[tor-bugs] #31460 [Circumvention/Snowflake]: Don't reveal proxy IDs in broker /debug
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 23 15:18:38 UTC 2019
#31460: Don't reveal proxy IDs in broker /debug
-------------------------------------+--------------------------
Reporter: phw | Owner: cohosh
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Circumvention/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------+--------------------------
Comment (by cohosh):
Here's a fix that does the short-term solution described above:
https://github.com/cohosh/snowflake/pull/6
I want to note that distinguishing between browser proxies and standalones
is somewhat of a hack and I think that's okay for now. The browser-based
proxies generate IDs as follows:
{{{
static genSnowflakeID() {
  return Math.random().toString(36).substring(2);
}
}}}
The standalone instances generate IDs as follows:
{{{
func genSessionID() string {
	buf := make([]byte, sessionIDLength)
	_, err := rand.Read(buf)
	if err != nil {
		panic(err.Error())
	}
	return strings.TrimRight(base64.StdEncoding.EncodeToString(buf), "=")
}
}}}
The strings for both are of variable length. The browser-based proxy ID
length depends on the IEEE 754 floating-point number chosen and the
standalone ID length depends on what the 16-byte session ID's base64
encoding is (note: this is generally more than 16 characters long and the
browser proxies are typically less than 12). I think 16 bytes is a
reasonable cutoff.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31460#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
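
An added example, not part of the original comment or of the Snowflake code: a length-based classifier using the 16-character cutoff discussed above, feeding per-type counts that a debug view could print instead of the IDs themselves. The names `classifyProxyID`, `summarize` and `standaloneStyleID`, the choice to treat an ID of exactly 16 characters as standalone, and the sample browser-style IDs are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// idLengthCutoff is the cutoff proposed in the comment. Assumption: IDs
// shorter than this are browser proxies, everything else is standalone.
const idLengthCutoff = 16

// classifyProxyID guesses the proxy type from the ID length alone.
// Hypothetical helper, not the broker's own function.
func classifyProxyID(id string) string {
	if len(id) < idLengthCutoff {
		return "browser"
	}
	return "standalone"
}

// summarize returns per-type counts, so a debug view can report totals
// without echoing any proxy ID back to the requester.
func summarize(ids []string) map[string]int {
	counts := map[string]int{"browser": 0, "standalone": 0}
	for _, id := range ids {
		counts[classifyProxyID(id)]++
	}
	return counts
}

// standaloneStyleID follows the genSessionID snippet quoted in the comment,
// with the 16-byte session ID length the comment mentions.
func standaloneStyleID() string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err.Error())
	}
	return strings.TrimRight(base64.StdEncoding.EncodeToString(buf), "=")
}

func main() {
	// Constructed sample IDs: two in the shape the browser snippet produces,
	// two generated the way the standalone snippet does.
	ids := []string{"k3j9x0q2m1", "8f2hz7w4pd5", standaloneStyleID(), standaloneStyleID()}
	fmt.Println(summarize(ids)) // only counts are printed, never the IDs
}
```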