[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: System time in anonymity oriented LiveCDs
On Mon, Jan 03, 2011 at 04:06:44PM +0100, anonym wrote:
> One issue for anonymity-oriented LiveCDs (such as T(A)ILS and Liberté
> Linux) is the system time. Tor requires a reasonably correct system
> time, otherwise no circuits will be opened. This is a major problem for
> these LiveCDs since they generally route all traffic through Tor
> transparently (using netfilter/iptables and the like) so no Tor circuits
> implies no network access for the user.
> Liberté Linux has a novel solution to this problem -- it sets the
> system time according to the Tor consensus' valid-after/until values,
> which essentially removes Tor's time skew check. We T(A)ILS developers
> are tempted to implement the same solution, but first we'd like to ask
> here if this is safe, or if it opens up for any unexpected type of
> attacks or problems.
Whether this is a good idea depends on where you got the consensus. If you
connect to a Tor directory mirror and it hands you a consensus from last
month, and you set your clock based on it, then you've opened yourself
up to exactly the attack that Tor is trying to defend against.
If your Tor fetches its consensus from a directory authority, you're
in better shape, insofar as the directory authorities are probably not
Relays do these directory fetches in the clear, though, due to an
earlier bug: https://trac.torproject.org/projects/tor/ticket/827
so we're back to the authentication and integrity question there. Clients
set up a TLS connection first and tunnel their directory fetches over it,
so they're in slightly better shape. Do your LiveCD users always have
both ORPort set to 0?
The better answer is for Tor clients to read the time out of the NETINFO
cells that are part of the v2 connection handshake we added in Tor
0.2.0.x. See section 4.2 of tor-spec.txt:
Using the data in NETINFO cells has been sitting on the todo list for
but nobody's moved it forward. Perhaps somebody wants to pick this up
and do it? :)
Also, ideally you want to get an opinion from more than one directory
authority. One design that I could imagine would be to, if we find a
directory mirror or entry guard whose time disagrees with us, connect
to a directory authority to get a stronger opinion. If the directory
authority also disagrees, connect to a threshold of directory authorities
and then memorize our relative clock skew based on the majority vote.
Potential complications include "what threshold should you require" and
"what if you can't reach the directory authorities directly because you're
in a censored area". Maybe in the latter case you should just believe
your bridge's clock, because it's the one giving you the directory
information anyway -- depends if the user wants her Tor to fail open
(reachability) or fail closed (safety).
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/