Opened 7 years ago

Closed 5 years ago

#7523 closed task (invalid)

Decide whether reputation should be tracked between accounts

Reported by: aagbsn
Owned by: isis
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity:
Keywords: BadIdea™
Cc: isis
Actual Points:
Parent ID: #7520
Points:
Reviewer:
Sponsor:

Description

From https://svn.torproject.org/svn/projects/design-paper/blocking.html#tth_sEc7.4:

We could track reputation between accounts (if you delegate to somebody who screws up, it impacts you too), or we could use blinded delegation tokens [5] to prevent the website from mapping the seeds' social network. We put off deeper discussion of the social network reputation strategy for future work.

There are some clear advantages to being able to link accounts. For example, if accounts are *not* linked, a simple attack would be to use one account to harvest tokens (invites) and use subsequently activated accounts to enumerate bridges.

However, we might not want the liability of storing the social graph, in case the database were compromised. Perhaps we could consider an approach where links between accounts degrade (are removed) over time, or we only track a few links of the account chain.

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by isis

Cc: isis added
Owner: set to isis
Status: new → assigned

comment:2 Changed 5 years ago by isis

Keywords: BadIdea™ added
Resolution: invalid
Status: assigned → closed

We definitely do not ever want a social graph of all the activists worldwide who use Tor bridges. That is extremely sensitive and dangerous information, and would make BridgeDB and its operator much higher priority targets. Never never never.
