[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Restricting SOCKS access now and later (was Re: Proposal 351: Making SOCKS5 authentication extensions extensible)

To: Michael Rogers <michael@xxxxxxxxxxxxxxxx>
Subject: [tor-dev] Restricting SOCKS access now and later (was Re: Proposal 351: Making SOCKS5 authentication extensions extensible)
From: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Wed, 11 Sep 2024 09:12:26 -0400
Cc: tor-dev@xxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 11 Sep 2024 09:12:54 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=torproject.org; s=2022-eugeni; t=1726060365; bh=Y9bfhTDsPNcXjPFWvMrmv+IS14tbjw4cpH5H82XHngA=; h=References:In-Reply-To:From:Date:To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Reply-To:Cc:From; b=gOOypM7nRBLoFtY8mUGGBCUVWRsTZJQf1FWlmMoyUCxwMTdqvVWXYwoFjbdBLTR7b Lsz1PdQMIQUaCrQaYRnDgTr5Ih6vlqqvwiSgzZqUEjUi5fJblVwjd5izCot8K7NKV9 lp5XUa5M+zdUkfxPQZ8rRWZjvZMR8sT1Jgm3BuupvlCMJYilbkPl/w1/jnNLtB3Hzp aAZ3n0yv99CBXIdwYHpPy5rOO5GxFi5LPuUWAduKP3CbHkPkK4MCkz2+n2XLth0VS1 I2uBhBEHE5QGdflLu+BrUH9KchzveOuGrtoYN13Ccww+/x3gt4eUehjDWMPeBNCvG5 Wv1KPm9dvDujQ==
In-reply-to: <248660b4-35f0-4459-90b8-33f6d7b23879@briarproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwj-DCHuO5M5tK2eO4i1jjrsrotY4iuH5ufJMQtMRWFDA@mail.gmail.com> <248660b4-35f0-4459-90b8-33f6d7b23879@briarproject.org>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Wed, Sep 11, 2024 at 7:02 AM Michael Rogers <michael@xxxxxxxxxxxxxxxx> wrote:
>
> Hi Nick,
>
> It would be useful to have a way of controlling access to the SOCKS port
> so that untrusted applications running on the same device as a Tor
> client can't use the Tor client's SOCKS proxy. This is something that
> people auditing Briar have raised as a security concern.
>
> Unix sockets aren't a great solution here because HTTP libraries don't
> necessarily know how to connect to them. A TCP socket with
> username/password auth is what HTTP libraries are expecting to see, but
> because Tor uses the SOCKS username and password for other purposes, we
> can't currently use them for access control.
>
> Before seeing this proposal I'd thought about asking if Tor could
> support some way of configuring username/password pairs, which would
> function as real SOCKS credentials as well as providing stream
> isolation. But it seems like this proposal would make that more
> difficult, and if it's going to be possible to support SOCKS credentials
> in future, it might make sense to plan for it now.
>
> I'm not asking for username/password auth to be added to this proposal,
> just for the proposal to leave room for it to be added in the future.
>
> Can you see how that might be done?

Good question, Michael!

So, I see several answers: two comparatively simple, one a bit
trickier, one that's a bit philosophical, and two you probably can't
use.  (There are probably more I haven't thought of.)

In the order of descending usefulness:

## Simple answer 1: Extending this proposal to allow to using
username/password as a username/password

So, with this proposal (351), we have the ability to add new semantics
to the SOCKS5 username/password field: If the username begins with
`<torS0X>`, then the next byte describes what format the rest of the
username/password are in.

Now, the version of this proposal sent to the ML only defines
semantics for `0`; there's a version on gitlab (see [torspec!280])
that defines both `0` and `1`.

[torspec!280]: https://gitlab.torproject.org/tpo/core/torspec/-/merge_requests/280

But we could also add a new format (call it `P`) that allows encoding
an actual username and password.  That would be backward compatible
with this proposal, though we'd actually need to design and implement
it.

To use such a format, you might configure the SOCKS library to say
that the username is something like `<torS0X>Pmy_real_username`, and
that the password is `cnffjbeq`.

