[tor-relays] Publishing bridge contact information

Karsten Loesing karsten at torproject.org
Thu Feb 8 11:12:50 UTC 2018 

On 2018-02-08 10:54, Sebastian Hahn wrote:
> Hi there,

Hello!

> I don't want to declare it a showstopper outright, but:
> 
>> On 8. Feb 2018, at 09:42, Karsten Loesing <karsten at torproject.org> wrote:
>>
>> These sound like variants of the first disadvantage listed above. There
>> are two additional assumptions in here, though:
>>
>> 1) bridge operators use the same or a similar email address as their
>> bridge contact information and for mailing list/forum postings or in
>> their whois information;
>>
>> 2) bridge operators are running their bridges close to the host they're
>> using to post to mailing lists/forums or close to the host where they're
>> hosting a registered domain.
> 
> Neither is required.

Hmm? Not sure I understand.

> The only assumptions are that it is possible to enumerate
> whois information for the entire v4 internet (which should be the case)

Right.

> and
> that it is possible to link the email address provided in the contact line
> with the name that's used in whois (which might or might not be easy, in my
> case it'd actually be trivial because the name is a part of my email address).

Yes, but this is what I mean in assumption 1) above. You could easily
have used a new address for the bridge.

>> I can see situations where both assumptions are met. But I think,
>> overall, that the likelihood of locating a bridge by connecting contact
>> information to mailing list archives, forum postings, or whois
>> information makes this attack rather unattractive.
>>
>> I'd say let's list this as another possible disadvantage, and let's
>> compare them all to the possible advantages at the end.
>>
>> Unless you thought of this as a show-stopper, in which case I'd kindly
>> ask you to elaborate.
>>
>> Thanks for the feedback, Geoff and Sebastian!
> 
> Just to summarize how the attack would work, you link the email to anything
> containing a real name, you crawl whois for IPs assigned to people with that
> name, unless they use some anonymizing technique you get a (small) list of
> candidate IP addresses to test.

Yes, but this only works if assumption 2) above is met. You could easily
have run your bridge on a different host than the one that is connected
to whois information under your name/address.

To be clear, I see how this could be used to locate some unknown
fraction of bridges with relatively small effort. Similar to the first
attack that I mentioned under possible disadvantages, and similar to how
similar relay and bridge nicknames could give hints on bridge locations.

The question in the end will be whether we want to trade these
disadvantages for the advantages from making bridge contact information
available to more than a handful of people. I don't have the answer to
that question yet.

> Cheers
> Sebastian

Thanks for your input!

All the best,
Karsten

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 528 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20180208/1f358f00/attachment.sig>

More information about the tor-relays mailing list