[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
From: meejah <meejah@xxxxxxxxx>
Date: Mon, 10 Apr 2017 19:35:24 +0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 10 Apr 2017 11:36:52 -0400
In-reply-to: <573c9654-cfa1-cb02-f44c-a0ec6e567f38@riseup.net> (anonym@riseup.net's message of "Mon, 10 Apr 2017 13:53:00 +0000")
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuxh5pT8JyRFfuFi7xiOQs1_LacH60BmPkmrycfDp_piFA@mail.gmail.com> <573c9654-cfa1-cb02-f44c-a0ec6e567f38@riseup.net>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)

anonym <anonym@xxxxxxxxxx> writes:

>> It allows "GETINFO onions/current", which can expose a list of every
>> onion service locally hosted, even those not launched through
>> onionshare.

> I think this can be disallowed; in fact, when looking at the
> onionshare and stem sources I don't see why this would ever be used by
> onionshare.

I may have said this already, but I think the original comment is wrong:
this only lists ephemeral onions created by the current control
connection so I don't believe there's any information leak here anyway.

> BTW, I guess a `restrict-onion-view` would also make sense for HS_DESC
> events [..]

Yes, I think this would be good. To determine if a control-connection
owns an onion or not, I think you could either use "GETINFO
onions/current" (to ask Tor) or just remember the answers from any
ADD_ONION on "this" connection (and then match against the args in the
HS_DESC event).

If the filter is re-started, all the control connections will be lost
at which point any non-"detached" onions will vanish anyway.

> Imagine that ControlPort can take a "RestrictedView" flag. When set,
> controllers will get a view of Tor's state (streams, circuits, onions
> etc) restricted to what "belongs" to them, e.g. it only sees streams
> for connections itself made via the SocksPort. Tor would then have to
> internally track who these things belong to, which could be done by
> PID, which is pretty weak, but I bet there are more convincing ways.

Obviously as per my other post I agree with fragmented / limited views
given to "real" applications of the control-port. However, personally I
don't see the point of implementing this in 'tor' itself -- existing
control-port filters are "fairly" limited code, typically in "safer than
C" languages anyway. So then you have the situation where there's a
single trusted application (the filter) conencted to the Tor
control-port.

Ultimately, it would probably be best if there was "a" robust
control-port filter that shipped as part of a Tor release. So if that
means "must implement it in C inside Tor" I guess so be it.

Maybe this would be a good target for "experiment with Rust" if anyone's
excited about writing control-port code in Rust...?

-- 
meejah
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
  - From: Yawning Angel

References:
- [tor-dev] Control-port filtering: can it have a reasonable threat model?
  - From: Nick Mathewson
- Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
  - From: anonym

Prev by Author: [tor-dev] txtorcon versioning
Next by Author: Re: [tor-dev] txtorcon versioning
Previous by thread: Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
Next by thread: Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
Index(es):
- Author
- Thread