[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal #291 Properties (was IRC meeting)

To: Mike Perry <mikeperry@xxxxxxxxxxxxxx>, tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal #291 Properties (was IRC meeting)
From: George Kadianakis <desnacked@xxxxxxxxxx>
Date: Thu, 03 May 2018 14:14:02 +0300
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 03 May 2018 07:14:26 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1525346050; bh=grB47CFF+rNw22YI8PPSa7hwrLW8oOUXU8zXEbO5QxM=; h=From:To:Subject:In-Reply-To:References:Date:From; b=r97URCPAn1dTiSVDcbSteijiAeYTNhB76nZew2hizLknH4ct6EZIAmVnCQfrU861s 4qhYeP+VHK+nTJF6/rgEFbReM9onVRo7JtUA8/cvP7a+Yw7m9eQwz53pqejXHrfPZS O95aIhmsT46baD1LZ26avWHWnnC7UwZ1AdVl7X2s=
In-reply-to: <20180427115635.GE14485@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <20180416183508.GA5433@torproject.org> <20180418193931.GB2915@torproject.org> <20180425083046.GB5433@torproject.org> <92816CB7-F058-4867-AA01-454BB1490759@gmail.com> <20180427104327.GC5433@torproject.org> <20180427115635.GE14485@torproject.org>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Mike Perry <mikeperry@xxxxxxxxxxxxxx> writes:

> Mike Perry:
>> teor:
>> > 
>> > 
>> > > On 25 Apr 2018, at 18:30, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>> > > 
>> > > 1. Hidden service use can't push you over to an unused guard (at all).
>> > >  2. Hidden service use can't influence your choice of guard (at all).
>> > >  3. Exits and websites can't push you over to an unused guard (at all)
>> > >  4. DoS/Guard node downtime signals are rare (absent)
>> > >  5. Nodes are not reused for Guard and Exit positions ("any" positions)
>> > >  6. Information about the guard(s) does not leak to the website/RP (at all).
>> > >  7. Relays in the same family can't be forced to correlate Exit traffic.
>> > 
>> > I think this list is missing some important user-visible properties, or it's
>> > not clear which property above corresponds to these properties:
>> > 
>> > * Is Tor reliable and responsive when guards go down, or when I move
>> >   networks, or when I have lost and regained service?
>> 
>> I think this is implicitly provided by #4. Downtime is a security issue.
>> If (any of) a client Guard(s) are down, and the adversary can detect
>> this based on client behavior, well, that is a side channel signal that
>> provides information about the Guard. So by satisfying #4, we also
>> satisfy the weaker conditions of general reliability and responsiveness.
>>  
>> > I also think it's missing an implicit property, which we should make explicit:
>> > 
>> > * Can Tor users be fingerprinted by their set of guards or directory guards?
>> > 
>> > Perhaps this property is out of scope.
>> 
>> I think it is worth considering. We should add it if we need to do
>> another round of evaluation.
>
> Alright, for the sake of argument, let's call this Property #8:
>   8. Less information from guard fingerprinting (the least information)
>
> I argue that this #8 is also equivalent to a #9 that Roger would ask
> for:
>   9. Fewer points of observation into the network (the fewest points).
>

If we are actually aiming for 8 and 9 we need to do something about the
numdirguard=3 situation, otherwise we still have a huge guard fpr and we
still expose ourselves to more of the network even if we keep one guard.

> To avoid TL;DR, that argument is an exercise to the reader ;).
>
> Here is a proposal that beats my previous proposal on Property #8 and
> #9, while trying to preserve as many of the other properties as
> possible:
>
>  * Set "num primary guards"=1 and "num primary guards to use"=1
>  * Set "num directory guards"=1 and "num directory guards to use"=1
>  * Don't give Exit nodes the Guard flag.
>  * Allow "same node, same /16, same family" between guard and last hop,
>    but only for HS circuits (which are at least 4 hops).
>  * Allow same /16 and same family for HS circuits.

This's for all hops? So all service-side HS circ hops can share the same
family? I gues that's OK since we don't know what's happening on the
other side of the HS circuit anyhow? Or what?

>  * When a primary guard leaves the consensus, pick a new one.
>  * When a primary guard fails circuits, do $MAGIC_FAILURE_HEURISTIC.

What is the $MAGIC_FAILURE_HEURISTIC supposed to do? Also I doubt we can
do anything magic here, we even have trouble doing very naive stuff when
it comes to network-uptime response.

>
> This proposal gets strong:
>   1. Hidden service use can't push you over to an unused guard (at all).
>   2. Hidden service use can't influence your choice of guard (at all).
>   3. Exits and websites can't push you over to an unused guard (at all)
>   8. Less information from guard fingerprinting (the least information)
>
> It loses #4 (and your reliability point above), because if we transition
> to a second guard too quickly when the first one starts failing, then we
> lose the winning fingerprinting property we want to keep. So then
> therefore, we must tolerate failure and RESOURCELIMIT issues and suffer
> through connectivity issues during DoS:
>   4. DoS/Guard node downtime signals are rare (absent) 
>
> It then gets us regular:
>   5. Nodes are not reused for Guard and Exit positions ("any" positions)
>   6. Information about the guard(s) does not leak to the website/RP (at all).
>   7. Relays in the same family can't be forced to correlate Exit traffic.
>
> And again, we could get strong #6 if we allow the guard node for both RP
> and the node before the RP:
>   6. Information about the guard(s) does not leak to the website/RP (at all).
>
> So the key thing (in this property list) that forcing one guard causes us
> to lose is reliability under DoS, which is a guard discovery vector (and
> probably a source of other side channels, too).
>

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Proposal #291 Properties (was IRC meeting)
  - From: Mike Perry

Prev by Author: Re: [tor-dev] HS v3 client authorization types
Next by Author: [tor-dev] Abort in test_bridges.c
Previous by thread: [tor-dev] Bandwidth Scanning Meeting Notes 3 May 2018
Next by thread: Re: [tor-dev] Proposal #291 Properties (was IRC meeting)
Index(es):
- Author
- Thread