
Re: [tor-bugs] #16260 [Tor]: HS can repick an expired intro points or one that we've already picked



#16260: HS can repick an expired intro points or one that we've already picked
-------------------------+--------------------------------
     Reporter:  dgoulet  |      Owner:
         Type:  defect   |     Status:  closed
     Priority:  normal   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor      |    Version:
   Resolution:  fixed    |   Keywords:  SponsorR, tor-hs
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+--------------------------------

Comment (by arma):

 Status from Roger: I think the performance penalty from a 4-hop intro
 point is never worth it. So we could either a) only cannibalize a circuit
 if it ends at the intro point we picked, and otherwise build a new one, or
 b) simply not even check for cannibalization, since it'll almost never
 work, or c) check, even before we pick our new intro point, whether
 there's an adequate circuit to use, and if so, use it and pretend that's
 the intro point we would have picked.

 I would argue for 'a' or 'b' since they're simpler and don't involve
 subtle anonymity questions. In particular, here is the subtle anonymity
 question for 'c': let's say we built a preemptive circuit 50 minutes ago,
 and since then we fetched a new consensus document with wildly different
 weights for the last hop on that circuit. If we re-used it as our intro
 point, we would end up with different behavior than if we had picked a new
 intro point with our new weights. How bad is that? For almost all cases it
 will be roughly the same. For a few cases we'll leak...what...whether we
 had a preemptive circuit and used it? It's possible that we just lost our
 network connection for a while, leading to all our preemptive circuits
 being closed. So in a small fraction of cases we'd leak whether that was
 true? Is that a big deal?

 David argues for cannibalization because of the upcoming Usenix Security
 paper that describes cannibalization in this case as a security
 improvement. I haven't read the paper yet, but my intuition says that
 there are many ways to distinguish hidden service circuits from other
 types of circuits at the client side, since we never aimed to protect
 that. But (uninformed) intuition is a terrible thing to use when making
 these decisions.

 Anyway, there we are. :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16260#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online