[tor-bugs] #17115 [Onionoo]: Can't search by fingerprint with spaces

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 9 19:09:17 UTC 2015 

#17115: Can't search by fingerprint with spaces
-------------------------+------------------
     Reporter:  strugee  |      Owner:  phw
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:
    Component:  Onionoo  |    Version:
   Resolution:           |   Keywords:  easy
Actual Points:           |  Parent ID:
       Points:           |    Sponsor:
-------------------------+------------------

Comment (by karsten):

 Agreed, Atlas should sanitize fingerprints before it sends them to
 Onionoo.  In fact, Onionoo already suggests that when it says "Complete
 hex-encoded fingerprints should always be hashed using SHA-1, regardless
 of searching for a relay or a bridge, in order to not accidentally leak
 non-hashed bridge fingerprints in the URL."

 This case is a bit different, because it's not always possible to
 distinguish a 4-character hex block from other valid input like (part of)
 a nickname.  For example, should `"DEFA CB7E 7D73"` be considered the
 beginning of fingerprint `DEFACB7E7D73`, or is it supposed to be a search
 for the (existing) relay with nickname `default` and fingerprint
 `CB7E7D734E28312337DE322C1A0E4DE53578D2AE`?

 But I'm inclined to improve usability by allowing fingerprints with spaces
 even at the risk of returning false negatives for mixed searches with
 4-character hex nicknames or nickname parts.  After all, users shouldn't
 rely on nicknames anymore.

 Suggestion (not implemented yet, might be implemented differently):

  - Onionoo clients, including Atlas, are advised to remove spaces between
 any two search terms consisting of exactly 4 hex characters.  (If the
 result is a search term consisting of 40 hex characters, clients are
 advised to hash that using SHA-1.)

  - The Onionoo server performs the same operation, which would cover any
 clients that don't follow this advice.  This is a major protocol change
 that needs to be announced at least 1 month before becoming effective.

 What do you think?  What did I overlook?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17115#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list