Opened 5 years ago

Closed 3 years ago

#14841 closed defect (wontfix)

information disclosure: is a given email subscribing to any relay? (and which one?)

Reported by: cypherpunks Owned by:
Priority: Medium Milestone:
Component: Metrics/Tor Weather Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The tor weather website can be used by an attacker to find out wheater a certain email address is:

  • subscribed to any relay
  • including which relay exactly (if any)

Since subscribers are usually the operators of the given relays this can be used to find operators of relays for further targetet attacks.

This weakness is only relevant for relays where the operator choose to use a separate email address or an empty contact info (to avoid linking his identity with a relay publicly).

Reproducer:
send subscribe requests via https://weather.torproject.org/subscribe/

as soon as you get, you can tell that you found one:

Tor Weather - Oops!

You are already subscribed to receive email alerts about the node you specified.

fix:
easy: The response to the subscribe request should always look the same. Don't send out an email in case the email was subscribed already.

more user friendly:
The response to the subscribe request should always look the same.
+ Send out an email that tells the supposed subscriber that he is actually already subscribed.

Child Tickets

Change History (1)

comment:1 Changed 3 years ago by karsten

Resolution: wontfix
Status: newclosed

Tor Weather has been discontinued as of May 24, 2016: https://lists.torproject.org/pipermail/tor-relays/2016-June/009424.html. Batch-closing all remaining tickets as announced in #19382. A list of these tickets and any other Weather tickets modified after June 26, 2016 will be available here: https://trac.torproject.org/projects/tor/query?changetime=Jun+27%2C+2016..&component=^Metrics%2FTor+Weather

Note: See TracTickets for help on using tickets.