Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12536 closed enhancement (wontfix)

BridgeDB e-mails should be encrypted when possible

Reported by: andrea
Owned by: isis
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity:
Keywords: bridgedb-email, bridgedb-2.0.x
Cc: isis, sysrqb
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Looks like the opposition is using BridgeDB e-mails to enumerate bridges:

/**
 * Database Tor bridge information extracted from confirmation emails.
 */
fingerprint('anonymizer/tor/bridge/email') =
email_address('bridges@torproject.org')
  and email_body('https://bridges.torproject.org/' : c++
  extractors: {{
    bridges[] = /bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;
  }}
  init: {{
    xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");
  }}
  main: {{
    static const std::string SCHEMA_OLD = "tor_bridges";
    static const std::string SCHEMA_NEW = "tor_routers";
    static const std::string FLAGS = "Bridge";
    if (bridges) {
      for (size_t i=0; i < bridges.size(); ++i) {
        std::string address = bridges[i][0] + ":" + bridges[i][1];
        DB[SCHEMA_OLD]["tor_bridge"] = address;
        DB.apply();
        DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
        DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
        DB[SCHEMA_NEW]["tor_flags"] = FLAGS;
        DB.apply();
      }
      xks::fire_fingerprint("anonymizer/tor/directory/bridge");
    }
    return true;
  }});
// END_DEFINITION

(from http://daserste.ndr.de/panorama/xkeyscorerules100.txt)

There should be a way users requesting bridges can supply a PGP key to which the response should be encrypted.
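To make concrete what the quoted rule harvests from a plaintext BridgeDB reply, here is its extractor re-implemented in Python and run over a constructed mail body. This is an added example, not code from the ticket, from the leaked rule set or from BridgeDB; the sender string, the body marker and the "bridge IP:port" line layout are assumptions modelled on the rule's own trigger conditions, not on BridgeDB's real reply template.

```python
import re
from typing import Dict, List

# Python translation of the extractor regex in the quoted rule. Group 1 is the
# IPv4 address; group 2 is the port exactly as the rule captures it: two to
# four digits, matched lazily, plus the single non-digit that terminates them.
BRIDGE_RE = re.compile(
    r"bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])"
)

# Trigger conditions taken from the rule's header (assumed to be substring
# tests on the From header and the body, which is how the rule reads).
SENDER = "bridges@torproject.org"
BODY_MARKER = "https://bridges.torproject.org/"
FLAGS = "Bridge"


def fingerprint_matches(from_addr: str, body: str) -> bool:
    """Mirror the rule's trigger: mail from the BridgeDB address whose body
    mentions the BridgeDB URL."""
    return SENDER in from_addr and BODY_MARKER in body


def extract_bridges(from_addr: str, body: str) -> List[Dict[str, str]]:
    """Return one record per bridge line, shaped like the rows the rule writes
    to its 'tor_routers' schema. An empty list means the fingerprint did not
    fire or no line matched."""
    if not fingerprint_matches(from_addr, body):
        return []
    records = []
    for ip, port in BRIDGE_RE.findall(body):
        records.append({
            "tor_bridge": ip + ":" + port,   # the SCHEMA_OLD row, concatenated as the rule does
            "tor_ip": ip,
            "tor_port_or": port,             # keeps the terminating non-digit, see note below
            "tor_flags": FLAGS,
        })
    return records


# Constructed sample (not a real BridgeDB reply). Only the "bridge IP:port"
# pattern matters to the rule; the surrounding text is invented. The third
# line carries a five-digit port on purpose.
SAMPLE_FROM = "BridgeDB <bridges@torproject.org>"
SAMPLE_BODY = """\
Here are your bridges:

 bridge 203.0.113.10:443 0123456789ABCDEF0123456789ABCDEF01234567
 bridge 198.51.100.7:9001
 bridge 192.0.2.99:49153 89ABCDEF0123456789ABCDEF0123456789ABCDEF

To get more bridges see https://bridges.torproject.org/
"""

if __name__ == "__main__":
    for row in extract_bridges(SAMPLE_FROM, SAMPLE_BODY):
        print(row)
```

Two things worth noticing when it runs. Under Python's re semantics the second group keeps the non-digit that ends the port, so the first line yields a port of "443 " (with the trailing space) and the rule's concatenated address would be "203.0.113.10:443 ". And because the quantifier is capped at four digits, the five-digit port on the third line does not match at all, so that bridge is never recorded; whether XKeyscore's regex engine behaves identically is not something the leaked text establishes. Neither quirk changes the point of the ticket: every bridge that does match is recovered from the cleartext body with one regex.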

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by bastik

I'm just copying here what I said on ticket #12537, since it belongs here. (And I get updates on this.)

(I don't want to open another ticket, because I think it's not worth it, but it is related. Since Tor users are expected to check the signature of their Tor (or TB) copy with PGP, bridge-requesting users could provide their public key in the message body or as an attachment, and BridgeDB would send an encrypted email to them. It's not worth it in my eyes, because PGP has to be deployed on the server and fed with user-provided input, normally the key, which has to be stored at least temporarily; that does not make me that sad, since the adversary would be able to extract the key from the email in the first place. The major downside is that if it is optional, the adversary will get the bridges from those that do not make use of this feature. And if it is forced, it makes it much more difficult for people to get bridges. [...])

Last edited 5 years ago by bastik

comment:2 Changed 5 years ago by isis

Cc: isis, sysrqb added
Keywords: bridgedb-email, bridgedb-2.0.x added
Resolution: wontfix
Status: new → closed

So... as much as I would love to offer this feature, it's not safe to have the server which has the BridgeDB databases on it parse arbitrary OpenPGP packets, due to the complication of the specification of those packets and the fact that no implementation of RFC4880 to date has followed the spec (they've all diverged from it in slightly different, incompatible ways).

For a different version of what you're asking for, see ticket #9332. This feature would not extend to general users, however. Perhaps if/when the email distributor runs on a separate machine, then we can safely consider implementing this feature. For now, I won't do it because it risks giving an adversary access to the entire bridge database.

comment:3 Changed 5 years ago by isis

Type: defect → enhancement