[tor-dev] Looking up bridges in Globe et al. by fingerprint
Christian
me at rndm.de
Mon Feb 10 21:09:10 UTC 2014
On 09.02.2014 10:29, Karsten Loesing wrote:
> On 08/02/14 20:39, Roger Dingledine wrote:
>
> Thanks for your reply. This is very helpful! Replying to your response
> inline and summarizing the design once again at the end of this email.
>
>> On Mon, Feb 03, 2014 at 11:17:19AM +0100, Karsten Loesing wrote:
>>> 1. Globe runs full fingerprints through SHA-1 on the server.
>>> - The Globe server learns a lot of bridge fingerprints, which
>>> makes it a juicy target, because bridge fingerprints can (in the
>>> future?) be used to fetch bridge descriptors containing bridge
>>> addresses.
>>> + This variant is really easy to implement.
>>
>> This one sounds good to me. You could even check both the fingerprint
>> you get and its SHA1, so people who get the Javascript won't be sharing
>> their bridge fingerprint with you, and then this issue is limited to
>> the folks who don't want to run javascript.
>
> Good idea, I guess that's doable.
>
>> (I had no idea that Globe was doing this Javascript trick on the client
>> side, so I figured it was a straightforward security decision on my part,
>> "is it worthwhile to look up this bridge fingerprint, even though it
>> tells Globe about the fingerprint?" And I think that's a decision that
>> most people are able to make.)
>
> Agreed.
>
>> (Also, you say 'in the future?' above, but I think it can happen right
>> now -- if you ask Tonga about a bridge fingerprint, it will give you
>> the corresponding descriptor. Unless we disabled that on the Tonga side
>> when I wasn't looking.)
>
> I said "(in the future?)" because I wasn't sure about this. But I just
> looked a bit closer at the code and found that Tonga only sends out
> bridge descriptors over _encrypted_ connections, that is, requests
> coming in via Tor circuits. That's why I never observed Tonga giving
> out a descriptor when asking it using curl or wget. Makes sense now!
>
>>> 2. Globe does not run full fingerprints through SHA-1 on the server
>>> and instead forwards everything to Onionoo.
>>> - Not only the Globe server, but also the Onionoo server learns
>>> bridge fingerprints.
>>
>> Yeah, this doesn't seem like a good option.
>
> OK.
>
>>> + We teach users that they shouldn't copy their original bridge
>>> fingerprint into the Globe search window. For example, we could
>>> tell them the single line of Python they need to run their
>>> fingerprint through SHA-1. While they might have "spoiled" their
>>> first bridge, they'll know for their other bridges.
>>> - Nobody will understand the above.
>>
>> Well, I guess technically we could offer this too -- that way smart
>> users have the possibility to pre-SHA1 their fingerprint before doing
>> the search. And if Globe checks both, then it should just work either
>> way.
>
> We can combine the idea of teaching users that they shouldn't tell us
> their original fingerprint with the idea above of hashing their
> fingerprint for them: whenever the Globe server sees a fingerprint, it
> hashes it and asks Onionoo for matches. And if Onionoo returns a single
> bridge for exactly that hash, Globe knows that the fingerprint given by
> the user was not hashed and includes a warning.
>
>> (Except, what if the users pre-SHA1 their fingerprint, but then
>> they run the javascript that SHA1's it again? Does that mean Globe should
>> check two hashes deep? Hrm.)
>
> Globe doesn't have to check two hashes deep, but Onionoo already does
> that. A common use case, AIUI, is that people search for their original
> fingerprint, see the bridge details page showing the fingerprint hash,
> copy that somewhere, and next time ask for the fingerprint hash. And
> that has to return the same bridge already.
>
>>> 3. Tor prints out the SHA-1 fingerprint to its logs or to a
>>> hashed-fingerprint file.
>>> + Bridge users who know to read the fingerprint file can as well
>>> read the hashed-fingerprint file or the logs. We could even add a
>>> link "How do I search for my bridge" to the Globe page and explain
>>> to look out for that file or read the logs.
>>> - Only very few people will find that file or click the link.
>>> We'll have to do either 1 or 2 in addition to 3.
>>
>> I guess I don't object to this option, but I think you're right that
>> it isn't a big win.
>
> Okay, let's consider it in the not-too-far-away future.
>
>>> 4. Sanitized bridge descriptors contain original fingerprints.
>>> + It will be a lot easier to search for bridges if it works the
>>> same way as searching for relays.
>>> + The sanitizing process will be easier.
>>> - We lose the option to enable bridge clients to update their
>>> bridge descriptors by sending the bridge fingerprint to the bridge
>>> authority.
>>> - This is going to keep me busy for a while for updating the
>>> various metrics code that expects SHA-1 fingerprints rather than
>>> original fingerprints. I can do that though.
>>
>> That doesn't sound like a good tradeoff either.
>
> Agreed. This suggestion seemed like a better idea when I thought that
> it was just planned that Tonga returns bridge descriptors when asked for
> fingerprints. It doesn't make as much sense anymore.
>
>
> Summarizing the design:
>
> 1. Globe browser
>
> - If JavaScript is available, the browser-part of Globe computes the
> SHA-1 of any 40 hex chars given as input and sends that to the Globe
> server. It uses a different parameter than the non-JavaScript version
> of Globe though, say, "search2=<str>", so that Globe server can
> distinguish.
>
> - If JavaScript is not available, Globe browser simply sends the search
> paramter as "search=<str>" to the Globe server.
>
> - There should be a link "how do I search for my bridge", or similar,
> that explains how to find their bridge's fingerprint and run it through
> SHA-1 before searching for it in Globe.
>
If anyone wants to write a small text for this, feel free to do so.
> 2. Globe server
>
> - If asked for "search2=<str>", the Globe server simply forwards the
> request to the Onionoo server. Nothing to worry about here, Onionoo
> will handle the case of <hash> being a SHA-1 fingerprint (if the user
> put in their original fingerprint) or the SHA-1 of the SHA-1 fingerprint
> (if the user put in a fingerprint hash).
>
> - If asked for "search=<str>", the Globe server performs the same check
> as the JavaScript Globe would have done. If it detects 40 hex chars, it
> computes the SHA-1 and sends it to Onionooo. Otherwise it simply
> forwards to Onionoo. When Onionoo replies, Globe server checks if the
> response contains a single bridge with the hashed fingerprint being the
> SHA-1 that Globe server computed. In this case the <str> part that it
> was given was a non-hashed fingerprint. If so, Globe server includes a
> warning that users shouldn't put in their original fingerprint and
> suggests to use the fingerprint hash instead in the future.
>
> 1.b Globe browser
>
> - In fact, the JavaScript version of Globe browser could perform the
> same check as Globe server when receiving a response. It could teach
> users not to put in their original fingerprint, because who knows, maybe
> next time they're searching using a non-JavaScript browser. Also, they
> might wonder why the displayed fingerprint is different from what they
> typed in.
>
> 3. Tor
>
> - Once this whole fingerprint hash business is more common, because
> people are actually getting used to using their fingerprint hash in
> Globe, we discuss writing a hashed-fingerprint file and printing the
> hashed fingerprint to the logs on bridges.
>
> Christian, does this make sense to you? Shall we move these ideas to
> Trac tickets?
>
Sounds good, but you don't need to create a ticket for this. I'm almost
done with this feature.
p.s. for testing the unhashed bridge fingerprint search I need to know
an unhashed bridge fingerprint. Does anyone knows where I can get one?
Thanks,
Christian
More information about the tor-dev
mailing list