tor-commits May 2015

tor-commits@lists.torproject.org

22 participants
990 discussions

[tor-browser-spec/master] Cleanups and fixes.
by mikeperry＠torproject.org 04 May '15

04 May '15

commit 16ef0c1333762109fd5778dd1af4d537080c3e83 Author: Mike Perry <mikeperry-git(a)torproject.org> Date: Thu Apr 30 22:49:05 2015 -0700 Cleanups and fixes. --- position-papers/HTTP3/HTTP3.tex | 240 ++++++++++++++++++++------------------- 1 file changed, 125 insertions(+), 115 deletions(-) diff --git a/position-papers/HTTP3/HTTP3.tex b/position-papers/HTTP3/HTTP3.tex index ff08c33..b4d7993 100644 --- a/position-papers/HTTP3/HTTP3.tex +++ b/position-papers/HTTP3/HTTP3.tex @@ -19,6 +19,7 @@ \title{The Future of HTTP and Anonymity on the Internet} +% XXX: This is broken: \author{Georg Koppen \\ The Tor Project, Inc \\ georg(a)torproject.org} \author{Mike Perry \\ The Tor Project, Inc \\ mikeperry(a)torproject.org} @@ -36,21 +37,25 @@ with the Tor Network, avoid introducing new third party tracking and linkability vectors, and minimize client fingerprintability. We also have a strong interest in the development of enhancements and/or extensions that protect the confidentiality and integrity of HTTP traffic, as well as provide -resistance to traffic fingerprinting and general traffic analysis. We are -presently actively researching these areas. +resistance to traffic fingerprinting and general traffic analysis. In fact, we +are presently researching these areas. \end{abstract} \section{Introduction} -The Tor Project, Inc is a US non-profit dedicated to providing technology and -education to support online privacy, anonymity, and censorship circumvention. -Our primary products are the Tor network software, and the Tor Browser, which -is based on Firefox. +The Tor Project is a United States 501(c)(3) non-profit dedicated to providing +technology, research, and education to support online privacy, anonymity, and +censorship circumvention. Our primary software products are the Tor network +software, and the Tor Browser, which is based on Firefox. The Tor Project is +actively collaborating with Mozilla to ensure that its modifications to +Firefox are merged with the official Firefox distribution, with the long-term +goal of providing an optional Tor-enabled mode of operation for native Firefox +users. In this position paper, we describe the concerns and interests of the Tor Project with respect to future HTTP standardization. These concerns and -interests span five areas: identifier linkability, connection usage linkability, +interests span six areas: identifier linkability, connection usage linkability, fingerprinting linkability, traffic confidentiality and integrity, traffic fingerprinting and traffic analysis, and Tor network compatibility. @@ -61,13 +66,13 @@ performing a more in-depth review of HTTP/2 for client fingerprinting and other tracking issues in the coming months as we modify the Firefox implementation for deployment in Tor Browser. -\section{Identifier Linkability} +\section{Identifier Linkability Concerns} Identifier linkability is the ability to use any form of browser state, cache, data storage, or identifier to track (or link) a user between two otherwise -independent actions. For the purposes of this position paper, we concern -ourselves with any browser state that persists beyond the duration or scope of -a single connection. +independent actions. For the purpose of this position paper, we are +specifically concerned with any stateful information residing in the browser's +HTTP layer that persists beyond the duration or scope of a single connection. For background, the Tor Project has designed Tor Browser with two main properties for limiting identifier-based tracking: First Party Isolation, and @@ -75,20 +80,19 @@ Long Term Unlinkability. % FIXME: cite design doc First Party Isolation is the property that a user's actions at one -top-level URL bar domain cannot be correlated or linked to their actions on a +top-level URL bar domain must not be correlated or linked to their actions on a different top-level URL bar domain. We maintain this property through a number of patches and modifications to various aspects of browser functionality and state keeping. % FIXME: Cite design doc -Long Term Unlinkability is the property that the user may completely clear all -website-visible data and other identifiers associated, such that their future -activity cannot be linked or correlated to any activity prior to this action. -Tor Browser provides Long Term Unlinkability by allowing the user to clear all -browser tracking data in a single click (called "New Identity"). Our long-term -goal is to allow users to define their relationship with individual first -parties, and alter that relationship by resetting or blocking the associated -tracking data on a per-site basis. +Long Term Unlinkability is the property that a user's future activity must not +be linked or correlated to any prior activity after that user's explicit request +to sever this link. Tor Browser provides Long Term Unlinkability by allowing +the user to clear all browser tracking data in a single click (called "New +Identity"). Our long-term goal is to allow users to define their relationship +with individual first parties, and alter that relationship by resetting or +blocking the associated tracking data on a per-site basis. % FIXME: Cite design doc \subsection{Identifier Linkability in HTTP/2} @@ -96,17 +100,16 @@ tracking data on a per-site basis. The Tor Project is still in the process of evaluating the stateful nature of HTTP/2 connections and their associated streams and settings. It is likely that we will be able to isolate the usage of HTTP/2 connection state in a -similar way to how we currently isolate HTTP connection state, as well as -close these connections and clear that state when the user chooses to use a -New Identity. However, it is not clear yet at this point how complicated this -isolation will be. +manner similar to the way we currently isolate HTTP/1.1 connection state. +However, it is not clear yet at this point how complicated this isolation will +be. \subsection{Avoiding Future Identifier Linkability} We feel that it is very important that mechanisms for identifier usage, storage, and connection-related state keeping be cleanly abstracted and narrowly scoped within the HTTP protocol. However, we also recognize that to a -large degree identifier usage and the resulting linkability is primarily an +large degree identifier storage and the resulting linkability is primarily an implementation detail, and not specific to the protocol itself. Identifier linkability will become a problem if instances arise where the @@ -114,9 +117,10 @@ server is allowed to specify a setting or configuration property for a client that must persist beyond the duration of the session. In these cases, care must be taken to ensure that this data is cleared or isolated upon entry to private browsing mode, or when the user attempts to clear their private data. +In the case of Tor Browser, we will most likely clear this state immediately +upon connection close. - -\section{Connection Usage Linkability} +\section{Connection Usage Linkability Concerns} Connection usage linkability arises from the use of the same underlying transport stream for requests that would otherwise be independent due to the @@ -138,18 +142,22 @@ SHOULD NOT open more than one connection to a given host and port). \subsection{Avoiding Future Connection Usage Linkability} In the future, connection usage linkability may become a problem if the notion -of a connection becomes further abstracted from the transport, and instead is -enforced through a collection of identifiers or stateful behavior in the -browser. This may tend to further encourage implementations that make it -difficult to decouple the notion of a connection from the notion of a -destination address. +of a connection becomes disassociated from the application layer, and instead +is enforced through a collection of identifiers or stateful behavior in the +browser. This may tend to encourage implementations that make it difficult to +decouple the notion of a connection from the notion of a destination address. + +Connection (and even identifier) linkability could similarly arise if +implementations were required to remember which endpoints supported which HTTP +versions, to avoid wasting round trips determining this information in-band. -Even this is technically an implementation issue, but consideration should be -taken to ensure that the specification does not encourage implementations to -bake in deep assumptions about providing only a single connection instance per -site, as was done for HTTP/2. +Even these concerns are technically implementation issues, but consideration +should be taken to ensure that the specification does not encourage +implementations to bake in deep assumptions about providing only a single +connection instance per site, as well as the need to remember a site's +capabilities for long periods of time. -\section{Fingerprinting Linkability} +\section{Fingerprinting Linkability Concerns} User agent fingerprinting arises from four sources: end-user configuration details, device and hardware characteristics, operating system vendor and @@ -184,7 +192,7 @@ delegated to the client, and depend on things like available system memory, available CPU cores, or other system details. Care should be taken to avoid these situations, but we also expect them to be unlikely. -\section{Traffic Confidentiality and Integrity} +\section{Traffic Confidentiality and Integrity Concerns} The Tor Project is very interested in any efforts to improve the confidentiality and integrity of the session layer of HTTP/3. @@ -196,18 +204,18 @@ authenticated encryption, as opposed to deploying opportunistic mechanisms. % FIXME: Cite Let's Encrypt We are also interested in efforts to encrypt the ClientHello and ServerHello -messages using an initial forward-secure handshake, as described in the -Encrypted TLS Handshake proposal. If SNI, ALPN, and the ServerHello can be -encrypted using an ephemeral exchange that is authenticated later in the -handshake, the adversary loses a great deal of information about the user's -intended destination site. When large scale CDNs and multi-site load balancers -are involved, the ultimate destination would be impossible to determine with -this type of handshake in place. This will aid in defenses against traffic +messages using an initial ephemeral handshake, as described in the Encrypted +TLS Handshake proposal. If SNI, ALPN, and the ServerHello can be encrypted +using an ephemeral key exchange that is authenticated later in the handshake, +the