Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#19060 closed defect (wontfix)

Should SafeLogging hide bridge IP addresses in logs?

Reported by: teor Owned by: arma
Priority: Medium Milestone:
Component: Core Tor/Tor Version:
Severity: Normal Keywords: 029-proposed, easy, 029-nickm-unsure, 029-teor-no TorCoreTeam201606
Cc: Actual Points:
Parent ID: Points: small
Reviewer: Sponsor:


Bridge relay operators sometimes post logs containing their bridge's IP address.

We could make this less likely by making SafeLogging 1 (the default) filter bridge IP addresses in messages like:

  • "Your server (%s:%d) has not managed to confirm that its ORPort is reachable" ...
  • "Your server (%s:%d) has not managed to confirm that its DirPort is reachable" ...
  • "Now checking whether ORPort %s:%d"...
  • "and DirPort %s:%d"
  • anything else that lists a bridge's IP or fingerprint

This could be implemented by creating safe_str_bridge and escaped_safe_str_bridge similar to safe_str and escaped_safe_str, but with a check if BridgeRelay is 1 as well. It would also need a tor manual page update that says that we escape bridge information when SafeLogging is anything besides "0".

Or, we could add "bridge" to the options for SafeLogging, but that seems over-complicated, because we'd have to define 1 vs relay vs bridge semantics in a way that makes sense.

Child Tickets

Change History (7)

comment:1 Changed 3 years ago by arma

I'm wary of crippling log lines like these. We put the IP:port in there specifically so operators (who, like most humans, are notoriously bad at debugging or questioning assumptions) would be forced to confront that it's a different one than they thought it would be. If we give them another hoop to jump through, most of them won't, and we might as well just rip out the log line.

comment:2 Changed 3 years ago by nickm

Keywords: 029-nickm-unsure added

comment:3 Changed 3 years ago by teor

Keywords: 029-teor-no added

As arma points out, the drawbacks of bridge operators not seeing IP addresses by default outweigh the leaking of the occasional bridge address.

comment:4 Changed 3 years ago by arma

Keywords: TorCoreTeam201606 added
Owner: set to arma
Status: newaccepted

I'm grabbing this one to make sure it gets a resolution.

teor, do you still want this feature, or should we close the ticket as wontfix?

comment:5 Changed 3 years ago by teor

Resolution: wontfix
Status: acceptedclosed

I say wontfix

comment:6 Changed 3 years ago by teor

Milestone: Tor: 0.2.???Tor: 0.3.???

Milestone renamed

comment:7 Changed 3 years ago by nickm

Milestone: Tor: 0.3.???

Milestone deleted

Note: See TracTickets for help on using tickets.