Opened 9 years ago

Closed 5 years ago

#1610 closed enhancement (wontfix)

Turn mail requests into 'subscriptions'

Reported by: phobos
Owned by: isis
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity:
Keywords: bridgedb-email
Cc: isis
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Turn mail requests into 'subscriptions': People mail 'subscribe bridges' to us, we put them in a database and send them bridges periodically. To not send mails to users who have long forgotten about their subscription, make them re-subscribe periodically by putting a "Reply to this mail or you won't get any more bridges" text somewhere in a mail we send them with fresh bridges.

Change History (12)

comment:1 Changed 9 years ago by phobos

Component: Tor - Distribution → Tor - BridgeDB

comment:2 Changed 8 years ago by karsten

Milestone: BridgeDB Upgrades Phase 1
Parent ID: #4380

Assigning as a child ticket to the project ticket that replaces the "BridgeDB Upgrades Phase 1" milestone.

comment:3 Changed 7 years ago by phobos

Keywords: SponsorL added

comment:4 Changed 6 years ago by sysrqb

Is BridgeDB a good place to have a database of email addresses (more than it already is)? Would having a subscription system make it more of a target for an adversary?

comment:5 in reply to:  4 ; Changed 6 years ago by arma

Replying to sysrqb:

> Is BridgeDB a good place to have a database of email addresses (more than it already is)?

Yes, I think so. Otherwise we have a separate place that has a database of email addresses, *and* we add some protocol for it to speak to bridgedb to learn what it should give out.

> Would having a subscription system make it more of a target for an adversary?

Also yes.

comment:6 in reply to:  description ; Changed 6 years ago by arma

Replying to phobos:

> Turn mail requests into 'subscriptions': People mail 'subscribe bridges' to us, we put them in a database and send them bridges periodically.

We could get smarter about 'periodically' and only mail them when a threshold of the bridges they know about (based on what we've sent them) have gone away.

Without current bridge churn, that could be quite frequent. But all the more reason to do it.

comment:7 in reply to:  6 Changed 6 years ago by arma

Replying to arma:

> Without current bridge churn, that could be quite frequent. But all the more reason to do it.

S/Without/With/

comment:8 in reply to:  5 Changed 6 years ago by sysrqb

Replying to arma:

> Replying to sysrqb:
>
> > Is BridgeDB a good place to have a database of email addresses (more than it already is)?
>
> Yes, I think so. Otherwise we have a separate place that has a database of email addresses, *and* we add some protocol for it to speak to bridgedb to learn what it should give out.

My question was actually a misleading one (which you answered, thanks!). What I really should have asked was:

Should BridgeDB really be storing email addresses at all? There are ways that it can link requests from an email address without comparing the actual email addresses. However, by not storing the real email address, this makes it difficult to have a subscription-based system.

I guess this is another security vs usability issue :)
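Editor's added example, not part of sysrqb's comment and not BridgeDB's code: one way to link requests from the same address without storing it is a keyed digest of the canonicalized address. The key handling, the canonicalization rules, the 3-hour window and all names below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a random server-side key kept out of the database, so a stolen
# table of digests cannot be tested against guessed addresses without it.
LINK_KEY = secrets.token_bytes(32)
MIN_INTERVAL = 3 * 60 * 60  # assumed rate-limit window, in seconds


def canonicalize(address: str) -> str:
    """Normalize so trivial variants of one mailbox map to one identifier."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]  # drop "+tag" sub-addressing
    if not local or not domain:
        raise ValueError("not an email address")
    return f"{local}@{domain}"


def link_id(address: str, key: bytes = LINK_KEY) -> str:
    """Keyed digest that links requests from one address without storing it."""
    msg = canonicalize(address).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class RequestLog:
    """Stores only link_id -> time of the last answered request."""

    def __init__(self):
        self.last_seen = {}

    def allow(self, address: str, now: float) -> bool:
        ident = link_id(address)
        previous = self.last_seen.get(ident)
        if previous is not None and now - previous < MIN_INTERVAL:
            return False  # same sender asked again too soon
        self.last_seen[ident] = now
        return True

    def recoverable_addresses(self):
        # Digests are one-way: nothing stored here can be mailed later,
        # which is why this design conflicts with subscriptions.
        return [k for k in self.last_seen if "@" in k]
```

The log can answer "has this sender asked recently?" but cannot produce a recipient list, which is the trade-off the comment describes.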

comment:9 Changed 6 years ago by arma

Note that these days, this ticket isn't really about adapting to censorship.

It was an idea from a time where the arms race was "change IP addresses quicker than the adversary can enumerate them". The arms race these days is "do some trick to be able to recognize bridges when they're used". This new arms race scales a lot better, and would result in this subscription approach basically sending you a mail saying "oops, no bridges left for you".

That doesn't make it totally pointless though -- it is still useful to send an automated follow-up when your current bridge addresses churn away naturally.

comment:10 Changed 5 years ago by isis

Parent ID: #4380

comment:11 Changed 5 years ago by isis

Cc: isis added
Keywords: bridgedb-email added; SponsorL removed
Owner: set to isis
Status: new → accepted

I am against the idea of sending plaintext subscription emails to users for several reasons.

  1. I don't want a database of bridge users on the server. I would prefer not to have any information at all on BridgeDB's users. The SocialDistributor, a.k.a. rBridge, (see #7520) would be a significantly safer way -- for the bridges, bridge users, and for me maintaining the BridgeDB server and service -- to implement automatic bridge retrieval.
  2. In light of the recent revelations of XKEYSCORE targeting of BridgeDB and various torproject.org servers, I would prefer to send fewer emails. Not more. The idea now is "send only enough emails to get the user's Tor working, then encourage them to use the web interface".
  3. As arma pointed out, we don't really churn bridges like we used to, so with this approach, all the bridges in the email hashring would likely eventually get emailed to everyone, and they'd have the entire hashring. (And due to point #2, so would the NSA and several other intelligence agencies.)


comment:12 Changed 5 years ago by isis

Resolution: wontfix
Status: accepted → closed
Type: task → enhancement

I'm closing as "wontfix". However, feel free to continue arguing for adding this feature, and I might listen if there's some new, compelling rationale.