adversary loses a great deal of information about the user's intended +destination site. When large scale CDNs and multi-site load balancers are +involved, the ultimate destination would be impossible to determine with this +type of handshake in place. This will aid in defenses against traffic fingerprinting and traffic analysis, which we describe detail in the next section. % FIXME: Cite https://tools.ietf.org/html/draft-ray-tls-encrypted-handshake-00 -\section{Traffic Fingerprinting and Traffic Analysis} +\section{Traffic Fingerprinting and Traffic Analysis Concerns} Website Traffic Fingerprinting is the process of using machine learning to classify web page visits based on their encrypted traffic patterns. It is most @@ -217,33 +225,36 @@ visited. In the case of Tor, this attack is most commonly considered with respect to the client's connection to their Guard node (the entry into the Tor network). -There, Tor's fixed 512 byte packet size, link encryption, and multiplexing all -go a long way to impede this attack for minimal overhead. The fixed 512 byte -packet size helps to obscure some amount of request and response length -information. Tor's link encryption also conceals the destination website, -which reduces classifier accuracy and capabilities, due largely to the Base -Rate Fallacy. - -There was some initial controversy in the literature as to the exact degree to -which the Base Rate Fallacy and other properties applied to website traffic -fingerprinting of Tor traffic, but after publicly requesting that these -effects be studied in closer detail, recent results have confirmed and -quantified the benefits conferred by Tor's unique link encryption. +There, Tor's fixed 512 byte packet size, link encryption, and stream +multiplexing go a long way to impede this attack for minimal overhead. The +fixed 512 byte packet size helps to obscure some amount of request and +response length information. Tor's link encryption also conceals the +destination website from the Guard node observer, which reduces classifier +accuracy and capabilities by increasing the size of the classification domain. + +There was some initial controversy in the research literature as to the exact +degree to which the classification domain size, the base rate fallacy, and +other machine learning issues applied to website traffic fingerprinting of Tor +traffic, but after publicly requesting that these effects be studied in closer +detail, recent results have confirmed and quantified the benefits conferred by +Tor's unique link encryption. + +Tor's link properties are by no means a complete defense, but they show that +there is room to develop defenses that specifically aim to increase the size +of the classification domain and associated base rate. In fact, it is our +belief that minimal padding and clever use of request and response framing +will increase the false positive rate enough to frustrate these attacks. For +this reason, we have been encouraging continued study of low-overhead defenses +against traffic fingerprinting. % FIXME: Cite blog post and Mjaurez's paper - -For this reason, we have been encouraging continued study of low-overhead -defenses against traffic fingerprinting. We are optimistic that clever use of -request bundling and response chunking can be combined with minimal amounts of -padding to significantly reduce the accuracy of this attack, even when the -attack is combined with prior information that reduces the size of the -classification domain. % FIXME: Cite design doc's website traffic fingerprinting section With the aid of an encrypted TLS handshake, we are hopeful that these defenses -will also be applicable to non-Tor TLS sessions as well. The application of -these defenses to HTTP's TLS layer will serve to increase the difficulty -of end-to-end correlation and general traffic analysis of Tor Exit node -traffic. +will also be applicable to non-Tor TLS sessions as well. In addition to +protecting the communications of non-Tor users from traffic fingerprinting, +the application of these defenses to the HTTP TLS layer will serve to increase +the difficulty of end-to-end correlation and general traffic analysis of Tor +exit node traffic as well. \subsection{Traffic Analysis Issues with HTTP/2} @@ -251,31 +262,30 @@ In our preliminary investigation of HTTP/2, we discovered that certain aspects of the protocol may aid certain types of traffic analysis attacks. In particular, the PING and SETTINGS frames are acknowledged immediately by -the client which might give servers the option to collect information about a -client via timing side-channels. They also allow the server to introduce an -active traffic pattern that can be used for end-to-end correlation or -confirmation, independent of client behavior. - -It is true that there are other means an attacker could use for the same -purpose (such as redirects or Javascript), but these mechanisms can either be -disabled by the user, reflected in UI activity, or otherwise mitigated by Tor -Browser - -In Tor Browser, we will likely close the connection after receiving some rate -of unsolicited PING or SETTINGS updates, and introduce delay or jitter before -responding to these requests before that point. However, lack of explicit -guidance in the specification about this issue raises concerns about what -frequencies of these frames are likely to constitute attacks, or instead -represent normal server behavior in the wild due to overly-aggressive HTTP/2 -implementations. +the client, which might give servers the ability to collect information about a +client's location and/or routing via timing side-channels. They also allow the +server to introduce an active traffic pattern that can be used for end-to-end +correlation or confirmation. + +In Tor Browser, we will likely introduce delay or jitter before responding to +these requests, and close the connection after receiving some rate of +unsolicited PING or SETTINGS updates. However, lack of explicit guidance in +the specification about this issue raises concerns about what frequencies of +these frames are likely to represent normal server behavior in the wild due to +overly-aggressive HTTP/2 implementations, as opposed to actual attacks. + +It is true that there are other mechanisms that an attacker could use for the +same purpose (such as redirects or Javascript), but these mechanisms can +either be disabled by the user, discovered by UI indicators, or otherwise +mitigated by Tor Browser. \subsection{Future Traffic Analysis Resistance Enhancements for HTTP/3} In terms of assisting traffic analysis defenses, we would like to see capabilities for larger amounts of per-frame padding, and more fine-grained client-side control over frame sizes. Unfortunately the 256 bytes of padding -provided by HTTP/2 is likely to be inconsequential when combined with a 16K -frame size. +provided by HTTP/2 is likely to be inconsequential when combined with the +minimum frame size the client can request (16 kilobytes). In combination with researchers at the University of Leuven, the Tor Project has also developed a protocol and prototype implementation for communicating @@ -290,38 +300,38 @@ basis of new HTTP/3 frame commands for communicating more sophisticated (yet still traffic-bounded) padding schedules to HTTP/3 servers. -\section{Tor Network Compatibility} +\section{Tor Network Compatibility Concerns} Our final area of concern is continued compatibility of the Tor network with -future versions of the HTTP protocol. - -It is our understanding that there is a desire for future versions of HTTP to -move to a UDP transport layer so that reliability, congestion control, and -client mobility will be more directly under control of the application layer. - -At present, the Tor Network is only capable of carrying TCP traffic. While we -would like to support UDP traffic and indeed eventually transition the entire -Tor network to our own datagram protocol with custom congestion and flow -control, additional research is still needed to examine the anonymity -implications associated with this transition. Our present estimate is that a -full network transition to UDP is at least five years away. - +future versions of the HTTP protocol. It is our understanding that there is a +desire for future versions of HTTP to move to a UDP transport layer so that +reliability, congestion control, and client mobility will be more directly +under control of the client user agent. + +At present, the Tor Network is only capable of carrying TCP traffic. While it +will be possible to support the transit of UDP datagrams using our existing +TCP overlay network without significant anonymity risks within a year's time +or sooner, it is unlikely that this level of support will be sufficient to +warrant the use of a finely-tuned UDP version of HTTP rather than a TCP +variant. + +Long term, our goal is to transition the entire Tor network to our own +datagram protocol with custom congestion and flow control to better support +both native datagram transport and end-to-end flow control. However, +additional research is still needed to examine the anonymity implications +associated with this transition. Our present estimate is that a full network +transition to UDP is at least five years away. % FIXME: Site Murdoch's UDP study -While it will be technically possible to support the transit of UDP inside our -existing TCP overlay network without significant anonymity risks within a -year's time or sooner, it is unlikely that this level of support will be -sufficient to warrant the use of a finely-tuned UDP version of HTTP rather -than a TCP variant. - -We are also concerned that even with a full network transition to a datagram +We are also concerned that even after a full network transition to a datagram transport, it is likely that the congestion, flow, and reliability control of -a UDP version of HTTP/3 may still end up performing poorly over higher-latency -overlay networks such as ours. We are especially interested in ensuring that -overlay networks are taken in to account in the design of any UDP-based future -versions of HTTP, and would also prefer to retain the ability to use future -HTTP versions over TCP, should the UDP implementations prove sub-optimal for -our use case. +a UDP version of HTTP may still end up performing poorly over higher-latency +overlay networks such as ours. + +For these reasons, we are especially interested in ensuring that overlay +networks are taken into account in the design of any UDP-based future versions +of HTTP, and also prefer to retain the ability to use future HTTP versions +over TCP, should the UDP implementations prove sub-optimal for our use case.

