Re: [tor-dev] A Proposal for a hidden service revocation system

Hi Donncha,

Thanks for the feedback! This is an issue I'm passionate about and would really like to help
implement. Since the CA/Browser Forum recently adopted rules letting anyone who has the
master secret key get an EV SSL certificate for a .onion domain, a hijacker can even present
itself as a 'secure version' of the real service, with the https://, the padlock, the green bar,
and everything.

You make a good point, a local cache of previously encountered revoked services is a privacy
risk. I'll remove references to this in the next draft.

I'm very glad to hear that current hidden service directories would accept a descriptor with
a 'revoked' line! If a revocation is defined as a descriptor with zero introductory points and
a 'revoked' line, then there is no danger of accidental revocations in the current code and
no need for the modification in step 1 or the waiting period in step 2 of the timeline I
outlined. We could skip straight to step 3, modifying hidden service directories to block
'un-revocation' attempts.

The reason I suggested hijacking detection would be part of the hidden service node itself
is because I can't see any way for hijacking to be detected with certainty unless the
detector knows for sure which descriptors were published by the legitimate service
and which may have been published by someone else. I think you're right that architecturally
a detector should be a separate piece of software, but tor would need to have an local
interface which exposes this information.

Yes, it's too bad the hidden service directories are currently vulnerable to attackers intentionally
positioning themselves so that they hold the descriptors for a targeted hidden service. This is
already noted as making .onions vulnerable to DOS attacks in some of the specifications I've read,
but vulnerability to un-revocation is also serious, especially if clients do not retain a local cache
of previously-known-to-be-revoked sites.

It was my pleasure putting to this together, and I agree, it would be nice if it weren't needed! But
most services run their web server on the same machine as their tor node, so compromises are
inevitable. I can't wait for the added protection next generation hidden services look like they're
going to bring!

Cheers,
Adrien Johnson

On 2015-03-07 9:43 PM, Donncha O'Cearbhaill wrote:

Filename: xxx-rend-revoke.txt Title: Hidden Service Revocation Author: Adrien Johnson Created: 2015-03-04 Status: Draft Hidden service operators need to be able to revoke trust in their hidden service if they know or suspect their hidden service secret key has been compromised.

4.1 Basic Support For the Tor network to support hidden service revocations at a basic level, a large proportion of hidden service directories must recognize that a hidden service descriptor with zero introductory points has the special meaning of being a revocation. These hidden service directories must not allow a current unexpired revocation descriptor to be replaced by a non-revocation descriptor (so called 'un-revocation'). In all other ways, treatment of a revocation descriptor is identical to treatment of a non-revocation descriptor for a hidden service. [NOTE: Maybe we want a more explicitly requested revocation? Using a zero introductory point descriptor as a revocation has the advantage of being backward-compatible with older directory software, which will be able to accept and propagate the revocation to other more up-to-date directories, even though the older directories will not provide protection against un-revoking a hidden service if the attacker delivers an un-revocation descriptor to them directly. Is there a need for zero introductory point descriptors in any other case? If a hidden service previously published introductory points and it now no longer can be contacted at those points, and it does not have any new introductory points, it is unreachable. Publishing a descriptor announcing all zero of its introductory points will not change its reachability, though it may slightly reduce wasted effort by tor nodes attempting to reach it.]

The current rend-spec allows for hidden service's to publish descriptors without any introduction points. I think it would much better to add an explicit 'revoked' line to the revocation descriptor. I've done a quick test and it looks like relays already accept hidden service descriptors containing undefined fields. As such implementing it as such should be backward-compatible with previous version of Tor.

4.1.1 Steps required to add support 1) If current code results in hidden services publishing zero- introductory point descriptors, this is blocked to prevent accidental revocation. I would love to get this in 0.2.6. 2) If a modification is needed in step 1, then a grace period is given for hidden service operators to update their software. This grace period does not have to be long, we can move onto step 3 relatively fast, since the only penalty for accidental revocation step 3 would create is forcing the hidden service to upgrade their software, and the hidden service being unreachable for a maximum of 25 hours (lifetime of a descriptor) after the hidden service upgrades. 3) Hidden service directories are modified to not allow a current unexpired revocation descriptor to be replaced by an un-revocation descriptor. Basic support for revocation is achieved! 4) A long upgrade grace period is now given. The vast majority of hidden services should be using software which includes the modifications made in step 1 5) Expanded revocation capabilities may be added, as described below. 4.2 Expanded Capabilities 4.2.1 Cache of revoked services A Tor node which tried to connect to a hidden service in the past and discovered that the service was revoked should remember that revocation and refuse to connect indefinitely, even if the revocation ceases to be broadcast in the future.

4.2.2 Presentation to the user If an onion proxy that detects the user tried to visit a revoked service, this information should be presented to the user out-of-band. I.E not in a way that could be mistaken for a hidden service which is only temporarily unreachable, or as information sent by the service. This could be done via a system level popup, or a taskbar notification. The presentation should be strongly distinguished from a hidden service which is simple unreachable.

4.2.3 Automatic hijacking detection/revocation Tor hidden service software could have a mode to detect if another party is using the hidden service private key to publish descriptors for that service. If the hidden service operator configures it, the Tor hidden service software could immediately begin to broadcast the revocation for that service.

This may be possible, but I think it would be simpler and safer to implement "hijacking" detection outside of little-t-tor. It practice, it may be difficult to ensure that a client actually receives a revocation descriptor. Firstly this protocol won't work very well until enough relays upgrade to version implementing this protocol. Additionally with the current implementation of hidden services, an attacker who has compromised the HS key could position their relays to be the HSDir's for the revoked hidden service. They could then provide client's with only a standard descriptor and impersonate the HS. In practice it may be possible for a revocation service to to watch for this type of behaviour. Thanks for putting this together. The best solution is of course of hidden service operators their service key safe in the first place! Regards Donncha