On 2018-02-08 10:54, Sebastian Hahn wrote:
> Hi there,

Hello!

> I don't want to declare it a showstopper outright, but:
>
> On 8. Feb 2018, at 09:42, Karsten Loesing <karsten@torproject.org> wrote:
>> These sound like variants of the first disadvantage listed above. There are two additional assumptions in here, though:
>>
>> - bridge operators use the same or a similar email address as their bridge contact information and for mailing list/forum postings or in their whois information;
>> - bridge operators are running their bridges close to the host they're using to post to mailing lists/forums or close to the host where they're hosting a registered domain.
>
> Neither is required.

Hmm? Not sure I understand.

> The only assumptions are that it is possible to enumerate whois information for the entire v4 internet (which should be the case)

Right.

> and that it is possible to link the email address provided in the contact line with the name that's used in whois (which might or might not be easy; in my case it'd actually be trivial because the name is a part of my email address).

Yes, but this is what I mean in assumption 1) above. You could easily have used a new address for the bridge.

>> I can see situations where both assumptions are met. But I think, overall, that the likelihood of locating a bridge by connecting contact information to mailing list archives, forum postings, or whois information makes this attack rather unattractive.
>>
>> I'd say let's list this as another possible disadvantage, and let's compare them all to the possible advantages at the end.
>>
>> Unless you thought of this as a show-stopper, in which case I'd kindly ask you to elaborate.
>>
>> Thanks for the feedback, Geoff and Sebastian!
>
> Just to summarize how the attack would work: you link the email to anything containing a real name; you crawl whois for IPs assigned to people with that name; unless they use some anonymizing technique, you get a (small) list of candidate IP addresses to test.

Yes, but this only works if assumption 2) above is met. You could easily have run your bridge on a different host than the one that is connected to whois information under your name/address.

> To be clear, I see how this could be used to locate some unknown fraction of bridges with relatively small effort. Similar to the first attack that I mentioned under possible disadvantages, and similar to how similar relay and bridge nicknames could give hints on bridge locations.

The question in the end will be whether we want to trade these disadvantages for the advantages from making bridge contact information available to more than a handful of people. I don't have the answer to that question yet.

> Cheers,
> Sebastian

Thanks for your input!

All the best,
Karsten