1 0

[tor-browser-spec/master] Add compiled PDF for HTTP3 position paper.
by mikeperry＠torproject.org 04 May '15

04 May '15

commit 272da5daa6ef1847b2b8035227ebc58cdbbdca68 Author: Mike Perry <mikeperry-git(a)torproject.org> Date: Mon May 4 11:16:59 2015 -0700 Add compiled PDF for HTTP3 position paper. This commit was the initial submitted version. --- position-papers/HTTP3/HTTP3.pdf | Bin 0 -> 71714 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/position-papers/HTTP3/HTTP3.pdf b/position-papers/HTTP3/HTTP3.pdf new file mode 100644 index 0000000..23fccd5 Binary files /dev/null and b/position-papers/HTTP3/HTTP3.pdf differ

1 0

[tor-browser-spec/master] [Citation needed].
by mikeperry＠torproject.org 04 May '15

04 May '15

commit cafc1fd6a0717c4ba24ebf9e55d0f89c39be732f Author: Mike Perry <mikeperry-git(a)torproject.org> Date: Thu Apr 30 21:41:23 2015 -0700 [Citation needed]. --- position-papers/HTTP3/HTTP3.tex | 118 +++++++++++++++++++++------------------ 1 file changed, 65 insertions(+), 53 deletions(-) diff --git a/position-papers/HTTP3/HTTP3.tex b/position-papers/HTTP3/HTTP3.tex index 6040902..ff08c33 100644 --- a/position-papers/HTTP3/HTTP3.tex +++ b/position-papers/HTTP3/HTTP3.tex @@ -48,35 +48,38 @@ education to support online privacy, anonymity, and censorship circumvention. Our primary products are the Tor network software, and the Tor Browser, which is based on Firefox. -In this position paper, we describe the concerns of the Tor Project with -respect to future HTTP standardization. These concerns are broken down into -five areas: identifier linkability, connection usage linkability, +In this position paper, we describe the concerns and interests of the Tor +Project with respect to future HTTP standardization. These concerns and +interests span five areas: identifier linkability, connection usage linkability, fingerprinting linkability, traffic confidentiality and integrity, traffic fingerprinting and traffic analysis, and Tor network compatibility. -Each of these areas of concern is communicated in a separate section of this -position paper. We have also performed a preliminary review of HTTP/2 with -respect to these areas, and have noted our findings inline. We will be +Each of these areas is communicated in a separate section of this position +paper. We have also performed a preliminary review of HTTP/2 with respect to +these areas, and have noted our comments in each section. We will be performing a more in-depth review of HTTP/2 for client fingerprinting and -other tracking issues in the coming months. +other tracking issues in the coming months as we modify the Firefox +implementation for deployment in Tor Browser. \section{Identifier Linkability} Identifier linkability is the ability to use any form of browser state, cache, -data storage, or identifier to track (link) a user between two otherwise -independent actions. For the purposes of this position paper, we are concerned -with any browser state that persists beyond the duration of a single -connection. +data storage, or identifier to track (or link) a user between two otherwise +independent actions. For the purposes of this position paper, we concern +ourselves with any browser state that persists beyond the duration or scope of +a single connection. -The Tor Project has designed Tor Browser with two main properties for limiting -identifier-based tracking: First Party Isolation, and Long Term Unlinkability. +For background, the Tor Project has designed Tor Browser with two main +properties for limiting identifier-based tracking: First Party Isolation, and +Long Term Unlinkability. +% FIXME: cite design doc First Party Isolation is the property that a user's actions at one top-level URL bar domain cannot be correlated or linked to their actions on a different top-level URL bar domain. We maintain this property through a number of patches and modifications to various aspects of browser functionality and state keeping. -% FIXME: Cite +% FIXME: Cite design doc Long Term Unlinkability is the property that the user may completely clear all website-visible data and other identifiers associated, such that their future @@ -86,15 +89,17 @@ browser tracking data in a single click (called "New Identity"). Our long-term goal is to allow users to define their relationship with individual first parties, and alter that relationship by resetting or blocking the associated tracking data on a per-site basis. +% FIXME: Cite design doc \subsection{Identifier Linkability in HTTP/2} The Tor Project is still in the process of evaluating the stateful nature of -HTTP/2 connections. It is likely that we will be able to isolate the usage of -HTTP/2 connection state in a similar way to how we currently isolate HTTP -connection state, as well as close these connections and clear that state when -the user chooses to use a New Identity. However, it is not clear yet at this -point how complicated this isolation will be. +HTTP/2 connections and their associated streams and settings. It is likely +that we will be able to isolate the usage of HTTP/2 connection state in a +similar way to how we currently isolate HTTP connection state, as well as +close these connections and clear that state when the user chooses to use a +New Identity. However, it is not clear yet at this point how complicated this +isolation will be. \subsection{Avoiding Future Identifier Linkability} @@ -128,6 +133,7 @@ complexities for ensuring that requests are isolated. Unfortunately, unlike identifier usage, connection usage linkability is encouraged by the HTTP/2 specification in Section 9.1 (in the form of specifying that clients SHOULD NOT open more than one connection to a given host and port). +% FIXME: Cite HTTP2 S 9.1 \subsection{Avoiding Future Connection Usage Linkability} @@ -165,17 +171,18 @@ possibility. The Tor Project is still in the process of evaluating client fingerprintability in HTTP/2. The largest potential source of fingerprinting -appears to be in the SETTINGS frame. If these values vary depending on end-user -configuration, hardware capabilities, or operating system version, we may -alter our implementation's behavior accordingly. +appears to be in the SETTINGS frame. If clients choose setting values +depending on end-user configuration, hardware capabilities, or operating +system version, we may alter our implementation's behavior accordingly to +remove this logic. \subsection{Avoiding Future Fingerprinting Linkability} It is conceivable that more fingerprinting vectors could arise in future, -especially if flow control and stream multiplexing decisions are delegated to -the client, and depend on things like available system memory, available CPU -cores, or other details. Care should be taken to avoid these situations, -though we also expect them to be unlikely. +especially if more flow control and stream multiplexing decisions are +delegated to the client, and depend on things like available system memory, +available CPU cores, or other system details. Care should be taken to avoid +these situations, but we also expect them to be unlikely. \section{Traffic Confidentiality and Integrity} @@ -186,18 +193,18 @@ In particular, we are strong advocates for mandatory authenticated encryption of HTTP/3 connections. The availability of entry-level authentication through the Let's Encrypt Project should eliminate the remaining barriers to requiring authenticated encryption, as opposed to deploying opportunistic mechanisms. +% FIXME: Cite Let's Encrypt We are also interested in efforts to encrypt the ClientHello and ServerHello -messages in an initial forward-secure handshake, as described in the Encrypted -TLS Handshake proposal. If SNI, ALPN, and the ServerHello can be encrypted -using an ephemeral exchange that is authenticated later in the handshake, -the adversary loses a great deal of information about the user's intended -destination site. When large scale CDNs and multi-site load balancers are -involved, the ultimate destination would be impossible to determine with this -type of handshake in place. This will aid in defenses against traffic +messages using an initial forward-secure handshake, as described in the +Encrypted TLS Handshake proposal. If SNI, ALPN, and the ServerHello can be +encrypted using an ephemeral exchange that is authenticated later in the +handshake, the adversary loses a great deal of information about the user's +intended destination site. When large scale CDNs and multi-site load balancers +are involved, the ultimate destination would be impossible to determine with +this type of handshake in place. This will aid in defenses against traffic fingerprinting and traffic analysis, which we describe detail in the next section. - % FIXME: Cite https://tools.ietf.org/html/draft-ray-tls-encrypted-handshake-00 \section{Traffic Fingerprinting and Traffic Analysis} @@ -208,15 +215,21 @@ effective when exact request and response lengths are visible, and when the classification domain is limited by knowledge of the specific site being visited. -Tor's fixed 512 byte packet size and large classification domain go a long way -to impede this attack for minimal overhead. The 512 byte packet size helps to -obscure some amount of length information, and Tor's link encryption conceals -the destination website reduces classifier accuracy and capabilities, due -largely to the Base Rate Fallacy. There was some initial controversy in the -literature as to the exact degree to which this was the case, but after -publicly requesting that these effects be studied in closer detail, recent -results have confirmed and quantified the benefits conferred by Tor's unique -link encryption. +In the case of Tor, this attack is most commonly considered with respect to +the client's connection to their Guard node (the entry into the Tor network). +There, Tor's fixed 512 byte packet size, link encryption, and multiplexing all +go a long way to impede this attack for minimal overhead. The fixed 512 byte +packet size helps to obscure some amount of request and response length +information. Tor's link encryption also conceals the destination website, +which reduces classifier accuracy and capabilities, due largely to the Base +Rate Fallacy. + +There was some initial controversy in the literature as to the exact degree to +which the Base Rate Fallacy and other properties applied to website traffic +fingerprinting of Tor traffic, but after publicly requesting that these +effects be studied in closer detail, recent results have confirmed and +quantified the benefits conferred by Tor's unique link encryption. +% FIXME: Cite blog post and Mjaurez's paper For this reason, we have been encouraging continued study of low-overhead defenses against traffic fingerprinting. We are optimistic that clever use of @@ -224,19 +237,18 @@ request bundling and response chunking can be combined with minimal amounts of padding to significantly reduce the accuracy of this attack, even when the attack is combined with prior information that reduces the size of the classification domain. +% FIXME: Cite design doc's website traffic fingerprinting section -With the aid of an encrypted TLS handshake, we are also hopeful that these -defenses will also be applicable to non-Tor TLS sessions as well. This will -also serve to increase the difficulty of end-to-end correlation and general -traffic analysis of Tor Exit node traffic. - -% FIXME: Cite Mjarez's paper and wfpadtools +With the aid of an encrypted TLS handshake, we are hopeful that these defenses +will also be applicable to non-Tor TLS sessions as well. The application of +these defenses to HTTP's TLS layer will serve to increase the difficulty +of end-to-end correlation and general traffic analysis of Tor Exit node +traffic. \subsection{Traffic Analysis Issues with HTTP/2} -In our preliminary investigation of HTTP2/, however, we discovered that -certain aspects of the protocol may aid certain types of traffic analysis -attacks. +In our preliminary investigation of HTTP/2, we discovered that certain aspects +of the protocol may aid certain types of traffic analysis attacks. In particular, the PING and SETTINGS frames are acknowledged immediately by the client which might give servers the option to collect information about a @@ -271,12 +283,12 @@ statistical schedules for asynchronous padding from Tor clients to Tor relays. The research community is currently in the process of evaluating the efficacy of this protocol against traffic fingerprinting and other traffic analysis attacks. +% FIXME: Cite padding idea and wfpadtools Pending the results of this analysis, these padding commands could form the basis of new HTTP/3 frame commands for communicating more sophisticated (yet still traffic-bounded) padding schedules to HTTP/3 servers. -% FIXME: Cite. \section{Tor Network Compatibility}

