[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #26240 [Core Tor]: Check Maxmind GeoIPLocation Database before distributing
#26240: Check Maxmind GeoIPLocation Database before distributing
--------------------------+----------------------------
Reporter: jvsg | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor | Version:
Severity: Normal | Keywords: GeoIP, Geoipdb
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------+----------------------------
Currently we're consuming Maxmind's (a company registered in the U.S)
GeoIPLocation Database in Tor. Not just this goes against the principles
of modern privacy that advocates non-reliance on any single
organisation/product, but comes with some serious threats. A powerful
adversary can impose it's control over Maxmind's database. This can be
used to attack tor in a variety of ways:
1. The Tor Network is constantly monitored for any suspicious spike in
nodes, as it may be an indication of an oncoming/undergoing sybil attack.
A powerful adversary can coerce Maxmind to map some specific IP address
blocks to random countries. This may lead to people/scripts monitoring the
network to not feel suspicious about this event, and would result in the
adversary staying under the radar.
2. A large percentage of people don't want the exit of their circuits to
be located in certain countries where the communication is under
surveillance. The powerful adversary knows this as well. Users generally
add a line in their config that allows them to not form a circuit through
nodes located in those locations. To overcome this, the adversary can
coerce Maxmind to alter it's database to map some particular IP's to
locations which the user thinks are havens of free speech.
**Solution**
I propose a system where instead of directly distributed maxmind's db to
the users, we first check it for any anomalies.
This is how it works:
1. The Dir Authorities fetch the GeoIPLocation DBs from all the companies
(including Maxmind) located in distinct countries.
2. Tor Nodes' location (from maxmind) are checked against other DBs as
well. The location which appears in a majority of DB is considered
authentic.
3. All the Dir Authorities perform the above two steps periodically and
independently of each other, and try to reach on a consensus.
4. This DB is then distributed to the users along with any modifications
from step 2.
**What if locations differ in all/most of the DBs?**
A case might arise where the locations for an IP differ in all/most of
DBs, because these locations are just guesses and hence can be erroneous.
However IMO,
1. Most of the nodes are either run from large datacentres, which in all
cases have the right GeoLocation mapped to their IP addr range.
2. Even if the nodes are run from home on a static IP, usually the whois
records are well kept, which help companies such as maxmind fetch data for
their DBs.
So, false positives would be very few. Even if there are some, we can ban
the IP addr from participating in the network until the issue is resolved.
Or we can be a little liberal and allow them to participate given that
there isnt a spike in number of nodes recently.
**What about DB licenses?**
Only the Dir Auths have to pay to get DBs in addition to the freely
available maxmind DB. The DB that we will distribute to the users would
just be maxmind (with some possible modifications)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26240>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs