[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] Snowflake server and traffic analysis questions
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] Snowflake server and traffic analysis questions
- From: Cecylia Bocovich <cohosh@xxxxxxxxxxxxxx>
- Date: Wed, 15 Jan 2020 14:36:03 -0500
- Autocrypt: addr=cohosh@xxxxxxxxxxxxxx; keydata= xsFNBFxBMzEBEACUU0GfXEj3NF7+JL82kTUDF9BWemn4laK+9169nro8eg1aG445A2MyShvu /EOhvpHGRC2380IikbqyGqiLsQr0T3gB/DMAFAi1aJ9win7TTq/XYK0GEDWGdDmKAEhwDJNx oKtYLFlM5yIqNAN6yPwmspTDZ3uliQToiHJwg90fPDzbN0vtgU4UJn6vLFfAQiyMW+c/iFWv HRcz7LaOQtTFsbjY6tclnPwGrH/GA0Rt5y0jmHDIfRyeM/yILyOBIf7xedQ/IYiZ6+DJ1v4U P9aTRfo2hWqpXM3+ICf89UsYA2QCFwjTYk0576ib1KNev6SAT7D5oHb2nSVfG67sX4Wj4V9G AtEmHDXQjophA+Srkv1PvZaFnw71NBNG1zYUe6zsT8IlTmHMeCATodw03jXYVDpUk2AvuSdN 3TAdb7YWtHswHHSGdFEizqt2prk6LpcnKR7TU//VeGh9jetQBMb6B8UbYi5bUjUmTOmxcuoD 0A2Jkym9uLALl8mq4OC1fGM8S0zfyUOdKJ3tEmRzSZ+DkcQ44cznCnwOksXWNmbw/LxCkvq2 /g1SOg7UDre+oy8SHyhvoDgBkS7HOAx3HSrdb2jUT4EVB2HgsV39yP2O5rzLPyC2psVdDmcg Rn2wHETKdJSevzw8N7G2oC3NSyzfAS8V3GXRfQJtBaV4Bf3DMQARAQABzShDZWN5bGlhIEJv Y292aWNoIDxjb2hvc2hAdG9ycHJvamVjdC5vcmc+wsGoBBMBCAA7AhsjBQsJCAcCBhUKCQgL AgQWAgMBAh4BAheAFiEEWmGM6ECIOUK68TNPAJ3jef2be5AFAlxR8pQCGQEAIQkQAJ3jef2b e5AWIQRaYYzoQIg5QrrxM08AneN5/Zt7kPASD/0fP5LlRH1jIKj/cof58Q6s0AGdfC9srQPi IoxntyJksj3zfEE5sg0gQpSz5hUMbDVBrDfOxF7I2ldRR47ihFe5Ued/OrXOV6Zpl6YGmaQ/ 2nr3VedeDb5dySf3s/J7/lAwrkRwRPYH1qrLc6zM49EmCZbTh2vLHd6CQibKROXxaNtFk4KP DmaQn26hU4WW+XYccXPzw0cYDaRRqQ7WEaOowiywIjkods/Yw1OnYeml6h0Bx5p4bplv5zAM 2n3YG1ZgSxcllC/8gu3WkmkxlfkWFI9F6G7FIG+a4HEEsvf0p8vePtN05TSJp3+skqKBhrAY YWMGjkO7SK3X9zOyF3+yixWHfcWeNQ29TeWeGRSo8oukvEA1gKHZS/JStMI2bB24cOmhC1tM a0R4/wNOiAYwXp+kDAeAUloJEesJ27nozedKKnOwXsZYvPaXsxjK72bpgHomCil8d8DM1qo/ o0fP9P7KnSFAbfsLw69xDSHLQKzMdXRGkXZzrwE9r7OnbrxQ5ukUass8puLNLe2UU0aVlDbQ NkJ0HNy6upJOvxwrj7X+IHBW1z9Lda1KWzyFqSC6rtsY1yChZRjM5iManmVJz0i1CaKz2ufQ tL6caBDioqJxHP883Ao2UBteXnpQVtVAFnbOk7jqVCy/qutH1JnBs1i+RXgjM8CvQXxlCssC S87BTQRcQTMxARAA66ekHf6H5A66OPjVmbT5R4g1qpI1BJqXoDbk2KiySMt7vY9l4xrBnDAM f8Yd1yUB7qdfZKHoxazj1ld6kMl0H1Y/mKGzPOVAWTATKSqpqiNTy1lBcxUSZkJ4WQfZuf+t +0JBTTECvcUBaaKk5qb8wMTzTA1m4Yjce8k4Teu13fskBjPEYFxkhoPuiwxXrvEMgwlusHPT QniPUOfcK8OcWMQYrss5nwEtLImIYYk3IV9kRd1mK5Ecl343EwBkr35z9Qo3vGXXSuE0BPI9 TWqm36mSorLtfS6m8a9hWIqxyhZ05coH0P2Z/znUId4cRuKH09Ta1TZun1Qcs/AnNv96t/RP y3UBOB4oLV0o9sPKMteiiXAvi+vqVer1B5dCtB5bM9EXKQCtEivKmxXkcLgBQuPztAQZqaS9 1gxbi9koEq55MwWAm457sCxOH8Sxy3wQK46Fbkquwv/n/NrbLdm/XA/qjoFKAvQFRx51IFNc DjhVlqp9NLLZGEb6AlKQZTdPLnZgZ+HZRlaSJgFrdStuz9wqcHgI+KkonKk5NHacDAsFapZB kAHxlsxbOuRBjalRGkWFOpz6hXxAKT9NZLk+tJy5b7XFhQw6nTLD91locsaQG5Vhos5ojcsE wZjO6M9GpgE3jqLfdhmmsvxcsfEuk89vheVkfLci5rZ+hCcxM+EAEQEAAcLBjQQYAQgAIBYh BFphjOhAiDlCuvEzTwCd43n9m3uQBQJcQTMxAhsMACEJEACd43n9m3uQFiEEWmGM6ECIOUK6 