1 0

[tor-browser-spec/master] Another round of cleanups.
by mikeperry＠torproject.org 04 May '15

04 May '15

commit 899d225375aff9f4dbd1ccf219a0a932b74d202f Author: Mike Perry <mikeperry-git(a)torproject.org> Date: Fri May 1 02:50:52 2015 -0700 Another round of cleanups. --- position-papers/HTTP3/HTTP3.tex | 130 +++++++++++++++++++++++---------------- 1 file changed, 76 insertions(+), 54 deletions(-) diff --git a/position-papers/HTTP3/HTTP3.tex b/position-papers/HTTP3/HTTP3.tex index d7d8aac..43fac24 100644 --- a/position-papers/HTTP3/HTTP3.tex +++ b/position-papers/HTTP3/HTTP3.tex @@ -20,8 +20,7 @@ \title{The Future of HTTP and Anonymity on the Internet} % XXX: This is broken: -\author{Georg Koppen \\ The Tor Project, Inc \\ georg(a)torproject.org} -\author{Mike Perry \\ The Tor Project, Inc \\ mikeperry(a)torproject.org} +\author{Mike Perry \\ The Tor Project, Inc \\ mikeperry(a)torproject.org \and Georg Koppen \\ The Tor Project, Inc \\ gk(a)torproject.org} %\institute{The Internet} @@ -48,7 +47,7 @@ The Tor Project is a United States 501(c)(3) non-profit dedicated to providing technology, research, and education to support online privacy, anonymity, and censorship circumvention. Our primary software products are the Tor network software, and the Tor Browser, which is based on Firefox. The Tor Project is -actively collaborating with Mozilla to ensure that its modifications to +actively collaborating with Mozilla to ensure that our modifications to Firefox are merged with the official Firefox distribution, with the long-term goal of providing an optional Tor-enabled mode of operation for native Firefox users. @@ -88,7 +87,7 @@ Long Term Unlinkability is the property that a user's future activity must not be linked or correlated to any prior activity after that user's explicit request to sever this link. Tor Browser provides Long Term Unlinkability by allowing the user to clear all browser tracking data in a single click (called -"New Identity")\cite{torbrowser-longterm}. Our long-term goal is to allow +"New Identity")\cite{torbrowser-longterm}. Our eventual goal is to allow users to define their relationship with individual first parties, and alter that relationship by resetting or blocking the associated tracking data on a per-site basis. @@ -110,11 +109,9 @@ narrowly scoped within the HTTP protocol. However, we also recognize that to a large degree identifier storage and the resulting linkability is primarily an implementation detail, and not specific to the protocol itself. -Identifier linkability will become a problem if instances arise where the -server is allowed to specify a setting or configuration property for a client -that must persist beyond the duration of the session. In these cases, care -must be taken to ensure that this data is cleared or isolated upon entry to -private browsing mode, or when the user attempts to clear their private data. +Identifier linkability will become a more serious problem in future HTTP +versions if the server is allowed to specify a setting or configuration +property for a client that must persist beyond the duration of the session. In the case of Tor Browser, we will most likely clear this state immediately upon connection close. @@ -125,8 +122,11 @@ transport stream for requests that would otherwise be independent due to the first party isolation of their associated identifiers and browser state. Tor Browser currently enforces connection usage unlinkability at the HTTP -layer, by creating independent HTTP connections for third party hosts that -are sourced from different first party domains. +layer, by creating independent HTTP connections to third party hosts that are +sourced from different first party domains, even if HTTP requests are issued +simultaneously to the same third party site. These connections also use +separate, isolated paths through the Tor network based on the domain of the +first party that sourced them. \subsection{Connection Usage Linkability with HTTP/2} @@ -137,29 +137,39 @@ HTTP/2 specification in Section 9.1 (in the form of specifying that clients SHOULD NOT open more than one connection to a given host and port)\cite{http2-spec}. +The Tor Browser will ignore this recommendation in its HTTP/2 implementation, +and create an independent HTTP/2 connections to third parties for every first +party domain that sources them. + \subsection{Avoiding Future Connection Usage Linkability} -In the future, connection usage linkability may become a problem if the notion -of a connection becomes disassociated from the application layer, and instead -is enforced through a collection of identifiers or stateful behavior in the -browser. This may tend to encourage implementations that make it difficult to -decouple the notion of a connection from the notion of a destination address. +In the future, connection usage linkability may become a more serious problem +if the notion of a connection becomes disassociated from the application +layer, and instead is enforced through a collection of identifiers or stateful +behavior in the browser (for example, in the case of a connectionless datagram +transport layer). This may tend to encourage implementations that make it +difficult to decouple the notion of a session from the notion of a destination +address, which will serve to entrench and cement cross-site third party +tracking capabilities. Some user agent vendors already have implicit or +explicit monetary incentives to make these implementation tradeoffs. Connection (and even identifier) linkability could similarly arise if implementations were required to remember which endpoints supported which HTTP versions, to avoid wasting round trips determining this information in-band. +Implementations that choose not to store this state (to prevent the associated +tracking vectors) may end up at an inherent performance disadvantage. -Even these concerns are technically implementation issues, but consideration -should be taken to ensure that the specification does not encourage -implementations to bake in deep assumptions about providing only a single -connection instance per site, as well as the need to remember a site's +For these reasons, consideration should be taken to ensure that the +specification does not encourage implementations to bake in deep assumptions +about providing only a single connection instance per site, or otherwise +implicitly encourage the browser to store information about a site's capabilities for long periods of time. \section{Fingerprinting Linkability Concerns} -User agent fingerprinting arises from four sources: end-user configuration -details, device and hardware characteristics, operating system vendor and -version differences, and browser vendor and version differences. +User agent fingerprinting arises from four primary sources: end-user +configuration details, device and hardware characteristics, operating system +vendor and version differences, and browser vendor and version differences. The Tor Project is primarily concerned with minimizing the ability of websites to obtain or infer end user configuration details and device characteristics. @@ -178,17 +188,18 @@ possibility. The Tor Project is still in the process of evaluating client fingerprintability in HTTP/2. The largest potential source of fingerprinting appears to be in the SETTINGS frame. If clients choose setting values -depending on end-user configuration, hardware capabilities, or operating -system version, we may alter our implementation's behavior accordingly to -remove this logic. +depending on end-user configuration, local network or related hardware +capabilities, or operating system version, we may alter our implementation's +behavior accordingly to remove this logic. \subsection{Avoiding Future Fingerprinting Linkability} -It is conceivable that more fingerprinting vectors could arise in future, -especially if more flow control and stream multiplexing decisions are -delegated to the client, and depend on things like available system memory, -available CPU cores, or other system details. Care should be