Re: [tor-bugs] #15482 [Tor]: Don't surprise users with new circuits in the middle of browsing
#15482: Don't surprise users with new circuits in the middle of browsing
---------------------------+-------------------------------------------------
Reporter: mikeperry        | Owner: yawning
Type: enhancement          | Status: assigned
Priority: normal           | Milestone: Tor: 0.2.7.x-final
Component: Tor             | Version: Tor: unspecified
Resolution:                | Keywords: tbb-usability, tbb-wants, tor-core,
                           |   TorCoreTeam201508
Actual Points:             | Parent ID:
Points:                    |
---------------------------+-------------------------------------------------
Comment (by mikeperry):
FWIW, I like the idea behind rustybird's second patch
(https://trac.torproject.org/projects/tor/attachment/ticket/15482/IsolateKeepAliveSOCKSAuth.patch)
minus the needless whitespace changes.
I think any form of max lifespan opens up the user to both guard discovery
attacks as well as increased exit node and correlation exposure (because a
max lifespan allows an application to be induced to continually reconnect
until a compromised middle or exit node is chosen on a new circuit).
Beyond the security concerns (which should be sufficient by themselves),
it is also terrible for usability. The lifespan of HTTP connections is a
relic of the shittiness of HTTP/1.x. Both HTTP/2 and QUIC fix this, and
keep connections opened forever, because that is how sessions actually
work on the web. To drive home the usability impact of enforcing this max
lifespan: would we ever force people to reconnect to their SSH servers
every X minutes/hours/days through Tor? If we're not willing to do that,
we shouldn't do the equivalent to the web.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15482#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online