8TNPAJ3jef2be5CVuw//Ut9cwg4mnI4rl2AsTCEU4liXMdjjs6JZCRVgf5hjh8rzDbK8/XrK oKZDEXNO2gV1V2k6titbjaHm/OBsRjBAZXRM5JWWv8fnNPNoL/MB19SmdYssl6XQoJxufKAR cyaI9/JsNjeyV21lAYhr6eyrJ4xn7sJXCG6hDIoD0pe80/C/AO8rUBxQDdzP3kQJqp4SpeWp m8eHnhzBkHpHjxsLbcKDLuooCrpAQ5QaNr3IDj5gU9iyqHIkdzcXJDDs0lW3LzT0G5kA27CB A/5vK41986tIpXwdCUAQbhvFMKtsverQsCXFcXod0jn68IMDbJiksopJkLhEB2J4YBsdkVov ynS+JqgH5kK75gXkNV1lB/R1Oq7SOp1HBM6FeG1ifQ4eV6OxeYU/Jlz8Cm0KztJlmD8wUxad 7KkwBG5YzjnApafk7NHdwP9UYzpBJNF5ZLzDIpgKLtoWGhvfTvpBztWaXtwA0z0RpnohzCoK VIixihK9XoFYN7mmdmkasx7fWGsbeprX7Ohc356Q4EC2W+2bMXA+pI+75MVdaSN7dOWoQMLi 3hOYoCWrdr8FBaAdB8SXempNoK4G3VQ+bjBLCxZDFINdBAknYibCVifGPI2FrVwAvgYKMdUX IorYDTb5ADQwy3YtX1G2i9lB5NgLPcVf3iGgqJXsfoHH8LAnpJHYcU4=
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Wed, 15 Jan 2020 14:36:42 -0500
- In-reply-to: <61c11209-756f-3b1a-1758-bcdcc129d575@riseup.net>
- List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
- List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
- List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
- List-post: <mailto:tor-dev@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
- References: <61c11209-756f-3b1a-1758-bcdcc129d575@riseup.net>
- Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
> Goal: We (Whonix) are researching optional bridge hosting for our users
> to thwart web fingerprinting. Snowflake makes the most sense since no
> NAT hole-punching is needed. Correct me if I'm wrong here because if
> that was possible with obfs4 or meek it would save a lot of work.
>
> We now know acting as a bridge makes the user act as a guard node and
> not just a rendezvous to one.[1]
Hi,
Thanks for the email. We'reassuming you are considering this website
fingerprinting defense after reading this recent blog post:
https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations
First, to clear up some information about Snowflake:
- Volunteer Snowflakes run proxies to the bridge, *not bridges
themselves*. These proxies can be run behind a NAT because clients use
the built-in NAT punching properties of WebRTC to connect. The proxies
then open a WebSocket connection the Snowflake bridge and relay data
between the WebRTC connection with the client and the bridge.
- The Snowflake bridges cannot run behind a NAT and are similar to all
other existing PTs in this regard.
- See https://trac.torproject.org/projects/tor/wiki/doc/Snowflakefor
more information
So, in order to implement use the defence referenced in the blog post in
a Snowflake setting (and behind a NAT), you would have to run a
Snowflake proxy and write your own client that would encapsulate your
Tor traffic and send it through a TCP WebSocket connection to the
Snowflake bridge.
