BridgeDB's get-tor-exits script doesn't account for IPv6
As Arlo pointed out on the tor-dev mailing list, the exit-addresses script running on check.torproject.org doesn't include IPv6 exit addresses, making anything that relies upon the list unreliable. BridgeDB's scripts/get-tor-exits downloads the output of exit-addresses, and uses it to treat clients using Tor to request bridges as coming from the same address. Not taking IPv6 addresses into account will allow an adversary to use IPv6-capable tor exits to get additional bridges during a time period.
Some new script should be written to generate a list of IPv6 (optionally also IPv4 addresses, so that everything is in one document) exit addresses to fix this issue.
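
The gap described above, as an added example that is not BridgeDB's code: clients arriving from known exits are folded into one shared key, and an IPv4-only list leaves each IPv6 exit with its own key. The one-address-per-line list format, the `tor-exits` key and all function names are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import ipaddress

TOR_EXIT_KEY = "tor-exits"  # hypothetical name for the shared bucket

def normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def load_exits(lines):
    """Build the exit set from one-address-per-line text (assumed format)."""
    exits = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        try:
            exits.add(normalize(line))
        except ValueError:
            continue  # skip malformed entries instead of aborting the load
    return exits

def client_key(client_addr, exits):
    """Return the shared key for exit traffic, else the client's own address."""
    ip = normalize(client_addr)
    return TOR_EXIT_KEY if ip in exits else str(ip)

def distinct_keys(clients, exits):
    """Set of separate identities the given requests would be counted as."""
    return {client_key(c, exits) for c in clients}

# Constructed sample data (documentation address ranges, not real exits).
IPV4_ONLY = ["192.0.2.10", "192.0.2.11  # second exit"]
COMBINED = IPV4_ONLY + ["2001:db8::a", "2001:DB8:0:0::b", "not-an-address"]
CLIENTS = ["192.0.2.10", "::ffff:192.0.2.11", "2001:db8::a", "2001:db8::b"]

if __name__ == "__main__":
    # IPv4-only list: each IPv6 exit is counted as a separate client.
    print(sorted(distinct_keys(CLIENTS, load_exits(IPV4_ONLY))))
    # Combined list: every request collapses into the single shared key.
    print(sorted(distinct_keys(CLIENTS, load_exits(COMBINED))))
```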