[tor-bugs] #9854 [Tor]: Removing or not sanitizing ContactInfo lines in bridge descriptors
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Oct 8 19:47:24 UTC 2013
#9854: Removing or not sanitizing ContactInfo lines in bridge descriptors
-------------------------+------------------------------
Reporter: karsten | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: unspecified
Component: Tor | Version:
Resolution: | Keywords: tor-bridge
Actual Points: | Parent ID:
Points: |
-------------------------+------------------------------
Comment (by karsten):
Here's what I asked a random subset of 20 bridge operators:
> What did you expect when adding your email address to your bridge's
configuration, and what did you not expect? Can you pick one of the
following three answers, please?
> 1. "I didn't expect anyone to ever see that email address!"
> 2. "I expected that only Tor people see that email address along with
users of my bridge."
> 3. "I'd actually be fine if anyone sees it, and I wouldn't mind if the
address were contained in a public archive."
> Note that there's no reply 1.5 "I expected that only Tor people see that
email address, but users of my bridge should not see it." This isn't
possible by design, because bridge users need your bridge's descriptor
which contains your contact information. So, if this was what you had
expected, please decide for either 1 or 2 above.
Here's how bridge operators replied:
1. 1 person replied 1. The operator suspects that the provided email
address was abused for spam, though I'm not convinced this is the really
the case. Probably coincidence.
2. Nobody replied 2.
3. 5 people replied 3. One referred to the default torrc already
containing a warning that Google indexes contact lines. Another one
argued that contact information is already effectively public, but only to
a class of people where they don't control membership in that class
(bridge users), so they wouldn't mind to include everyone else, too.
4. 14 people did not respond.
I'm leaning towards not sanitizing `contact` lines in bridge descriptors.
But that requires a new discussion on tor-dev@, and it possibly requires
re-processing the bridge descriptor archives. I currently lack the time
for either, but maybe I'll open a new ticket for this in a few months.
For the moment, I'd like to make it clearer to bridge operators that their
contact information is not kept secret. Users of a bridge already know
it, and should we decide to stop sanitizing that information, the whole
world will know.
How about we clarify the default torrc:
{{{
## Contact info to be published in the directory, so we can contact you
## if your relay or bridge is misconfigured or something else goes wrong.
## We archive all descriptors containing these lines, and Google indexes
## this, so spammers might also collect it.
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9854#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list