Opened 21 months ago

#19997 new defect

BridgeDB's get-tor-exits script doesn't account for IPv6

Reported by: isis
Owned by: isis
Priority: Medium
Milestone:
Component: Obfuscation/BridgeDB
Version:
Severity: Major
Keywords: bridge-enumeration
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

As Arlo pointed out on the tor-dev mailing list, the exit-addresses script running on check.torproject.org doesn't include IPv6 exit addresses, making anything that relies upon the list unreliable. BridgeDB's scripts/get-tor-exits downloads the output of exit-addresses, and uses it to treat clients using Tor to request bridges as coming from the same address. Not taking IPv6 addresses into account will allow an adversary to use IPv6-capable tor exits to get additional bridges during a time period.

Some new script should be written to generate a list of IPv6 (optionally also IPv4 addresses, so that everything is in one document) exit addresses to fix this issue.
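
The gap described in this ticket, as an added example that is not BridgeDB's code or part of the original report: an exit list holding only IPv4 addresses leaves an IPv6 exit outside the shared Tor bucket, while a list that also carries IPv6 entries closes it. Assumptions: the `ExitAddress` line layout, the presence of an IPv6 `ExitAddress` line in a fixed list, and the hypothetical `bucket_for` rate-limit key; all fingerprints, timestamps and addresses are constructed.

```python
import ipaddress

# Constructed sample in an ExitNode/ExitAddress layout (assumed format).
# Fingerprint and addresses are placeholders from documentation ranges; the
# IPv6 ExitAddress line is an assumption about what a fixed list would add.
SAMPLE_V4_ONLY = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-08-25 01:00:00
LastStatus 2016-08-25 02:00:00
ExitAddress 192.0.2.10 2016-08-25 02:05:00
"""
SAMPLE_DUAL_STACK = SAMPLE_V4_ONLY + "ExitAddress 2001:db8::10 2016-08-25 02:05:00\n"


def normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_exit_addresses(text):
    """Return the set of exit addresses, skipping malformed lines."""
    exits = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitAddress":
            try:
                exits.add(normalize(fields[1]))
            except ValueError:
                continue  # not a valid IPv4 or IPv6 literal
    return exits


def bucket_for(client_addr, exits):
    """Hypothetical rate-limit key: one shared bucket for all Tor exits."""
    ip = normalize(client_addr)
    # Compare parsed address objects, not strings, so that different text
    # forms of the same IPv6 address land in the same bucket.
    return "tor-exits" if ip in exits else str(ip)
```

With the IPv4-only list, `bucket_for("2001:db8::10", ...)` returns the address itself, so that client is counted separately from other Tor users; with the dual-stack list it returns `"tor-exits"`.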