taken to avoid -these situations, but we also expect them to be unlikely. +It is conceivable that more fingerprinting vectors could arise in future +versions of HTTP, especially if more flow control and stream multiplexing +decisions are delegated to the client, and depend on things like local link +layer properties, available system memory, available CPU cores, or other +system details. Care should be taken to avoid these situations, especially +in the specification of any highly-tuned datagram-based transport layer. \section{Traffic Confidentiality and Integrity Concerns} @@ -198,8 +209,11 @@ confidentiality and integrity of the session layer of HTTP/3. In particular, we are strong advocates for mandatory authenticated encryption of HTTP/3 connections. The availability of free and automated entry-level authentication through the Let's Encrypt Project\cite{lets-encrypt} should -eliminate the remaining barriers to requiring authenticated encryption, as -opposed to deploying opportunistic mechanisms. +eliminate the remaining barriers to requiring authenticated encryption. The +creation of the Let's Encrypt certificate authority also causes us to strongly +favor mandatory authenticated encryption over opportunistic unauthenticated or +unauthenticated to authenticated upgrade mechanisms, despite our concerns with +the certificate authority authentication model. We are also interested in efforts to encrypt the ClientHello and ServerHello messages using an initial ephemeral handshake, as described in the Encrypted @@ -210,11 +224,11 @@ information about the user's intended destination site. When large scale CDNs and multi-site load balancers are involved, the ultimate destination would be impossible to determine with this type of handshake in place. This will aid in defenses against traffic fingerprinting and traffic analysis, which we -describe detail in the next section. +describe in detail in the next section. \section{Traffic Fingerprinting and Traffic Analysis Concerns} -Website Traffic Fingerprinting is the process of using machine learning to +Traffic fingerprinting is the process of using machine learning to classify web page visits based on their encrypted traffic patterns. It is most effective when exact request and response lengths are visible, and when the classification domain is limited by knowledge of the specific site being @@ -228,6 +242,9 @@ fixed 512 byte packet size helps to obscure some amount of request and response length information. Tor's link encryption also conceals the destination website from the Guard node observer, which reduces classifier accuracy and capabilities by increasing the size of the classification domain. +Tor's stream multiplexing causes concurrent web page loads to blend together. +In the face of concurrent multiplexed web page loads, the accuracy of these +attacks drops considerably. There was some initial controversy in the research literature as to the exact degree to which the classification domain size, the base rate fallacy, and @@ -238,18 +255,13 @@ benefits conferred by Tor's unique link encryption\cite{ccs-wtf}. Tor's link properties are by no means a complete defense, but they show that there is room to develop defenses that specifically aim to increase the size -of the classification domain and associated base rate. In fact, it is our -belief that minimal padding and clever use of request and response behavior -will increase the false positive rate enough to frustrate these attacks. For -this reason, we have been encouraging continued study of low-overhead defenses -against traffic fingerprinting\cite{torbrowser-wtf}. - -With the aid of an encrypted TLS handshake, we are hopeful that these defenses -will also be applicable to non-Tor TLS sessions as well. In addition to -protecting the communications of non-Tor users from traffic fingerprinting, -the application of these defenses to the HTTP TLS layer will serve to increase -the difficulty of end-to-end correlation and general traffic analysis of Tor -exit node traffic as well. +of the classification domain and the base rate. Additionally, with a large +base rate, it is our belief that minimal padding and clever use of request and +response behavior will increase the false positive rate enough to prevent +these attacks from being practical, even when some amount of prior information +about the website in question is available. For this reason, we have been +encouraging continued study of low-overhead defenses against traffic +fingerprinting\cite{torbrowser-wtf}. \subsection{Traffic Analysis Improvements and Issues with HTTP/2} @@ -258,19 +270,19 @@ experimental defense against it that attempted to use HTTP/1.1 pipelining to randomize pipeline depth and request ordering to reduce the information available to classifiers\cite{blog-pipelining}. Unfortunately, cursory experiments have revealed that this defense appears to provide questionable -benefit, though exactly why has not yet been investigated. We suspect this may -be due to the lack of support for large pipeline depths (or any reliable -HTTP/1.1 pipelining at all) on many sites. +benefit, though exactly why has not yet been thoroughly investigated. We +suspect it may be due to the lack of support for large pipeline depths (or +any reliable HTTP/1.1 pipelining at all) on many sites. We are hopeful that HTTP/2 will enable better request and response size and -ordering randomization through the use of HTTP/2's client configurable frame +ordering randomization through the use of HTTP/2's client-configurable frame size and stream multiplexing properties, in addition to frame padding. Leveraging these features is high on the list of low-overhead defense experiments that the Tor Project is interested in evaluating when we pick up the Firefox implementation of HTTP/2 as part of our rebase to Firefox 38-ESR in the coming months. -However, in our preliminary investigation of HTTP/2, we also iscovered that +However, in our preliminary investigation of HTTP/2, we also discovered that certain aspects of the protocol may aid certain types of traffic analysis attacks. @@ -278,7 +290,7 @@ In particular, the PING and SETTINGS frames are acknowledged immediately by the client, which might give servers the ability to collect information about a client's location and/or routing via timing side-channels. They also allow the server to introduce an active traffic pattern that can be used for end-to-end -correlation or confirmation. +traffic correlation or confirmation. In Tor Browser, we will likely introduce delay or jitter before responding to these requests, and close the connection after receiving some rate of @@ -294,11 +306,21 @@ mitigated by Tor Browser. \subsection{Future Traffic Analysis Resistance Enhancements for HTTP/3} +With the aid of an encrypted TLS handshake (to increase the classification +domain and associated base rate), along with some additional padding features, +we are hopeful that defenses against traffic fingerprinting will also be +applicable to non-Tor TLS sessions as well. In addition to protecting the +communications of non-Tor users from traffic fingerprinting, the application +of these defenses to the HTTP layer will also serve to increase the difficulty +of end-to-end traffic correlation and general traffic analysis of Tor exit +node traffic. + In terms of assisting traffic analysis defenses, we would like to see capabilities for larger amounts of per-frame padding, and more fine-grained client-side control over frame sizes. Unfortunately the 256 bytes of padding provided by HTTP/2 is likely to be inconsequential when combined with the -minimum frame size the client can request (16 kilobytes). +minimum frame size the client can request (16 kilobytes), unless we are +additionally able to take advantage of Tor's 512 byte cell size in tandem. In combination with researchers at the University of Leuven, the Tor Project has also developed a protocol\cite{multihop-padding} and prototype

1 0

[tor-browser-spec/master] Add bibliography and citations.
by mikeperry＠torproject.org 04 May '15

