Opened 13 months ago

Closed 6 months ago

Last modified 3 months ago

#28496 closed enhancement (fixed)

Consider dropping yahoo from the bridgedb email domains

Reported by: arma
Owned by: phw
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity: Normal
Keywords: anti-censorship-roadmap-2019
Cc: irl, phw
Actual Points: 0.5
Parent ID: #31280
Points: 1
Reviewer: sysrqb
Sponsor: Sponsor30-can

Description

As I understand it, right now bridgedb will respond to email bridge requests from three domains: riseup, gmail, and yahoo.

We chose those three originally since they all seemed to have pretty good sybil protection for account creation.

But I bet yahoo has fallen behind the other two on its account creation protections.

We should explore how much use we're seeing from each of the three domains we allow, just to get a handle on the current situation. But even if we see a lot of use, that doesn't mean it's used by a lot of users, since high activity could also indicate high use by an enumerating attacker.

But we might also see little use from yahoo, in which case this is an easier call.

And then we should consider disabling the yahoo part.

(We might also want to add a few more domains -- and for that we should first look at what countries (a) need non-default bridges, and (b) censor the bridges.torproject.org website. And then open separate tickets.)

Child Tickets

Attachments (1)

yahoo.png (16.8 KB) - added by phw 7 months ago.
Yahoo disposable email addresses


Change History (16)

comment:1 Changed 12 months ago by gaba

Keywords: bridgedb added

comment:2 Changed 11 months ago by gaba

Owner: sysrqb deleted
Points: 1
Status: new → assigned

comment:3 Changed 10 months ago by dgoulet

Owner: set to dgoulet

comment:4 Changed 9 months ago by irl

Cc: irl added

comment:5 Changed 8 months ago by phw

Cc: phw added

Over at #9316, we're thinking about what statistics BridgeDB should keep track of. The number of email requests per provider should be one of them, which will help with this ticket.

comment:6 Changed 7 months ago by gaba

Keywords: anti-censorship-roadmap-2019 added; bridgedb removed

comment:7 Changed 7 months ago by cohosh

This is related to an issue brought up by pili recently due to conversation in #tor. A bridge user was complaining that the accepted email providers required giving up personal information (a phone number) in order to make an account so they could get bridges.

I wonder if it's possible to assess what kind of sybil detection each of these providers has? For example, they might also be doing it by IP address, which would be transparent to us but still effective (though maybe not against an ISP that has access to many IPs).

Somewhat relatedly, we could do tests as partially described in our obfs4 testing ticket #29279 that check how quickly the bridges handed out via different providers and different methods are being enumerated in a few target regions. I think this would give us information separate from #9316. This would be a good thing to do consistently I think, both before and after we make changes to how we do our distribution.

Changed 7 months ago by phw

Attachment: yahoo.png added

Yahoo disposable email addresses

comment:8 Changed 7 months ago by phw

I learned from a researcher that Yahoo lets you create up to 500 disposable email addresses, which are intended for third-party newsletters:

[Image yahoo.png: Yahoo disposable email addresses]

BridgeDB interprets these disposable addresses as unique users, which makes it easy for an attacker to get a disproportionately large number of bridges. We could teach BridgeDB to recognise disposable Yahoo addresses but at this point the better way forward may be to just disable Yahoo altogether.
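As an added illustration of the allowlist change this thread converges on (example code, not BridgeDB's own; the canonicalisation rules, the alias table and the sample addresses are constructed assumptions), this sketches the sender check an email distributor performs, with the domain list before and after dropping yahoo.com, and the per-domain request count that comment:5 asks for:

```python
import re

# Assumed domain allowlists: the three providers named in the description,
# and the list after dropping yahoo.com as the ticket proposes.
DOMAINS_BEFORE = {"riseup.net", "gmail.com", "yahoo.com"}
DOMAINS_AFTER = {"riseup.net", "gmail.com"}

# Assumed aliases folded to one canonical domain (constructed, not BridgeDB's list).
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}

def canonical_sender(address):
    """Normalise a From address: lowercase, fold domain aliases, strip +tags,
    and ignore dots in Gmail local parts so one mailbox is one identity.
    Returns (local, domain), or None for a malformed address (assumed rules)."""
    m = re.fullmatch(r"\s*([^@\s]+)@([^@\s]+)\s*", address.lower())
    if not m:
        return None
    local, domain = m.groups()
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.split("+", 1)[0]
    if domain == "gmail.com":
        local = local.replace(".", "")
    return local, domain

def accept_request(address, allowed):
    """True only if the canonical domain is on the allowlist."""
    parsed = canonical_sender(address)
    return parsed is not None and parsed[1] in allowed

def requests_per_domain(addresses, allowed):
    """Count distinct canonical senders per domain (the statistic comment:5
    wants); malformed or non-allowlisted senders are tallied under 'rejected'."""
    seen = {}
    for addr in addresses:
        parsed = canonical_sender(addr)
        if parsed is None or parsed[1] not in allowed:
            seen.setdefault("rejected", set()).add(addr)
        else:
            seen.setdefault(parsed[1], set()).add(parsed)
    return {domain: len(senders) for domain, senders in seen.items()}

# Constructed sample senders: the dotted/tagged Gmail variants collapse to one
# identity, while the two Yahoo addresses remain two distinct identities.
SAMPLE = ["Alice.B@gmail.com", "alice.b+tor@googlemail.com", "aliceb@gmail.com",
          "carol@riseup.net", "dave-news@yahoo.com", "dave-shop@yahoo.com", "junk@@x"]
```

Canonicalisation only collapses variants of a single mailbox; it does nothing against the 500-per-account disposable addresses described in comment:8, which is why the thread opts to drop the domain rather than add a recognition rule.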

comment:9 Changed 7 months ago by arma

I say we drop it then.

Would have been nice to have some measurements of how much each email domain is actually used, first, but, better to drop it than to leave it in place and wait more on those measurements.

comment:10 Changed 6 months ago by phw

Sponsor: Sponsor19 → Sponsor30-can

Moving from Sponsor 19 to Sponsor 30.

comment:11 Changed 6 months ago by phw

Owner: changed from dgoulet to phw

comment:12 Changed 6 months ago by phw

Reviewer: sysrqb
Status: assigned → needs_review

I have a fix for both bridgedb and bridgedb-admin:
https://gitweb.torproject.org/user/phw/bridgedb.git/log/?h=fix/28496
https://gitweb.torproject.org/user/phw/bridgedb-admin.git/log/?h=fix/28496

I would have liked to see BridgeDB's email usage statistics before dropping Yahoo support but #9316 is still blocking on Tor's safety board. And if we drop Yahoo, we should do it before #30777, so it's probably best to move forward with this.

comment:13 Changed 6 months ago by sysrqb

Status: needs_review → merge_ready

Those are some nice hard-coded strings (for something that is considered configurable). That said, it all looks good.

comment:14 Changed 6 months ago by phw

Actual Points: 0.5
Resolution: fixed
Status: merge_ready → closed

Thanks for the review, sysrqb! Merged and deployed in 7a42b9.

comment:15 Changed 3 months ago by gaba

Parent ID: #31280