Opened 6 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#30499 closed defect (not a bug)

In Tor Metrics / Relay Search, users are able to enter the digital fingerprint of a bridge to run a successful search and display the data about that bridge, but the Relay Search page states, "If you are searching for a bridge, you will need to search by the hashed fingerprint. This prevents leaking the fingerprint of the bridge when searching."

Reported by: monmire Owned by: metrics-team
Priority: Medium Milestone:
Component: Metrics/Relay Search Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

At https://metrics.torproject.org/rs.html, the page contains the caveat, "If you are searching for a bridge, you will need to search by the hashed fingerprint. This prevents leaking the fingerprint of the bridge when searching."

However, when users enter the digital fingerprint (not the hashed fingerprint) of the bridge in the Relay Search / Query bar, the search successfully will display data about the bridge.

If Relay Search leaks bridge fingerprints when users use digital fingerprints (not hashed fingerprints) to run successful searches, we need to reconfigure Relay Search so that it will be restricted to using only hashed fingerprints to search for bridge data.

Furthermore, the hashed fingerprint of a bridge must be made visible to the user by appearing in the torrc file, i.e., the hashed fingerprint is not visible and does not appear in the torrc file when using Tor Browser 8.0.8 on macOS Yosemite 10.10.5. Only the digital fingerprint is visible, appearing in the torrc file.

Child Tickets

Change History (3)

comment:1 Changed 3 weeks ago by irl

Keywords: Relay-Search-accepts-bridge-digital-signature issue removed
Priority: HighMedium
Resolution: not a bug
Status: newclosed

If a user is going to type in a non-hashed bridge fingerprint, or any other secret, then there's not much we can do to stop them.

Relay Search actually does hash fingerprints before looking them up, so even searching for a non-hashed fingerprint doesn't actually send that fingerprint to the server.

Regarding the torrc thing, perhaps we can add comments to the file with the relay search links. This wouldn't be a problem with relay search though.

comment:2 Changed 3 weeks ago by irl

#30768 filed for adding comments to the torrc.

comment:3 Changed 3 weeks ago by cypherpunks

wait, the bridge configline in torrc does not include the hashed fingerprint ? I only provide ip port combination, tor bridge client would accept any bridge (hashed fingerprint) at this destination..

Note: See TracTickets for help on using tickets.