04 May '15

commit 8348b0d88fa0448d89d8146de4569ded10b57490 Author: Mike Perry <mikeperry-git(a)torproject.org> Date: Fri May 1 02:09:31 2015 -0700 Add bibliography and citations. --- position-papers/HTTP3/HTTP3.bbl | 124 ++++++++++++++++++++++----------------- position-papers/HTTP3/HTTP3.tex | 103 +++++++++++++++++--------------- 2 files changed, 127 insertions(+), 100 deletions(-) diff --git a/position-papers/HTTP3/HTTP3.bbl b/position-papers/HTTP3/HTTP3.bbl index feb7b6f..3d9e725 100644 --- a/position-papers/HTTP3/HTTP3.bbl +++ b/position-papers/HTTP3/HTTP3.bbl @@ -1,60 +1,76 @@ \begin{thebibliography}{10} -\bibitem{web-send} -Tyler Close, Rajiv Makhijani, Mark Seaborn, Kenton Varda, Johan Apelqvist, - Claes Nilsson, and Mike Hanson. -\newblock {Web Introducer}. -\newblock \url{http://web-send.org/introducer/}. - -\bibitem{target} -Charles Duhigg. -\newblock {How Companies Learn Your Secrets}. -\newblock - \url{https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewa% -nted=9}. - -\bibitem{panopticlick} -Peter Eckersley. -\newblock How unique is your web browser? -\newblock In {\em Proceedings of the 10th international conference on Privacy - enhancing technologies}, PETS'10, pages 1--18, Berlin, Heidelberg, 2010. - Springer-Verlag. - -\bibitem{DNT-adoption} -Alex Fowler. -\newblock {Mozilla Led Effort for DNT Finds Broad Support}. -\newblock - \url{https://blog.mozilla.org/privacy/2012/02/23/mozilla-led-effort-for-dnt-% -finds-broad-support/}. - -\bibitem{safecache} -Collin Jackson and Dan Boneh. -\newblock Protecting browser state from web privacy attacks. -\newblock In {\em In Proceedings of the International World Wide Web - Conference}, pages 737--744, 2006. - -\bibitem{DNT-draft} -J.~Mayer, A.~Narayanan, and S.~Stamm. -\newblock {Do Not Track: A Universal Third-Party Web Tracking Opt Out}. -\newblock \url{https://tools.ietf.org/html/draft-mayer-do-not-track-00}. - -\bibitem{fourthparty} -Jonathan~R. Mayer and John~C. Mitchell. -\newblock {Third-Party Web Tracking: Policy and Technology}. -\newblock \url{https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf}. - -\bibitem{Persona} -Mozilla~Developer Network. -\newblock {Persona}. -\newblock \url{https://developer.mozilla.org/en-US/docs/persona}. - -\bibitem{torbrowser} -Mike Perry. +\bibitem{torbrowser-identifiers} +Mike Perry, Erinn Clark, Steven Murdoch \newblock {The Design and Implementation of the Tor Browser}. -\newblock \url{https://www.torproject.org/projects/torbrowser/design/}. +\newblock {Section 4.5: Cross-Origin Identifier Unlinkability}. +\newblock \url{https://www.torproject.org/projects/torbrowser/design/#identifier-linkability}. + +\bibitem{torbrowser-longterm} +Mike Perry, Erinn Clark, Steven Murdoch +\newblock {The Design and Implementation of the Tor Browser}. +\newblock {Section 4.7: Long-Term Unlinkability via "New Identity" button}. +\newblock \url{https://www.torproject.org/projects/torbrowser/design/#new-identity}. + +\bibitem{torbrowser-fingerprinting} +Mike Perry, Erinn Clark, Steven Murdoch +\newblock {The Design and Implementation of the Tor Browser}. +\newblock {Section 4.6: Cross-Origin Fingerprinting Unlinkability}. +\newblock \url{https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability}. + +\bibitem{http2-spec} +M. Belshe, R. Peon, M. Thomson +\newblock {Hypertext Transfer Protocol version 2}. +\newblock \url{https://http2.github.io/http2-spec/}. + +\bibitem{lets-encrypt} +Mozilla, Akamai, Cisco, EFF, Identrust, Automattic +\newblock {Let's Encrypt Certificate Authority}. +\newblock \url{https://letsencrypt.org/}. + +\bibitem{encrypted-handshake} +M. Ray +\newblock {Transport Layer Security (TLS) Encrypted Handshake Extension}. +\newblock \url{https://tools.ietf.org/html/draft-ray-tls-encrypted-handshake-00}. + +\bibitem{blog-wtf} +Mike Perry +\newblock {A Critique of Website Traffic Fingerprinting Attacks}. +\newblock \url{https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks} + +\bibitem{blog-pipelining} +Mike Perry +\newblock {Experimental Defense for Website Traffic Fingerprinting}. +\newblock \url{https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting} + +\bibitem{torbrowser-wtf} +Mike Perry, Erinn Clark, Steven Murdoch +\newblock {The Design and Implementation of the Tor Browser}. +\newblock {Section 4.8: Other Defenses}. +\newblock \url{https://www.torproject.org/projects/torbrowser/design/#traffic-fingerprinting-defenses} + +\bibitem{multihop-padding} +Mike Perry, Marc Juarez +\newblock {Multihop Padding Primitives} +\newblock \url{https://gitweb.torproject.org/user/mikeperry/torspec.git/plain/proposals/ideas/xxx-multihop-padding-primitives.txt?h=multihop-padding-primitives} + +\bibitem{wfpadtools} +Marc Juarez +\newblock {WFPadTools} +\newblock \url{https://bitbucket.org/mjuarezm/obfsproxy_wfpadtools/} + +\bibitem{tor-udp} +Steven J. Murdoch +\newblock {Comparison of Tor Datagram Designs} +\newblock \url{https://research.torproject.org/techreports/datagram-comparison-2011-11-07.pdf} + +\bibitem{ccs-wtf} +Marc Juarez and Sadia Afroz and Gunes Acar and Claudia Diaz and Rachel Greenstadt +\newblock {A Critical Evaluation of Website Fingerprinting Attacks} +\newblock {Proceedings of the 21th ACM conference on Computer and Communications Security (CCS 2014)} +\newblock \url{https://www.eecs.berkeley.edu/~sa499/papers/ccs-webfp-final.pdf} +} + -\bibitem{thirdparty} -Dan Witte. -\newblock \url{https://wiki.mozilla.org/Thirdparty}. \end{thebibliography} diff --git a/position-papers/HTTP3/HTTP3.tex b/position-papers/HTTP3/HTTP3.tex index b4d7993..d7d8aac 100644 --- a/position-papers/HTTP3/HTTP3.tex +++ b/position-papers/HTTP3/HTTP3.tex @@ -77,23 +77,21 @@ HTTP layer that persists beyond the duration or scope of a single connection. For background, the Tor Project has designed Tor Browser with two main properties for limiting identifier-based tracking: First Party Isolation, and Long Term Unlinkability. -% FIXME: cite design doc First Party Isolation is the property that a user's actions at one top-level URL bar domain must not be correlated or linked to their actions on a different top-level URL bar domain. We maintain this property through a number of patches and modifications to various aspects of browser functionality and -state keeping. -% FIXME: Cite design doc +state keeping\cite{torbrowser-identifiers}. Long Term Unlinkability is the property that a user's future activity must not -be linked or correlated to any prior activity after that user's explicit request -to sever this link. Tor Browser provides Long Term Unlinkability by allowing -the user to clear all browser tracking data in a single click (called "New -Identity"). Our long-term goal is to allow users to define their relationship -with individual first parties, and alter that relationship by resetting or -blocking the associated tracking data on a per-site basis. -% FIXME: Cite design doc +be linked or correlated to any prior activity after that user's explicit +request to sever this link. Tor Browser provides Long Term Unlinkability by +allowing the user to clear all browser tracking data in a single click (called +"New Identity")\cite{torbrowser-longterm}. Our long-term goal is to allow +users to define their relationship with individual first parties, and alter +that relationship by resetting or blocking the associated tracking data on a +per-site basis. \subsection{Identifier Linkability in HTTP/2} @@ -136,8 +134,8 @@ The heavy use of connection multiplexing in HTTP/2 may present additional complexities for ensuring that requests are isolated. Unfortunately, unlike identifier usage, connection usage linkability is encouraged by the HTTP/2 specification in Section 9.1 (in the form of specifying that clients -SHOULD NOT open more than one connection to a given host and port). -% FIXME: Cite HTTP2 S 9.1 +SHOULD NOT open more than one connection to a given host and +port)\cite{http2-spec}. \subsection{Avoiding Future Connection Usage Linkability} @@ -168,7 +166,7 @@ to obtain or infer end user configuration