[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [GSoC] Improving Snakes on a Tor



Hmmm... so we aren't interested in having a clearer definition of what makes up a bad exit? From the following I thought this is something we were interested in John looking into:

"On the bright side though, it's looking good that we'll be able to get a
google summer of code student to revive Mike Perry's "Snakes on a Tor"
project, and hopefully that means we will a) have some automated scans
looking for really obviously broken relays, and b) build a clearer policy
about what counts as badexit and what doesn't, so we can react faster
next time.
" [0]

This strikes me as something very easy he could do to both:
1. start integrating with the community more (all the gsoc students have been very quiet so far, hence I'm trying to encourage him to spark a discussion on or-talk)
2. it'll provide ideas of things that SoaT can look for later for both misconfigured and malicious exits

I agree that we should try and either fix or find safe ways of using bad exits, and that using SoaT to try and protect the network from all the evils exit relays can dish at us is an arms race we'd lose. However, for many of the nastier active attacks like sslstrip I don't see why we should be waving the white flag right away. Cheers! -Damian

[0] http://archives.seul.org/or/talk/Apr-2010/msg00148.html

On Fri, May 14, 2010 at 3:15 PM, Roger Dingledine <arma@xxxxxxx> wrote:
On Sat, May 01, 2010 at 02:55:53PM -0700, Damian Johnson wrote:
> An easy place to start would be to solicit input on or-talk for a better
> definition and enumerable attributes we can look for. Some obvious starting
> ones would be ssl stripping, certificate tampering (checking for differences
> like the Perspectives addon [2]), and bad DNS responses. I'd imagine Scott
> Bennett would be glad to jump in with some more ideas. :)

The balance here is between making use of imperfect exit resources that
people volunteer, and keeping the content you can reach through Tor
"clean". If we had infinite exit relays, it would be clear that we should
hunt for any differences and ban all relays that don't behave perfectly.

I think John's starting point, of doing very simple tests and trying to
reduce false positives, is a good way to go. The goal would be identifying
exit relays that are *accidentally* broken, for example because their
ISP or upstream or software AV system messes with the traffic. Detecting
these can be as simple as fetching an html page with known content, and
seeing if you get the right content. Then we can focus on doing tests as
soon as possible when a new exit relay shows up (rather than waiting for
the relay to get into the consensus, go to clients, see some use, etc),
and on automating the process of getting the directory authorities to
change its status.

The next missing steps there are a) how to contact exit relays that are
accidentally broken so they have a hope of fixing the problem, and b)
how to let broken exits still be somewhat useful. These aren't problems
that John needs to tackle (at least not this summer ;), but solving them
will will make his work more useful.

For "a", it's easy if they set their ContactInfo. Problem is, many exits
don't set it, or don't set it accurately. We could set a message at the
directory authorities that their relay gets every time it publishes a
descriptor, and then have their relay log the message (and/or tell Vidalia
to pop up a message). We're on our way to supporting that approach,
but we never finished all the steps. If anybody wants to pick that up,
please do.

For "b", it could be smart to just remove certain ports from the exit
policy. We can't change the exit policy in the descriptor clients get
(because it's self-signed by the relay), but for example in the consensus
we can say that exiting on port 80 of that relay is bad but the rest of
the ports are ok. I guess how much energy we put into part b depends on
how many broken relays we find, and how successful we are at part a.

There is a separate arms race of detecting intentionally broken exits.
But imo that isn't really an arms race we can win with SoaT. The way
to do better at that one is to teach users and service providers about
end-to-end authentication and encryption. Oh, and solve the fact that
the whole Certificate Authority infrastructure idea is a mess.

--Roger

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/