[tor-relays] onionoo
Karsten Loesing
karsten at torproject.org
Tue Sep 3 08:45:09 UTC 2013
On 9/3/13 5:59 AM, eliaz wrote:
> On 9/2/2013 11:59 AM, Steve Snyder wrote:
>> On 09/02/2013 10:02 AM, Kostas Jakeliunas wrote:
>>> [1]: http://globe.rndm.de/
>>
>> Having this tool on an unencrypted HTTP site doesn't seem safe to me.
>> Anybody can sniff the bridge IP addresses that users submit for reporting.
>
> It may be different if someone compiles the program locally, but AFAICT
> no secrets are being divulged from the globe web page. From the page
> the details of no bridge can be found without knowing the name of the
> bridge in the first place; and if someone knows that she also know the
> other details. One doesn't have to go to the page to do a brute force
> attack.
Agreed, Globe doesn't divulge any secrets, mostly because Onionoo
doesn't contain any secrets. All bridge data that Onionoo has is
sanitized and doesn't contain sensitive information anymore.
> At the same time globe is useful in helping lower-level bridge operators
> such as myself get a better sense of what the information windows in the
> browser bundle are actually telling us.
I agree.
> If I'm wrong in any of the above, please do correct me.
No need to. Thanks for running a bridge!
Best,
Karsten
More information about the tor-relays
mailing list