details and device characteristics. We concern ourselves with operating system fingerprinting only to the point of removing ways of detecting a specific operating system version. We make no attempt to address fingerprinting due to browser vendor and version -differences. % FIXME: cite fingerprinting doc +differences\cite{torbrowser-fingerprinting}. Under this model, it is unlikely that very many fingerprinting vectors that concern us will arise in the HTTP layer. However, the possibility for end user @@ -198,22 +196,21 @@ The Tor Project is very interested in any efforts to improve the confidentiality and integrity of the session layer of HTTP/3. In particular, we are strong advocates for mandatory authenticated encryption -of HTTP/3 connections. The availability of entry-level authentication through -the Let's Encrypt Project should eliminate the remaining barriers to requiring -authenticated encryption, as opposed to deploying opportunistic mechanisms. -% FIXME: Cite Let's Encrypt +of HTTP/3 connections. The availability of free and automated entry-level +authentication through the Let's Encrypt Project\cite{lets-encrypt} should +eliminate the remaining barriers to requiring authenticated encryption, as +opposed to deploying opportunistic mechanisms. We are also interested in efforts to encrypt the ClientHello and ServerHello messages using an initial ephemeral handshake, as described in the Encrypted -TLS Handshake proposal. If SNI, ALPN, and the ServerHello can be encrypted -using an ephemeral key exchange that is authenticated later in the handshake, -the adversary loses a great deal of information about the user's intended -destination site. When large scale CDNs and multi-site load balancers are -involved, the ultimate destination would be impossible to determine with this -type of handshake in place. This will aid in defenses against traffic -fingerprinting and traffic analysis, which we describe detail in the next -section. -% FIXME: Cite https://tools.ietf.org/html/draft-ray-tls-encrypted-handshake-00 +TLS Handshake proposal\cite{encrypted-handshake}. If SNI, ALPN, and the +ServerHello can be encrypted using an ephemeral key exchange that is +authenticated later in the handshake, the adversary loses a great deal of +information about the user's intended destination site. When large scale CDNs +and multi-site load balancers are involved, the ultimate destination would be +impossible to determine with this type of handshake in place. This will aid in +defenses against traffic fingerprinting and traffic analysis, which we +describe detail in the next section. \section{Traffic Fingerprinting and Traffic Analysis Concerns} @@ -235,19 +232,17 @@ accuracy and capabilities by increasing the size of the classification domain. There was some initial controversy in the research literature as to the exact degree to which the classification domain size, the base rate fallacy, and other machine learning issues applied to website traffic fingerprinting of Tor -traffic, but after publicly requesting that these effects be studied in closer -detail, recent results have confirmed and quantified the benefits conferred by -Tor's unique link encryption. +traffic, but after we publicly requested that these effects be studied in +closer detail\cite{blog-wtf}, recent results have confirmed and quantified the +benefits conferred by Tor's unique link encryption\cite{ccs-wtf}. Tor's link properties are by no means a complete defense, but they show that there is room to develop defenses that specifically aim to increase the size of the classification domain and associated base rate. In fact, it is our -belief that minimal padding and clever use of request and response framing +belief that minimal padding and clever use of request and response behavior will increase the false positive rate enough to frustrate these attacks. For this reason, we have been encouraging continued study of low-overhead defenses -against traffic fingerprinting. -% FIXME: Cite blog post and Mjaurez's paper -% FIXME: Cite design doc's website traffic fingerprinting section +against traffic fingerprinting\cite{torbrowser-wtf}. With the aid of an encrypted TLS handshake, we are hopeful that these defenses will also be applicable to non-Tor TLS sessions as well. In addition to @@ -256,10 +251,28 @@ the application of these defenses to the HTTP TLS layer will serve to increase the difficulty of end-to-end correlation and general traffic analysis of Tor exit node traffic as well. -\subsection{Traffic Analysis Issues with HTTP/2} - -In our preliminary investigation of HTTP/2, we discovered that certain aspects -of the protocol may aid certain types of traffic analysis attacks. +\subsection{Traffic Analysis Improvements and Issues with HTTP/2} + +When website traffic fingerprinting was first studied in Tor, we developed an +experimental defense against it that attempted to use HTTP/1.1 pipelining to +randomize pipeline depth and request ordering to reduce the information +available to classifiers\cite{blog-pipelining}. Unfortunately, cursory +experiments have revealed that this defense appears to provide questionable +benefit, though exactly why has not yet been investigated. We suspect this may +be due to the lack of support for large pipeline depths (or any reliable +HTTP/1.1 pipelining at all) on many sites. + +We are hopeful that HTTP/2 will enable better request and response size and +ordering randomization through the use of HTTP/2's client configurable frame +size and stream multiplexing properties, in addition to frame padding. +Leveraging these features is high on the list of low-overhead defense +experiments that the Tor Project is interested in evaluating when we pick up +the Firefox implementation of HTTP/2 as part of our rebase to Firefox 38-ESR +in the coming months. + +However, in our preliminary investigation of HTTP/2, we also iscovered that +certain aspects of the protocol may aid certain types of traffic analysis +attacks. In particular, the PING and SETTINGS frames are acknowledged immediately by the client, which might give servers the ability to collect information about a @@ -288,12 +301,11 @@ provided by HTTP/2 is likely to be inconsequential when combined with the minimum frame size the client can request (16 kilobytes). In combination with researchers at the University of Leuven, the Tor Project -has also developed a protocol and prototype implementation for communicating -statistical schedules for asynchronous padding from Tor clients to Tor relays. -The research community is currently in the process of evaluating the efficacy -of this protocol against traffic fingerprinting and other traffic analysis -attacks. -% FIXME: Cite padding idea and wfpadtools +has also developed a protocol\cite{multihop-padding} and prototype +implementation\cite{wfpadtools} for communicating statistical schedules for +asynchronous padding from Tor clients to Tor relays. The research community +is currently in the process of evaluating the efficacy of this protocol +against traffic fingerprinting and other traffic analysis attacks. Pending the results of this analysis, these padding commands could form the basis of new HTTP/3 frame commands for communicating more sophisticated (yet @@ -319,9 +331,8 @@ Long term, our goal is to transition the entire Tor network to our own datagram protocol with custom congestion and flow control to better support both native datagram transport and end-to-end flow control. However, additional research is still needed to examine the anonymity implications -associated with this transition. Our present estimate is that a full network -transition to UDP is at least five years away. -% FIXME: Site Murdoch's UDP study +associated with this transition\cite{tor-udp}. Our present estimate is that a +full network transition to UDP is at least five years away. We are also concerned that even after a full network transition to a datagram transport, it is likely that the congestion, flow, and reliability control of

