Opened 5 years ago

Closed 3 years ago

#13504 closed defect (fixed)

Bridges in Tor Browser Bundles should be public so that we have metrics on them

Reported by: isis Owned by: isis
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-bridges, tbb-pref, bridgedb-dist
Cc: isis, karsten, mikeperry, gk, arma, asn, mo, gamambel, kpdyer, yawning Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In a conversation on the tor-dev@… mailing list, Karsten successfully convinced me that all bridges included in the default bridge list in Tor Browser builds should be public bridges (i.e. the bridges should be submitting their descriptors to the BridgeAuthority and to BridgeDB, so that those descriptors go into Metrics).

The primary reason for this is to have more accurate metrics on bridge use, which would make it easier for people like me to get funders to sponsor my work. As such, I'm particularly interested in seeing this get done, and willing to take on the responsibility of checking that bundled bridges are public (and otherwise shaking down the bridge operators who aren't providing descriptors yet).

Any potential security/privacy benefits achieved by keeping a bridge private are nullified for bundled bridges, since their addresses are trivially, publicly accessible by grepping our source code. Obviously, an adversary enumerating BridgeDB bridges is significantly less probable than gaining the same information by grepping public data, so keeping the bundled bridges private doesn't provide any feasible security/privacy benefits.


Additionally, if bridge operators wish to give us metrics but are firmly against their bridges being distributed by BridgeDB, I can either:

  1. Create a torbrowser bridge pool in BridgeDB, which is never distributed.

This would only be a short-term doesn't-require-little-t-tor-patches hack. I don't really want to do this. However, if the bridge operators for Tor Browser bundle bridges really don't want to be distributed by BridgeDB, I am willing to do it.

  1. Add a torrc option, BridgeDistribution [https|email|any|none], as described on the mailing list and BridgeDB patches to disable distribution for bridges whose descriptors say BridgeDistribution none.

This would allow bridge operators to provide metrics without being publicly distributed by BridgeDB, and would likely only effect bridges running tor-0.2.6.x.

The default would be BridgeDistribution any, which would allow BridgeDB to choose how your bridge is distributed.

Using BridgeDistribution [https|email] would allow a bridge operator to override BridgeDB's decision.

Using BridgeDistribution none would instruct BridgeDB to either toss out your bridge's descriptor rather than putting them into the databases (or adding them to the 'unallocated' pool, depending on how we wish to implement this).



Either of the above, if desired, would need separate tickets.

Child Tickets

Attachments (1)

check-bundled-bridges-are-public.sh (992 bytes) - added by isis 5 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 Changed 5 years ago by isis

In the tor-browser-bundle repo, doing:

git log -p -- \
  Bundle-Data/PTConfigs/bridge_prefs.js Bundle-Data/beta/bridge_prefs.js | \
  grep [-+]pref | cut -d ' ' -f 2- | sed -e 's/");//' | sed -e 's/"//' | \
  sort | uniq > bundled-bridges.txt

gives me the list of all 44 public bridges which have been used in Tor Browser.

I then removed:

  • fte DNS-based bridge lines (which were committed and then immediately reverted)
  • flashproxy lines
  • meek lines
  • a random line which just has obfs3 and nothing else on it

by doing:

cat bundled-bridges.txt | \
  sed -e 's/fte [a-z].*//' | \
  sed -re  's/^(flashproxy|meek).*//' | \
  sed -e 's/^obfs3$//' > bundled-bridges.txt

That left 28 bridges total. For many of them, the same fingerprint is given for different ports on the same IP. To get the all the deduplicated bridge fingeprints which have been in use over time (there are currently 21), do:

cat bundled-bridges.txt | cut -d ' ' -f 3-3 | sort | uniq

To see which ones Metrics knows about and which it does not do:

torsocks curl -o bundled-bridges-details https://onionoo.torproject.org/details?type=bridge&fields=hashed_fingerprint ;
for fpr in `cat bundled-bridges-amended.txt | cut -d ' ' -f 3-3 | sort | uniq`; do {
    hashedfpr=`python3 -c "import hashlib,binascii;print(hashlib.sha1(binascii.a2b_hex('$fpr')).hexdigest().upper());"`;
    public=`grep -i $hashedfpr bundled-bridges-details`;
    printf "%s -> %s" "$fpr" "$hashedfpr " ;
    if test -n "$public" ; then
      printf "yes\n";
    else
      printf "no\n";
    fi } ;
  done

you'll get a pretty output of which Tor Browser bridges Metrics knows about, and which it does not, in the form FINGERPRINT_HEX -> HASHED_FINGERPRINT [yes|no]. Attached is a script to do all this for you.