However, we do not think this will be an effective website
fingerprinting defence, for reasons outlined below:
1) The defense as described in
https://github.com/mikeperry-tor/vanguards/blob/master/README_SECURITY.md=#the-best-way-to-run-tor-relays-or-bridges-with-your-service
is meant to hide *onion service traffic*, not client exit traffic
through the
Tor network. So unless your intended use case is to disguise an onion
service that is running behind a NAT, this defence isn't what you want.
And, in fact, outside of onion services we don't yet suspect website
fingerprinting of client traffic to be a severe enough threat to warrant
this type of defense for internet-destined tor traffic. As the blog post
states, while the attack is an improvement and points to areas where
we should look for mitigations, there still are barriers to a practical
attack against generic tor exit traffic.
2) Because Snowflake traffic between each client and your proxy is a
distinct WebRTC connection and corresponding traffic between the proxy
and the Snowflake bridge is a distinct TCP connection, it would be
trivial for an adversary to filter out traffic originating from your
node (i.e., your onion service traffic) from other clients' proxy
traffic by simply matching up WebRTC and WebSocket flows by matching
patterns of incoming and outgoing packets. The WebSocket flow that does
not have a corresponding WebRTC connection will be your onion service
traffic which can then be fingerprinted as easily as before.
3) We'd like to clarify that we suspect this defense to be the helpful,
but it has not yet been conclusively shown to be so, and likely may not
be in DPI'd bridge and/or low-traffic situations. In fact, after some
discussion, we suspect that in most cases, other PT's bridge traffic will
also be posible to remove from consideration, in ways beyond the simple
connection matching above. To really have a chance of other traffic
providing cover, client traffic needs to be mixed with concurrent
relayed Tor relay traffic, which may require a relatively high speed
main network relay to happen frequently enough to help.
Mike has filed vanguards issue #50
(https://github.com/mikeperry-tor/vanguards/issues/50)
to correct and clarify the vanguards documentation on these points.
> [1]
> https://tor.stackexchange.com/questions/3636/what-is-the-relationship-betwee <https://tor.stackexchange.com/questions/3636/what-is-the-relationship-between-guard-nodes-and-bridges>n <https://tor.stackexchange.com/questions/3636/what-is-the-relationship-between-guard-nodes-and-bridges>-guard-nodes-and-bridges <https://tor.stackexchange.com/questions/3636/what-is-the-relationship-between-guard-nodes-and-bridges>
>
> Some questions to help with implementation:
>
> * Do the user's own data go through just two hops as well or are they
> sent to the guard node they chose before deciding to run as a bridge?
> How do configure Tor to do the former if it isn't?
If you configure a bridge using the same Tor client instance, then
client-originating traffic will still use an upstream guard node, and
more hops after that. However, this has some downsides in terms of
potential stalls in all traffic during client activity, which undo some
of the benefit from having additional through traffic:
https://trac.torproject.org/projects/tor/ticket/16585
There is also some risk if the bridge extra-info descriptor can be
obtained (not sure if this is possible) due to
https://trac.torproject.org/projects/tor/ticket/8742
If you use the separated tor instance setup described in
https://github.com/mikeperry-tor/vanguards/blob/master/README_SECURITY.md#the-best-way-to-run-tor-relays-or-bridges-with-your-serviceto
avoid the client-induced traffic stalling problem,
then user traffic will use one less hop, since the "Guard" position will
be taken up by the locally run but separate tor Bridge instance.
This is less of a problem for onion traffic with vanguards because there
still are Layer2 vanguard nodes after that. But for non-onion traffic,
users will only be using 2 hops after the local bridge. Mike will also
clarify this point in the vanguards documentation.
> * Are there plans to create signed debs for snowflake client/server so
> we can use it with Debian's tor daemon?
> * Do Tor Browser bundles with the snowflake addon also include the
> server component?
They do not. In fact, you cannot run a Snowflake proxy from Tor Browser,
since Tor Browser disables WebRTC.
> * Do Alpha bundles have this code yet?
Yes, alpha bundles allow you to use the Snowflake pluggable transport as
a client.
> * When are these bundles expected to arrive to stable?
Not sure! But soon, probably. We have a few outstanding performance
considerations to tackle.
> * Is it possible to interact headlessly with the snowflake server
> component via commandline? How?
Yes, see the instructions in the client README on the Snowflake repo:
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/README.md?id=3D6077141f4affdab9b7ce97a9b1c6859825eaaa29
> * How can we run TBB headlessly so users don't mistakenly interact with
> it on the gateway?
You can send Tor traffic (both with and without configured pluggable
transports) without using Tor Browser by configuring a torrc file and
running `tor -f torrc`.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev