[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
From: George Kadianakis <desnacked@xxxxxxxxx>
Date: Sat, 05 Nov 2011 04:21:55 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 04 Nov 2011 23:22:19 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:to:subject:in-reply-to:references:user-agent:date:message-id :mime-version:content-type; bh=9sKCN9lgxwKKkJg6NbplrOE2kZTKW6NMhjagDbsinS8=; b=CVw6p9iA48n4Lv4/5WL8ceMYlz/UkihqFQzbQdno5HJNJijg5UqygDxnkKJPhQmf/F BVTc5T7r04xXFTo41pCgkNUMztzWG51CJ+ADwSA3cCEmnzt9jm5+7Xkao2O13PMVnSVk lLSKuNf2Pl0zTWVWzx+zVBuhx2a+4Y2Cvy/CM=
In-reply-to: <4EB48ACE.1090006@xxxxxxxxxx> (Julian Yon's message of "Sat, 05 Nov 2011 01:01:02 +0000")
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <87ty6jg57z.fsf@xxxxxxxxxx> <CABqy+sqBay=9Fq_CeFxtwAUXp2wUNtFH_xUXFufcRO7EKDHfpA@xxxxxxxxxxxxxx> <CACsn0ck2rscD+_+zZimQ03LnVHiL7jCzeBe62Du-uq0H8YfECA@xxxxxxxxxxxxxx> <4EB48ACE.1090006@xxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Microsoft Outlook Express 6.00.2900.5843

Julian Yon <julian@xxxxxxxxxx> writes:

> On 04/11/11 21:37, Watson Ladd wrote:
>> On Fri, Nov 4, 2011 at 4:10 PM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
>>> | Should the client send a string of the form "GET
>>> | /?q=correct+horse+battery+staple\r\n\r\n" instead of an AUTHORIZE
>>> | cell, where "correct+horse+battery+staple" is a semi-plausible search
>>> | phrase derived from the HMAC in some way?
>> 
>> Seems to me at that point we are hosed anyway. If you see
>> correct+horse+battery+staple
>> and the response is garbled data, not an HTTP response, its probably
>> something unusual.
>> Bridge descriptors should include enough information for Tor to ensure
>> that the TLS connection is safe.
>
> What if the GET request can be anything innocuous (e.g. robots.txt,
> index.html) and a valid document is sent back. But the headers include
> an ETag derived in some way from the document content (or just the URL),
> the shared secret and the bridge's TLS cert. If there's a MITM then the
> client will compute a different ETag (due to the wrong cert) and can
> close the connection. Otherwise it can immediately initiate the full
> authorisation sequence.
>
> (NB. I'm not a cryptographer; feel free to tell me where the flaw in my
> logic lies)
>
> Julian

There are some things in these HTTP solutions that make me nervous.

In the "GET /?q=correct+horse+battery+staple\r\n\r\n" client-side case
we will have to build HTTP header spoofing into the tor client, which
is not fun since modern browsers send loads of HTTP headers in their
first GET.

In the Etags/Cookies/whatever server-side case we will probably have
to build some sort of 'valid document'/'innocuous webpage' generator
into the Tor bridge, which is also not fun. Fortunately, we might be
able to reuse such a construction when Bridge Passwords fail:
https://lists.torproject.org/pipermail/tor-dev/2011-October/002996.html

Still, I would very much enjoy if we could find a way to authenticate
the bridge using the shared secret without relying on HTTP covert
channel wizardry. 

I've been thinking of having bridges that use Bridge Passwords, "tag"
their SSL certificate, say the Serial Number, with their password, and
have clients validate them before proceeding with AUTHORIZE cells.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
  - From: Julian Yon

References:
- [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
  - From: George Kadianakis
- Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
  - From: Robert Ransom
- Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
  - From: Watson Ladd
- Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
  - From: Julian Yon

Prev by Author: [tor-dev] Proposal 190: Password-based Bridge Client Authorization
Next by Author: Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
Previous by thread: Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
Next by thread: Re: [tor-dev] Proposal 189: AUTHORIZE and AUTHORIZED cells
Index(es):
- Author
- Thread