1 0

[translation/tails-misc_completed] Update translations for tails-misc_completed
by translation＠torproject.org 04 May '15

04 May '15

commit c0b9b7268da55ba47d44c59d98f23cd83a5ff545 Author: Translation commit bot <translation(a)torproject.org> Date: Mon May 4 16:45:55 2015 +0000 Update translations for tails-misc_completed --- ca.po | 76 ++++++++++++++++++++++++++++++++++------------------------------- 1 file changed, 40 insertions(+), 36 deletions(-) diff --git a/ca.po b/ca.po index cddcd71..025a1ba 100644 --- a/ca.po +++ b/ca.po @@ -7,14 +7,14 @@ # Assumpta Anglada <assumptaanglada(a)gmail.com>, 2014 # Eloi García i Fargas, 2014 # Humbert <humbert.costas(a)gmail.com>, 2014 -# laia_ <laiaadorio(a)gmail.com>, 2014-2015 +# laia_, 2014-2015 msgid "" msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2015-02-23 16:25+0100\n" -"PO-Revision-Date: 2015-03-20 19:32+0000\n" -"Last-Translator: laia_ <laiaadorio(a)gmail.com>\n" +"POT-Creation-Date: 2015-05-02 23:47+0200\n" +"PO-Revision-Date: 2015-05-04 16:33+0000\n" +"Last-Translator: laia_\n" "Language-Team: Catalan (http://www.transifex.com/projects/p/torproject/language/ca/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -22,11 +22,11 @@ msgstr "" "Language: ca\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -#: config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh:42 +#: config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready.sh:43 msgid "Tor is ready" msgstr "Tor es troba actiu" -#: config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh:43 +#: config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready.sh:44 msgid "You can now access the Internet." msgstr "Ara ja pots accedir a Internet." @@ -100,128 +100,132 @@ msgstr "_Desxifrar/Xifrar el Portapapers" msgid "_Manage Keys" msgstr "_Gestió de Claus" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:244 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:208 +msgid "_Open Text Editor" +msgstr "_Obre l'editor de textos" + +#: config/chroot_local-includes/usr/local/bin/gpgApplet:252 msgid "The clipboard does not contain valid input data." msgstr "El portapapers no conté dades d'entrada vàlides." -#: config/chroot_local-includes/usr/local/bin/gpgApplet:295 -#: config/chroot_local-includes/usr/local/bin/gpgApplet:297 -#: config/chroot_local-includes/usr/local/bin/gpgApplet:299 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:303 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:305 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:307 msgid "Unknown Trust" msgstr "Confiança desconeguda" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:301 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:309 msgid "Marginal Trust" msgstr "Confiança marginal" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:303 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:311 msgid "Full Trust" msgstr "Plena confiança" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:305 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:313 msgid "Ultimate Trust" msgstr "Confiança fins al final" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:358 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:366 msgid "Name" msgstr "Nom" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:359 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:367 msgid "Key ID" msgstr "ID de la Clau" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:360 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:368 msgid "Status" msgstr "Estat" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:392 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:400 msgid "Fingerprint:" msgstr "Empremta digital:" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:395 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:403 msgid "User ID:" msgid_plural "User IDs:" msgstr[0] "ID d'usuari:" msgstr[1] "IDs d'usuari:" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:425 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:433 msgid "None (Don't sign)" msgstr "Cap (no signat)" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:488 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:496 msgid "Select recipients:" msgstr "Sel·lecciona destinataris" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:496 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:504 msgid "Hide recipients" msgstr "Oculta destinataris" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:499 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:507 msgid "" "Hide the user IDs of all recipients of an encrypted message. Otherwise " "anyone that sees the encrypted message can see who the recipients are." msgstr "Oculta els IDs d'usuari de tots els receptors del missatge xifrat. Altrament, qualsevol persona que vegi el missatge xifrat veurà qui són els destinataris." -#: config/chroot_local-includes/usr/local/bin/gpgApplet:505 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:513 msgid "Sign message as:" msgstr "Signa el missatge com:" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:509 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:517 msgid "Choose keys" msgstr "Tria les claus" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:549 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:557 msgid "Do you trust these keys?" msgstr "Confies en aquestes claus?" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:552 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:560 msgid "The following selected key is not fully trusted:" msgid_plural "The following selected keys are not fully trusted:" msgstr[0] "La clau seleccionada no és de plena confiança:" msgstr[1] "Les claus seleccionades no són de plena confiança:" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:570 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:578 msgid "Do you trust this key enough to use it anyway?" msgid_plural "Do you trust these keys enough to use them anyway?" msgstr[0] "Tens prou confiança amb aquesta clau per fer-ne ús?" msgstr[1] "Tens prou confiança amb aquestes claus per usar-les?" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:583 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:591 msgid "No keys selected" msgstr "Cap clau seleccionada" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:585 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:593 msgid "" "You must select a private key to sign the message, or some public keys to " "encrypt the message, or both." msgstr "Has de seleccionar una clau privada per signar el missatge, o alguna clau pública per xifrar el missatge, o ambdues." -#: config/chroot_local-includes/usr/local/bin/gpgApplet:613 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:621 msgid "No keys available" msgstr "No hi ha claus disponibles" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:615 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:623 msgid "" "You need a private key to sign messages or a public key to encrypt messages." msgstr "Necessites una clau privada per signar missatges o una clau pública per xifrar missatges." -#: config/chroot_local-includes/usr/local/bin/gpgApplet:743 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:751 msgid "GnuPG error" msgstr "Error GnuPG" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:764 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:772 msgid "Therefore the operation cannot be performed." msgstr "Per tant, la operació no es pot realitzar." -#: config/chroot_local-includes/usr/local/bin/gpgApplet:814 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:822 msgid "GnuPG results" msgstr "Resultats GnuPG" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:820 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:828 msgid "Output of GnuPG:" msgstr "Sortida de GnuPG:" -#: config/chroot_local-includes/usr/local/bin/gpgApplet:845 +#: config/chroot_local-includes/usr/local/bin/gpgApplet:853 msgid "Other messages provided by GnuPG:" msgstr "Altres missatges entregats per GnuPG:"

1 0

[translation/tails-misc] Update translations for tails-misc
by translation＠torproject.org 04 May '15

04 May '15

commit 1b63617330713c29e2e604af074d4be828b31870 Author: Translation commit bot <translation(a)torproject.org> Date: Mon May 4 16:45:51 2015 +0000 Update translations for tails-misc --- ca.po | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ca.po b/ca.po index 1a8b0d0..025a1ba 100644 --- a/ca.po +++ b/ca.po @@ -13,8 +13,8 @@ msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2015-05-02 23:47+0200\n" -"PO-Revision-Date: 2015-05-03 08:25+0000\n" -"Last-Translator: runasand <runa.sandvik(a)gmail.com>\n" +"PO-Revision-Date: 2015-05-04 16:33+0000\n" +"Last-Translator: laia_\n" "Language-Team: Catalan (http://www.transifex.com/projects/p/torproject/language/ca/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -102,7 +102,7 @@ msgstr "_Gestió de Claus" #: config/chroot_local-includes/usr/local/bin/gpgApplet:208 msgid "_Open Text Editor" -msgstr "" +msgstr "_Obre l'editor de textos" #: config/chroot_local-includes/usr/local/bin/gpgApplet:252 msgid "The clipboard does not contain valid input data."

1 0

[translation/tor-launcher-network-settings_completed] Update translations for tor-launcher-network-settings_completed
by translation＠torproject.org 04 May '15

04 May '15

commit 535b47abffafc346d3297c2f10e62a53f7b54742 Author: Translation commit bot <translation(a)torproject.org> Date: Mon May 4 16:45:47 2015 +0000 Update translations for tor-launcher-network-settings_completed --- ca/network-settings.dtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ca/network-settings.dtd b/ca/network-settings.dtd index 7bf1ca5..b817d3c 100644 --- a/ca/network-settings.dtd +++ b/ca/network-settings.dtd @@ -1,4 +1,4 @@ -<!ENTITY torsettings.dialog.title "Configuració de la Xarxa Tor"> +<!ENTITY torsettings.dialog.title "Configuració de la Tor Network">

1 0

[translation/tor-launcher-network-settings] Update translations for tor-launcher-network-settings
by translation＠torproject.org 04 May '15

04 May '15

commit 452de810795e093c328577abaadef72b55317a6e Author: Translation commit bot <translation(a)torproject.org> Date: Mon May 4 16:45:44 2015 +0000 Update translations for tor-launcher-network-settings --- ca/network-settings.dtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ca/network-settings.dtd b/ca/network-settings.dtd index 7bf1ca5..b817d3c 100644 --- a/ca/network-settings.dtd +++ b/ca/network-settings.dtd @@ -1,4 +1,4 @@ -<!ENTITY torsettings.dialog.title "Configuració de la Xarxa Tor"> +<!ENTITY torsettings.dialog.title "Configuració de la Tor Network">

1 0

[translation/https_everywhere_completed] Update translations for https_everywhere_completed
by translation＠torproject.org 04 May '15

04 May '15

commit ca90406acdd4cbd351380f6bde23ddfad0364725 Author: Translation commit bot <translation(a)torproject.org> Date: Mon May 4 16:45:25 2015 +0000 Update translations for https_everywhere_completed --- ca/ssl-observatory.dtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ca/ssl-observatory.dtd b/ca/ssl-observatory.dtd index ce27c0e..1d22c96 100644 --- a/ca/ssl-observatory.dtd +++ b/ca/ssl-observatory.dtd @@ -1,6 +1,6 @@  <!ENTITY ssl-observatory.popup.details "Detalls i privacitat de la Informació"> -<!ENTITY ssl-observatory.popup.later "Preguntar més endavant"> +<!ENTITY ssl-observatory.popup.later "Pregunta-ho més endavant"> <!ENTITY ssl-observatory.popup.no "No"> <!ENTITY ssl-observatory.popup.text "HTTPS a tot arreu pot detectar atacs

1 0

← Newer
1
...
78
79
80
81
82
83
84
...
99
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits May 2015