than what they used for
their relays could be useful.  But it's yet one more thing to tell them.
 We should also tell them not to run their bridge on the same IP address
where they ran a relay before.  Or they shouldn't re-use their relay
identity key for running a bridge.  And we could even test these cases
automatically.  But my sense is that we'd only confuse potential bridge
operators, either by telling them these things in a howto or by
notifying them when they do one of these things.  We'd probably overload
poor Runa who has to answer the support questions coming out of this.
Probably not worth it.

>> So, while we have the data to see these correlations, I think that
>> whatever similarity algorithm we come up with, somebody else might come
>> up with something smarter.  If we do the analysis you suggest and learn
>> that it's safe to include nicknames, that doesn't say very much.  Only
>> because we have the data to confirm how well our attack would works
>> doesn't automatically mean we're in a good position to design the attack.
> If I remember correctly Bruce Schneier "once" said that it's easy to
> built/invent your own cipher which you are unable to break, but that you
> can't be sure that no one else can.

I fully agree.  That's why I want to avoid doing the analysis and
telling people everything's good.

> I'm not able to use any mathematical function on the data. And I have no
> "skill" to do that in a batch. I as an adversary would "crowdsource" the
> similarity since humans might have a better understanding what might
> belong together.
> All I could do is look through the list manually and compare them with
> the list of relays. I don't think I'm going to do this as I don't
> believe that I'm going to find anything.

Sounds like a fine approach.  Want to do it (when the 2008 tarball is
available)?  It would be interesting to see a) what fraction of bridges
you think you can derive IP addresses for and b) how accurate your
guesses are.


More information about the tor-dev mailing list