Opened 6 years ago

Closed 2 years ago

#3292 closed task (wontfix)

Let bridge users specify that they don't care if their bridge changes fingerprint

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-bridge flashproxy
Cc: ln5, dcf@…, isis
Actual Points:
Parent ID: #4624
Points:
Reviewer:
Sponsor:


We have an increasing set of situations where the user configures a bridge address that isn't actually the address of the place running the Tor program.

In scenario 1, we have a bridge running at point X, but addresses A and B both route to it, and the user types either A or B into her Vidalia bridge list.

In scenario 2, there's a bridge at point X and another bridge at point Y, and addresses A and B point to one of these bridges and fall back to the other as needed.

That sounds great for robustness, but if you configure your bridge at address A, and it forwards traffic to the bridge at address X which has fingerprint X, and then later it starts forwarding its traffic to address Y which has fingerprint Y, your Tor client will scream murder and stop using the bridge you've configured as A.

What exactly are we protecting against by refusing to use the network when A's fingerprint changes? Is that something we want to keep allowing users to protect against, or can we just change Tor to ignore wrong fingerprints on its bridge?

As a bonus, relaxing our security requirements here would let us tolerate SSL cert replacement attacks at the firewall -- so long as the attacks still allow us to talk our Tor protocol underneath.

This topic is related to #2764.

Change History (11)

comment:1 Changed 6 years ago by arma

This discussion ties into Sebastian's blog post:

If you're using a bridge for reachability rather than security, we should remove as many barriers to continuing to use the bridge as we can.

comment:2 Changed 6 years ago by arma

Parent ID: #4624

comment:3 Changed 6 years ago by arma

Component: Analysis → Tor Bridge
Milestone: Tor: unspecified
Summary: Should bridge users care if their bridge changes fingerprint? → Let bridge users specify that they don't care if their bridge changes fingerprint

comment:4 Changed 6 years ago by ln5

Cc: ln5 added

comment:5 Changed 5 years ago by nickm

Keywords: tor-bridge added

comment:6 Changed 5 years ago by nickm

Component: Tor Bridge → Tor

comment:7 Changed 5 years ago by dcf

Cc: dcf@… added

comment:8 Changed 3 years ago by dcf

Keywords: flashproxy added

comment:9 Changed 3 years ago by isis

Cc: isis added

comment:10 Changed 2 years ago by isis

Status: new → needs_information

Is this still something we want to implement?

I'm inclined to say that it's unnecessary, given that most users have at least a few bridges, and if one changes fingerprints then the next one will be used. Further, if the user doesn't care if BridgeA changes its fingerprints, and they do not specify a fingerprint on the bridge line for BridgeA, then tor will use whichever fingerprint it discovers upon process (re)start… so changing fingerprints when no fingerprint was specified only means that the bridge is unusable until the next restart.

comment:11 Changed 2 years ago by nickm

Resolution: wontfix
Status: needs_information → closed

I agree. This is another direction that bridges might have gone but I don't think it's in our current design trajectory.
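Added example, not part of the ticket and not Tor's code: a toy model of the three behaviours discussed above (a fingerprint given on the bridge line, no fingerprint given as described in comment:10, and the option this ticket proposed), run against scenario 2. The class names, the `ignore_changes` flag and the `FP_X`/`FP_Y` values are hypothetical and constructed for illustration.

```python
# Toy model (an assumption-based sketch, not Tor's implementation) of how a
# client treats a configured bridge address whose backend identity changes.
from dataclasses import dataclass
from typing import Optional

@dataclass
class BridgeLine:
    address: str                       # what the user typed, e.g. address A
    fingerprint: Optional[str] = None  # identity fingerprint, if the user gave one
    ignore_changes: bool = False       # hypothetical option proposed in this ticket

class Client:
    def __init__(self, line: BridgeLine):
        self.line = line
        self.learned: Optional[str] = None  # identity discovered since last start

    def restart(self) -> None:
        self.learned = None  # a discovered identity does not survive a restart

    def connect(self, presented: str) -> bool:
        """Return True if the client keeps using the bridge."""
        if self.line.ignore_changes:
            return True               # proposed behaviour: never compare identities
        expected = self.line.fingerprint or self.learned
        if expected is None:
            self.learned = presented  # nothing configured: adopt what was discovered
            return True
        return presented == expected  # mismatch: stop using this bridge

def run(line: BridgeLine, events):
    """events: fingerprints presented in order, or the marker 'RESTART'."""
    client, results = Client(line), []
    for event in events:
        if event == "RESTART":
            client.restart()
        else:
            results.append(client.connect(event))
    return results

# Constructed scenario 2: address A forwards to bridge X, then falls back to Y.
EVENTS = ["FP_X", "FP_Y", "RESTART", "FP_Y"]

if __name__ == "__main__":
    for name, line in [("fingerprint given", BridgeLine("A", "FP_X")),
                       ("no fingerprint", BridgeLine("A")),
                       ("ignore changes", BridgeLine("A", ignore_changes=True))]:
        print(f"{name:18} {run(line, EVENTS)}")
```

In this model the third policy accepts whichever identity answers at address A, which is the check the ticket asks whether users should be able to give up.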
