[tor-dev] Looking up bridges in Globe et al. by fingerprint
Karsten Loesing
karsten at torproject.org
Mon Feb 3 10:17:19 UTC 2014
Hi bridge address distribution people,
hi bridge status website developers,
hi bridge operators,
here's a problem that recently came up when Christian and I discussed
making Globe a JavaScript-free website.
The current Globe uses client-side JavaScript to detect if the user
entered a 40-character hex fingerprint. In that case, it runs the input
through SHA-1 and sends only the digest to the Onionoo service. That's
why Onionoo supports four cases and does not support a fifth case
(number 3 below):
1. original relay fingerprint: return the matching relay, because it
might have been a different client than Globe that sent the request and
did not run the fingerprint through SHA-1;
2. SHA-1 of relay fingerprint: return the matching relay, too, because
this could have been Globe running the original relay fingerprint
through SHA-1;
3. original bridge fingerprint: don't return anything, because Onionoo
should not see original bridge fingerprints at all;
4. SHA-1 of bridge fingerprint: return the matching bridge, because
not all clients are like Globe and might not run fingerprints through
SHA-1; and
5. SHA-1 of SHA-1 of bridge fingerprint: return the matching bridge
that the user was looking for when they put in the SHA-1 fingerprint
which was then converted to the SHA-1 of the SHA-1.
That's what the current Globe can do, because it uses JavaScript on the
client side. But the new server-side Globe cannot do that! And I don't
have a good solution yet. Here are some ideas, each of them having pros
(-) and cons (+):
1. Globe runs full fingerprints through SHA-1 on the server.
- The Globe server learns a lot of bridge fingerprints, which makes
it a juicy target, because bridge fingerprints can (in the future?) be
used to fetch bridge descriptors containing bridge addresses.
+ This variant is really easy to implement.
2. Globe does not run full fingerprints through SHA-1 on the server
and instead forwards everything to Onionoo.
- Not only the Globe server, but also the Onionoo server learns
bridge fingerprints.
+ We teach users that they shouldn't copy their original bridge
fingerprint into the Globe search window. For example, we could tell
them the single line of Python they need to run their fingerprint
through SHA-1. While they might have "spoiled" their first bridge,
they'll know for their other bridges.
- Nobody will understand the above.
3. Tor prints out the SHA-1 fingerprint to its logs or to a
hashed-fingerprint file.
+ Bridge users who know to read the fingerprint file can as well
read the hashed-fingerprint file or the logs. We could even add a link
"How do I search for my bridge" to the Globe page and explain to look
out for that file or read the logs.
- Only very few people will find that file or click the link. We'll
have to do either 1 or 2 in addition to 3.
4. Sanitized bridge descriptors contain original fingerprints.
+ It will be a lot easier to search for bridges if it works the same
way as searching for relays.
+ The sanitizing process will be easier.
- We lose the option to enable bridge clients to update their bridge
descriptors by sending the bridge fingerprint to the bridge authority.
- This is going to keep me busy for a while for updating the various
metrics code that expects SHA-1 fingerprints rather than original
fingerprints. I can do that though.
What do you think?
All the best,
Karsten
More information about the tor-dev
mailing list