Re: [tor-bugs] #12500 [Tor]: Slay hidden service upload time dragons
#12500: Slay hidden service upload time dragons
------------------------+-------------------------------------------------
Reporter: andrea | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version: Tor: 0.2.5.5-alpha
Resolution: | Keywords: 026-triaged-1 026-deferrable tor-hs
Actual Points: | Parent ID:
Points: |
------------------------+-------------------------------------------------
Changes (by sysrqb):
* keywords: 026-triaged-1 026-deferrable => 026-triaged-1 026-deferrable tor-hs
Comment:
This is actually a reasonably large problem. When a hidden service is
first started it will always upload its descriptor 30 seconds later.
Replying to [ticket:12500 andrea]:
> Descriptor upload happens from rend_consider_services_upload(time_t now) - some things to consider:
> 1.) Where does now come from? Is this another thing that should use CLOCK_MONOTONIC when available?
>
For reference, `now` comes from the top of second_elapsed_callback().
CLOCK_MONOTONIC would likely be a good thing to use, but the "forcing the
clock to jump sufficiently far into the future" is an equally effective
attack.
> {{{
> if (service->next_upload_time < now ||
>     (service->desc_is_dirty &&
>      service->desc_is_dirty < now-30)) {
>   /* if it's time, or if the directory servers have a wrong service
>    * descriptor and ours has been stable for 30 seconds, upload a
>    * new one of each format. */
>   rend_service_update_descriptor(service);
>   upload_service_descriptor(service);
> }
> }}}
>
> We should look at how desc_is_dirty gets set and make sure this doesn't cause newly created HS descriptors to always be immediately uploaded.
We set it as dirty when we add or remove intro points. This includes when
we first add the hidden service. If we want to be safe here we should
simply remove the "stable for 30 seconds" criterion and leave the 0 < x <
2*rendpostperiod. On the other hand, as rransom mentions in #4243, clients
will not be as happy about waiting up to 2 hours before the descriptor is
published. They can decrease the value of RendPostPeriod, if this is a
problem, though.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12500#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
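
The timing behaviour discussed in this message, as an added C model (not Tor's code and not part of the original message). The struct, `should_upload`, `first_upload_delay` and the sample times are hypothetical; it assumes the descriptor is marked dirty at the moment the service starts and that the check runs once per second.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for the two fields the quoted check reads. */
typedef struct {
  time_t next_upload_time; /* randomized by the service */
  time_t desc_is_dirty;    /* 0 if clean, else time the descriptor changed */
} model_service_t;

/* The quoted condition; stable_rule=0 models dropping the 30-second clause. */
static int should_upload(const model_service_t *s, time_t now, int stable_rule)
{
  if (s->next_upload_time < now)
    return 1;
  return stable_rule && s->desc_is_dirty && s->desc_is_dirty < now - 30;
}

/* Tick once per second from start (assumption: descriptor is marked dirty
 * at start) and return seconds until the first upload, or -1 if none.
 * The strict '<' means the dirty clause first fires on tick 31. */
static long first_upload_delay(time_t start, time_t next_upload,
                               int stable_rule, long max_ticks)
{
  model_service_t s = { next_upload, start };
  for (long t = 0; t <= max_ticks; t++)
    if (should_upload(&s, start + t, stable_rule))
      return t;
  return -1;
}

int main(void)
{
  const time_t start = 1000000;               /* constructed sample */
  const long offsets[] = { 600, 3600, 7000 }; /* constructed sample */
  for (int i = 0; i < 3; i++) {
    time_t next = start + offsets[i];
    printf("next_upload=+%lds  with rule: %lds  without: %lds\n", offsets[i],
           first_upload_delay(start, next, 1, 7200),
           first_upload_delay(start, next, 0, 7200));
  }
  return 0;
}
```

With the 30-second clause the first upload lands at the same offset for every randomized `next_upload_time`; without it the delay follows the randomized value.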