[tor-relays] Why should we avoid adding bridges fingerprints in MyFamily?

Roger Dingledine arma at torproject.org
Sun Jun 23 19:47:53 UTC 2024


On Sun, Jun 23, 2024 at 07:30:00PM +0000, Edward Cage via tor-relays wrote:
> Quick question about the fingerprints of our bridges. It's clearly written
> in torrc that we should not include them in MyFamily.

Correct.

> I don't well understand why, especially because:
>     - Every bridge, and their fingerprints, are publicly listed on Tor
> Metrics;

Actually it is the *hash* of the fingerprint (hash of hash of key)
that is publicly listed in Tor Metrics. This way you can look up your
bridge if you know its fingerprint, but other people can't learn more
about your bridge just based on the relay-search page.

>     - The contact email is disclosed for each of them, and it allows our
> bridges and relays to be easily linked to the same operator. (or should we use
> a different email address for each bridge?)

It is fine to use the same contactinfo on your bridges and relays --
because it won't help somebody discover your bridge address or bridge
fingerprint if they don't already know it.

Ultimately the right answer is to move to a better design for declaring
families. The current best idea is Proposal 321:
https://gitlab.torproject.org/tpo/core/torspec/-/blob/HEAD/proposals/321-happy-families.md
with more details here:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40134
and a suggestion at the end of that ticket by trinity that seems like
it could be a good short-term fix.

I think all of the core devs who might work on Proposal 321 are instead
working on Arti though, so at this rate it will be a long while until
the topic sees progress.

--Roger
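
An operator-side check for the two points in this reply, added here as an example and not part of the original message or of Tor's own code: it scans a relay torrc for bridge fingerprints listed in MyFamily, and derives the hashed fingerprint used for bridge lookup. It assumes the hashed fingerprint is SHA-1 over the 20 raw fingerprint bytes; the function names, sample torrc and fingerprints are constructed for illustration.

```python
import hashlib
import re

HEX40 = re.compile(r"\$?([0-9A-Fa-f]{40})")

def normalize(fp):
    """Return a fingerprint as 40 uppercase hex digits ('$' and spaces dropped)."""
    m = HEX40.fullmatch(fp.replace(" ", ""))
    if not m:
        raise ValueError(f"not a 40-hex-digit fingerprint: {fp!r}")
    return m.group(1).upper()

def hashed_fingerprint(fp):
    """SHA-1 over the raw fingerprint bytes, not over the hex text (assumption)."""
    return hashlib.sha1(bytes.fromhex(normalize(fp))).hexdigest().upper()

def myfamily_fingerprints(torrc_text):
    """Merge the fingerprints from every MyFamily line, ignoring comments."""
    found = set()
    for line in torrc_text.splitlines():
        words = line.split("#", 1)[0].split(None, 1)
        if len(words) == 2 and words[0].lower() == "myfamily":
            for entry in words[1].split(","):
                try:
                    found.add(normalize(re.split(r"[=~]", entry.strip())[0]))
                except ValueError:
                    pass  # nickname or malformed entry, not a fingerprint
    return found

def bridges_in_myfamily(torrc_text, bridge_fps):
    """Return the bridge fingerprints that a relay torrc would publish."""
    bridges = {normalize(b) for b in bridge_fps}
    return sorted(myfamily_fingerprints(torrc_text) & bridges)

# Constructed sample data, not real relays or bridges.
BRIDGE_FP = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_TORRC = f"""
Nickname examplerelay
MyFamily ${'A' * 40},{'B' * 40}
MyFamily ${BRIDGE_FP.lower()}  # bridge added by mistake
"""

if __name__ == "__main__":
    for fp in bridges_in_myfamily(SAMPLE_TORRC, [BRIDGE_FP]):
        print("remove from MyFamily:", fp)
    print("hashed fingerprint:", hashed_fingerprint(BRIDGE_FP))
```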