The bridges which have never given descriptors are:

fte 79.125.3.12:8080 17AF9F9F4E57614A060B7221DCCEDB8BB546DD73
17AF9F9F4E57614A060B7221DCCEDB8BB546DD73 -> 6E908B1D132737A936DAB532B563CD55B0A25894 no

fte 131.252.210.150:8080 271EC1874E40FE65C145C6397AA34FFF7008E50E
271EC1874E40FE65C145C6397AA34FFF7008E50E -> E0998F86F554E8AB27FCD7AA114CDB35A4E77B8A no

fte 79.125.3.12:8080 272465348803EE2546A9BB8EE37D462915531F09
272465348803EE2546A9BB8EE37D462915531F09 -> F17CBC91439C53E2A2B6A3DDF05C88DA7117CAD7 no

obfs3 209.141.36.236:45496 58D91C3A631F910F32E18A55441D5A0463BA66E2
58D91C3A631F910F32E18A55441D5A0463BA66E2 -> FAEABF422ECB91C1D96492B06DE2539EDD6BFB0E no

scramblesuit 188.40.121.112:39707 5DE8D363D8F150C99E1A2D7237368D614838132C password=L5POGQONBPS2HZUR6GXBIDS4CMIYYOTI
5DE8D363D8F150C99E1A2D7237368D614838132C -> F2A827673111FEC4957FBF1D2D3B32E5073BB61B no

fte 2620:108:700f::36d6:163f:80 6E6298B85B171FEA4E36ADB15D6FF95DA0B37C89
fte 2620:108:700f::36f5:f95b:80 6E6298B85B171FEA4E36ADB15D6FF95DA0B37C89
fte 54.244.94.118:80 6E6298B85B171FEA4E36ADB15D6FF95DA0B37C89
6E6298B85B171FEA4E36ADB15D6FF95DA0B37C89 -> 516A850EA57678E48FFFA157449AEA0542B5CD73 no

obfs3 109.105.109.163:47779 844B1F53FFD548C998F8D3B01B7E19FA07C3396E
844B1F53FFD548C998F8D3B01B7E19FA07C3396E -> DE6397A047ABE5F78B4C87AF725047831B221AAB no

obfs3 109.105.109.163:38980 9D7259A696F7DAB073043B28114112A46D36CFFD
9D7259A696F7DAB073043B28114112A46D36CFFD -> FBD4950C1ACEE99E73A24AB2A6341A85A88ACB7B no

obfs3 208.79.90.242:35658 BA61757846841D64A83EA2514C766CB92F1FB41F
BA61757846841D64A83EA2514C766CB92F1FB41F -> 231E2DE81DC4314F2035D2C0D0D043A425FF8999 no

Of those, only the following are currently within tor-browser-bundle.git/Bundle-Data/PTConfigs/bridge_prefs.js:

obfs3 208.79.90.242:35658 BA61757846841D64A83EA2514C766CB92F1FB41F
obfs3 209.141.36.236:45496 58D91C3A631F910F32E18A55441D5A0463BA66E2
scramblesuit 188.40.121.112:39707 5DE8D363D8F150C99E1A2D7237368D614838132C password=L5POGQONBPS2HZUR6GXBIDS4CMIYYOTI
Last edited 5 years ago by isis (previous) (diff)

Changed 5 years ago by isis

comment:2 Changed 5 years ago by isis

Those last three bridges are not even running.

obfs3 208.79.90.242:35658 BA61757846841D64A83EA2514C766CB92F1FB41F
obfs3 209.141.36.236:45496 58D91C3A631F910F32E18A55441D5A0463BA66E2
scramblesuit 188.40.121.112:39707 5DE8D363D8F150C99E1A2D7237368D614838132C password=L5POGQONBPS2HZUR6GXBIDS4CMIYYOTI

Why are these in the bundle if they are unreliable and not public? Here's a patch to remove them. It's a single commit in the bug13504 branch of my tor-browser-bundle repo.

comment:3 Changed 3 years ago by dcf

Resolution: fixed
Severity: Normal
Status: newclosed

I think that all the default bridges report metrics these days. The three listed in comment:2 have been removed.

I hacked attachment:check-bundled-bridges-are-public.sh to only look at current bridges. The only "no" output was for mercurius4, 104.131.108.182:56880, and I think it's because it's not running.

#!/bin/bash

cat Bundle-Data/PTConfigs/bridge_prefs.js | \
    grep '^pref("extensions\.torlauncher\.default_bridge\.' | cut -d ' ' -f 2- | sed -e 's/");//' | sed -e 's/"//' | \
    sort | uniq > bundled-bridges.txt

if ! test -f "bundled-bridges-details" ; then
    torsocks curl -o bundled-bridges-details \
        "https://onionoo.torproject.org/details?type=bridge&fields=hashed_fingerprint"
fi

for fpr in `cat bundled-bridges.txt | cut -d ' ' -f 3-3 | sort | uniq`; do
    hashedfpr=`python3 -c "import hashlib,binascii;print(hashlib.sha1(binascii.a2b_hex('$fpr')).hexdigest().upper());"`
    public=`grep -i $hashedfpr bundled-bridges-details`
    bridgeline=`grep -i $fpr bundled-bridges.txt`
    printf "%s\n" "$bridgeline"
    printf "%s -> %s" "$fpr" "$hashedfpr "
    if test -n "$public" ; then
        printf "yes\n\n"
    else
        printf "no\n\n"
    fi
done
Note: See TracTickets for help on using tickets.