[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] UDP Application Support in Tor

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] UDP Application Support in Tor
From: Roger Dingledine <arma@xxxxxxxxxxxxxx>
Date: Tue, 13 Feb 2024 05:15:00 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 13 Feb 2024 05:15:14 -0500
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=torproject.org; s=2022-eugeni; t=1707819308; bh=VoMHODcKgTrL4IfwYWCGhMf8XHn6CPYytA7ck33WBGE=; h=Date:From:To:References:In-Reply-To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Reply-To:From; b=J8NR1cOvOtIQQTB6VyAwMp5KTD40bjmQVNST8GWG29UaYzN9bZK/rEv0ZUzzXTRaf +JrqCG+BRW0kegPoQST3yCkTZYbMf18It3mgH16bT+nLNDxw5siSAiJwKGT1bXjDM7 ndbYOJlj+JxkdyISyDt10i6rpgn1UpDXYDZwSYYuNnwTOVORZBW1xNX+JOOy8mIhZE sROt3xWxVu32289ioHVK7TIjRnd92NV7xl1LU4tRIn9Lyv5MztGYBPjfhdll1YC2yo oiikGn9ajYCEZ18S0yZ7qqNLCE9gW7K/TiY6W38Pu/y9uqVF2k523+NwHIxVfwdTcw ptUiGNKZGo1Ww==
In-reply-to: <650b7caf-b4e5-402a-9621-c27c2d06bb5a@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <Cg-x-18D0Pe-nYcYm_TcVPkHWVTXhBNbRpacnngkyi6SGNCKiv_pfqjxZmO8L4HlpKZpPnKSPUWT2dSiMQ8iSxOBcSbCa_Jnv13ragYrLlw=@protonmail.com> <650b7caf-b4e5-402a-9621-c27c2d06bb5a@torproject.org>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Mon, Feb 12, 2024 at 10:34:21AM -0800, Micah Elizabeth Scott wrote:
> The "normal process" of sending traffic through tor does not directly
> involve TCP or TCP headers, nor are there boundaries preserved which would
> correspond to TCP segments. Individual streams are encapsulated within
> multiple other layers (tor streams and circuits, then TLS) before we
> encounter any real TCP segments.

Right -- and this is a feature in the sense that it removes a bunch of
end-to-end information that would otherwise leak.

For example, if the exit relay or the destination server can look at
the TCP headers that the client generates, they could examine how they
are constructed and how they respond to errors to make a good guess
about which operating system, and even which kernel version, the client
is running.

And there are more esoteric attacks, like knowing that the rate of clock
skew change is a physical characteristic of the hardware clock and then
using "change in skew" (looking at the timestamp in each TCP header)
as a cookie-like feature to distinguish users:
https://2019.www.torproject.org/docs/faq#RemotePhysicalDeviceFingerprinting
https://www.caida.org/catalog/papers/2005_fingerprinting/KohnoBroidoClaffy05-devicefingerprinting.pdf
(I bet there are many more papers published after that one, but our
design means we have mercifully not needed to keep up with the remote
device fingerprint literature.)

--Roger

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- Re: [tor-dev] UDP Application Support in Tor
  - From: Vilgot Bergquist via tor-dev
- Re: [tor-dev] UDP Application Support in Tor
  - From: Micah Elizabeth Scott

Prev by Author: [tor-dev] Announcing Onionspray 1.6.0 with a SECURITY fix for Onion Services rewriting proxies
Next by Author: Re: [tor-dev] Fact-checking a claim about relay/bridge fingerprint authentication
Previous by thread: Re: [tor-dev] UDP Application Support in Tor
Next by thread: [tor-dev] Announcing Onionspray 1.6.0 with a SECURITY fix for Onion Services rewriting proxies
Index(es):
- Author
- Thread