Flaw in bridge descriptor sanitizing process
Karsten Loesing
karsten.loesing at gmx.net
Tue Jan 11 08:12:36 UTC 2011
Hi everyone,
back in Nov 2009, I posted our approach to sanitize bridge descriptors
before publishing them for everyone to analyze:
http://archives.seul.org/or/dev/Nov-2009/msg00000.html
Now I found a flaw in this process that affects roughly 2.5 % of bridge
descriptors: When a bridge is configured to use the default exit policy,
it adds a reject line containing its own IP address which we don't
sanitize. Here's an example of a sanitized bridge descriptor. Note that
I manually sanitized part of the bridge's IP address with '---' here!
router Unnamed 127.0.0.1 9001 0 8030
platform Tor 0.2.1.28 (r6e5496a2407ee589) on FreeBSD i386
opt protocols Link 1 2 Circuit 1
published 2010-12-21 17:59:41
opt fingerprint 16D6 49EA 83CF 23A1 BAD3 90DC 921E E83F 310A CC7F
uptime 64
bandwidth 51200 102400 0
opt extra-info-digest F2BD0C7AB741648D9CFC982C790B9221B8C04516
opt hidden-service-dir
contact somebody
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 80.---.--.---:* <--- bridge's IP address
accept *:21
accept *:23
accept *:80
accept *:110
accept *:143
accept *:443
reject *:*
The fix is to replace the bridge's IP address in reject lines with
127.0.0.1, too. See this commit for details:
https://gitweb.torproject.org/metrics-db.git/commitdiff/e9d42a8
I started sanitizing the bridge descriptors since May 2008 once again, but
this takes at least another week to finish. Here are the newly sanitized
bridge descriptors:
https://metrics.torproject.org/data.html#bridgedesc
Can other people look at the sanitized descriptors and try to find other
sensitive parts (IP addresses, fingerprints, contact information, etc.)
that we should remove? It took me 1 year to find this flaw, and I only
found it by chance when refactoring the code. More eyes needed!
Thanks,
Karsten
More information about the tor-dev
mailing list