Should SafeLogging hide bridge IP addresses in logs?
Bridge relay operators sometimes post logs containing their bridge's IP address.
We could make this less likely by making SafeLogging 1 (the default) filter bridge IP addresses in messages like:
- "Your server (%s:%d) has not managed to confirm that its ORPort is reachable" ...
- "Your server (%s:%d) has not managed to confirm that its DirPort is reachable" ...
- "Now checking whether ORPort %s:%d"...
- "and DirPort %s:%d"
- anything else that lists a bridge's IP or fingerprint
This could be implemented by creating safe_str_bridge and escaped_safe_str_bridge similar to safe_str and escaped_safe_str, but with a check if BridgeRelay is 1 as well. It would also need a tor manual page update that says that we escape bridge information when SafeLogging is anything besides "0".
Or, we could add "bridge" to the options for SafeLogging, but that seems over-complicated, because we'd have to define 1 vs relay vs bridge semantics in a way that makes sense.
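
A self-contained model of the safe_str_bridge semantics proposed above, added here as an illustration and not taken from the Tor source: scrub only when BridgeRelay is 1 and SafeLogging is anything besides 0. The `model_*` names, the options struct and the sample address are assumptions; "[scrubbed]" is the placeholder Tor's existing safe_str helpers return.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the two torrc options involved; not Tor's own types. */
typedef enum { SAFELOG_0 = 0, SAFELOG_1 = 1, SAFELOG_RELAY = 2 } safelog_t;
typedef struct {
  safelog_t safe_logging; /* SafeLogging 0|1|relay */
  int bridge_relay;       /* BridgeRelay 0|1 */
} model_options_t;

/* Hypothetical safe_str_bridge(): scrub only when this is a bridge
 * and SafeLogging is anything besides 0. */
static const char *
model_safe_str_bridge(const model_options_t *opts, const char *address)
{
  if (opts->bridge_relay && opts->safe_logging != SAFELOG_0)
    return "[scrubbed]";
  return address;
}

/* Build the ORPort reachability message quoted in the ticket. */
static int
model_orport_msg(const model_options_t *opts, const char *address, int port,
                 char *buf, size_t len)
{
  return snprintf(buf, len, "Your server (%s:%d) has not managed to confirm "
                  "that its ORPort is reachable",
                  model_safe_str_bridge(opts, address), port);
}

int
main(void)
{
  static const char *names[] = { "0", "1", "relay" };
  char buf[160];
  for (int bridge = 0; bridge <= 1; bridge++) {
    for (int sl = 0; sl <= 2; sl++) {
      model_options_t opts = { (safelog_t)sl, bridge };
      /* 192.0.2.10 is a constructed documentation address. */
      model_orport_msg(&opts, "192.0.2.10", 9001, buf, sizeof(buf));
      printf("BridgeRelay %d, SafeLogging %-5s: %s\n", bridge, names[sl], buf);
    }
  }
  return 0;
}
```

In this model a non-bridge relay still logs its address under every SafeLogging value, which matches the ticket's intent of changing behaviour only for bridges.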