[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] protecting users from known relay groups with end-to-end correlation capabilities

To: "tor-dev@xxxxxxxxxxxxxxxxxxxx" <tor-dev@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-dev] protecting users from known relay groups with end-to-end correlation capabilities
From: nusenu <nusenu@xxxxxxxxxxxxxxx>
Date: Fri, 02 Dec 2016 21:50:00 +0000
Cc: abuse@xxxxxxxxxxxx, tor@xxxxxxxxxx, vnikolov@xxxxxxxxxxx, bad-relays@xxxxxxxxxxxxxxxxxxxx, nick@xxxxxxxxx, bungeetaco@xxxxxxxxxxxxxx, demfloro@xxxxxxxxxxx, abuse@xxxxxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 02 Dec 2016 16:51:46 -0500
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1480715484; bh=xwm/jyQKg0M6w0Zx0ba4KrBvOz6bMRuazGWYBsdS198=; h=To:Cc:From:Subject:Date:From; b=QGEPFPVXVEfoeGyOIA+awT4cDtEAbFRj3It6HvvGkLNE0CzbA640GTqMCNZwBx8CO T3+K8COGkBcdogvEKBWDhJicDwAdor0nUxBV66lJUUYlK+V+2f0N9nUsYFUwzo6OJy iEfWRfwhkeZXdqDcxSWEqCb0DM2nafV8ilRJ92io=
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1480715476; bh=xwm/jyQKg0M6w0Zx0ba4KrBvOz6bMRuazGWYBsdS198=; h=To:Cc:From:Subject:Date:From; b=rwsaAeSkP02z0YpTuEMYniRzb2D8Wyuqwtvu6tzY/ZIjUZYO++U234BUgXvtzJCGO B02bq0Ekth7IEln/ITRtt/nVv8g4GIPxwXglMfV7wVytIVrUYVUhhM/ms4f8Gy16zQ KCRKzvG1Fu0skDq1uSSDLt9xWi+YMm8EF2ZDgxW4=
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi,

it is a well known fact that MyFamily is a largely ignored setting,
luckily this is not a problem in most cases because

- all relevant relays are run in a single /16
or
- are only guard relays (exit probability = 0*)
or
- are only exit relays (guard probability = 0*)

but there is a limited number of relay groups** that have actual
end-to-end correlation capabilities, meaning they are potentially chosen
by tor clients for the guard _and_ exit position, even if the odds are
(hopefully) not very high.

These potentially dangerous relay groups
- are run in multiple /16 netblocks
- have an exit _and_ guard probability of > 0 (because they run exits
and guards)

Examples (generated daily):
https://raw.githubusercontent.com/ornetstats/stats/master/o/potentially_dangerous_relaygroups.txt
(see CC)

How could the risk for tor clients be reduced?
(options after enough dir auths came to the conclusion that these relays
are in fact operated by a single entity)

1) try to contact the operators and give them time to fix it
I've done that multiple times but haven't been successful [1]

2) build tools to easily/automatically manage MyFamily
done[2], but it is unlikely to be used

3) assign them the badexit flag
since exits are a scarce resource, not very wise

4) assign them the badguard flag
there is no such thing ;)

5) blacklist the entry guards (that are outside the configured family)

6) change tor's path selection algorithm to never choose more than one
relay with a given non-empty non-default contact string?
This would basically turn the ContactInfo field into the PoS token
mentioned by Mike in [3]. Since there are a few common contactInfo
strings this is probably not the best option without excluding them.




[1]
https://lists.torproject.org/pipermail/tor-relays/2016-November/010965.html
[2] https://github.com/nusenu/ansible-relayor
[3] https://trac.torproject.org/projects/tor/ticket/5565
* if we can assume onionoo's values to be accurate and realistic
** they are considered to be operated by a single group due to their
contactInfo descriptor field. This string is not verified in any way and
can therefore result in false-positives.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] protecting users from known relay groups with end-to-end correlation capabilities
  - From: teor

Prev by Author: Re: [tor-dev] blacklisting relays with end-to-end correlation capabilities?
Next by Author: [tor-dev] blacklisting relays with end-to-end correlation capabilities?
Previous by thread: Re: [tor-dev] sketch: An alternative prop224 authentication mechanism based on curve25519
Next by thread: Re: [tor-dev] protecting users from known relay groups with end-to-end correlation capabilities
Index(es):
- Author
- Thread