SafeLog: have a notion of "Semi-scrubbed" values.
Right now, if you want to tell the user about (say) a bridge in a safe way, our SafeLogging code forces them to decide between:
[192.0.2.55 via obfs4 $CAFEF00D1234567890AB] is not working.
[...] is not working.
The first is risky to log, and requires that they disable SafeLogging entirely. The second is useless.
Would it be reasonable to have another level of safety that display something like:
-
[192.xxx via obfs4 $CA...] is not working.
?
Before we figure out the best API, we should figure out whether this is even a good idea. It would help usability a lot, I think, but it would also create some danger: An adversary might be able to gain a surprising amount of advantage by e.g. learning that your guards are $12...
and $34...
, or that you have recently exited from $56...
, if people go around pasting that stuff into public forums.