(FWIW, I believe this proposal makes it _easier_ to put a
username/password back into the SOCKS5 username password field, since
it defines a forward-compatible way to define new implementations.)

## Simple answer 2: Define a new SocksPort where Username/Password
means Username/Password

Both C Tor and Arti have the ability to define flags on a SocksPort.
We could in principle define a flag that means, "On this particular
SocksPort, Username/Password authentication is required, prop351
semantics are not available, and the username/password must be on some
list of approved users."

(Again we'd need to actually design and implement this, but it's not
impossible.)

## Trickier answer: How to do it if your application is using Arti RPC

With the Arti RPC subsystem (that's Arti's equivalent of C Tor's
control port), when your app authenticates an Arti RPC connection, it
gets an Object ID for an object called a Session.  According to this
proposal as amended at [tospec!280], you open a SOCKS connection
within a session by setting your username to
`<torS0X>1session_id_goes_here`.  (Note that Session IDs are fairly
long, and deliberately hard to guess.)

Taken together, this would make it possible to add a SocksPort flag
that means "Don't allow any SOCKS connections unless they are on a
session."

With this flag, if your application is already authenticating with
Arti RPC and linking its sockets via the mechanism defined here, it
would be allowed to connect, but Arti would shut out any application
that wasn't configured to do so.

## Philosophical answer: what are we restricting here and why?

It's not immediately clear to me _why_ it's considered a risk for
another application to be able to open connections through the same
Tor proxy as yours.  Naturally, you wouldn't want another app to use
the same circuits as yours, but you can mostly[^1] solve that by
setting your username/password to any hard-to-guess random values, and
having stream isolation code take care of that for you.

I guess that we might worry about side-channel attacks, where a
hostile application is sending traffic through the Tor proxy in order
to introduce a timing signal into your traffic?  But any application
with network access could do that, whether it has Tor access or not.

[^1]: Actually, wait.  There's a possible problem here when you're
making lots of onion service connections, since IIRC in C Tor onion
service circuits aren't affected by isolation.  But in Arti, they are.
So at least that problem will go away as Arti moves to the fore.

## An answer you probably can't use: embedding Arti

Right now, you can embed Arti in any Rust app.  Some folks have
already started to write wrappers for Java and other languages.  With
our RPC protocol, we intend to support embedding Arti in any
application written in any language that can call C and link a
library.

So with this solution, there is no SOCKS port at all, and nobody can
use your Tor client but you.

## An answer you probably can't use: OS-specific restrictions

Because somebody will mention it if I don't: you could probably cobble
something together using OS specific restrictions, like containers or
selinux.  Of course, this isn't really something you can ship in a
convenient cross-platform way AFAIK, so it probably isn't going to be
any portable application's first resort.

-----
Sorry for all the text!  But I do hope it's at least somewhat interesting.

best wishes,
-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Restricting SOCKS access now and later (was Re: Proposal 351: Making SOCKS5 authentication extensions extensible)
  - From: Michael Rogers
- Re: [tor-dev] Restricting SOCKS access now and later (was Re: Proposal 351: Making SOCKS5 authentication extensions extensible)
  - From: Roger Dingledine

References:
- [tor-dev] Proposal 351: Making SOCKS5 authentication extensions extensible
  - From: Nick Mathewson
- Re: [tor-dev] Proposal 351: Making SOCKS5 authentication extensions extensible
  - From: Michael Rogers

Prev by Author: Re: [tor-dev] Restricting SOCKS access now and later (was Re: Proposal 351: Making SOCKS5 authentication extensions extensible)
Next by Author: Re: [tor-dev] When RFC 7686 and transparent proxies collide
Previous by thread: Re: [tor-dev] Proposal 351: Making SOCKS5 authentication extensions extensible
Next by thread: Re: [tor-dev] Restricting SOCKS access now and later (was Re: Proposal 351: Making SOCKS5 authentication extensions extensible)
Index(es):
- Author
- Thread