December 2011 - tor-dev - lists.torproject.org

Purpose Controller Bug
by Tarik Karaoglu 14 Dec '11

14 Dec '11

Hi, I am trying to create circuits for use of my controller application however I got the following warning after my unsuccessful attempt. Dec 14 02:43:35.239 [warn] circuit_launch_by_extend_info(): Bug: unexpected purpose 19 when cannibalizing a circ. If I don't specify any purpose, I am able to create general purpose circuits. Another problem is that, is there a way to tell Tor to use separate circuits for each flow if possible when Tor attaches streams to circuits? Currently I am trying to attach streams to circuits using my controller but I am facing Proxy timeout issues like below: Dec 14 02:45:35.690 [notice] Tried for 120 seconds to get a connection to [scrubbed]:40000. Giving up. (waiting for controller) Any help will be appreciated. Thanks, Tarik

1 0

How to try out the new shiny IPv6 bridge support
by Linus Nordberg 13 Dec '11

13 Dec '11

Hi, With great help from Jeroen Massars address independence patch posted to this list earlier this year, a first milestone of IPv6 support in tor was reached in the 0.2.3.9-alpha release. Clients can now connect to private bridges over IPv6 if configured for that. If you are at all interested in trying out the new IPv6 support, this short HOWTO is for you. Please note that this is new code. Be prepared to run into bugs, hunt them down, report them, help out solve them and earn eternal fame and glory. It's a pain, but someone's got to do it. As part of proposal 186 ("Multiple addresses for one OR or bridge"), the ORPort configuration option has changed and ORListenAddress will be deprecated. We can use this for adding an IPv6 address to a bridge already running on an IPv4 address. (Another option is to run a bridge listening _only_ to IPv6 but note that every relay need IPv4 too, in order to speak to other OR's in the Tor network.) In order to configure a bridge to listen to an IPv6 address, add an ORPort option with an IPv6 address within square brackets and a port number like this: ORPort [2001:DB8::42]:4711 In order to have your client connect to a bridge over IPv6, simply state the address of the bridge within square brackets and a port number in a Bridge line: Bridge [2001:DB8::42]:4711 Note that there's still no support for IPv6 in BridgeDB. There is no harm in specifying PublishServerDescriptor 1 but nothing good will come out of it. You will have to find other ways of getting your bridge addresses to your users. Note also that if you configure your client with two (or more) addresses belonging to the very same bridge, your client will pick one of them and try to use that. This behaviour is not perfect and will change in future versions of tor. This behaviour isn't even bug free and should not be counted on -- especially when an IPv6 address is preferred over an IPv4 address, in which case the IPv4 address in many cases is the one being used anyway. Short story: Don't configure your client with more than one address per bridge. Please let me know if there are any questions about this and if you run in to any trouble setting it up. Then, when you run into the bugs, please go to https://trac.torproject.org/ and fire away. Thanks, Linus

1 0

Uploading video over Orbot
by Nathan Freitas 11 Dec '11

11 Dec '11

Some progress to share on Tor-related efforts with our Secure Smart Cam project with WITNESS. (More here: https://guardianproject.info/apps/securecam/ ) I know that "uploading HD video over a mobile network on Tor" has long been one of these cringe-inducing requests from NGOs, but at least for short clips, it seems to be working fairly well, both to YouTube and to the self-hostabled Videobin.org software. SSCXfer is my reduction of the Vidiom.mobi (http://vidiom.mobi/) app to be a focused, clean secure video uploader for YouTube and the self-hostable videobin.org software. Vidiom is pretty fantastic, but is a bit too kitchen sink, and also included features like FTP and Facebook upload which I don't feel comfortable putting a "secure" stamp on. The YouTube upload code comes from the very interesting "YouTube Direct" project's Android client: http://code.google.com/p/ytd-android/ The basic user story for SSCXfer is: "Alice has sensitive video evidence of a human rights crime recorded on her smartphone and wants to upload it to YouTube, but is in a country where YouTube is often blocked, and always monitored." a more complex one is: "Bob is a trained human rights defender working in a restrictive region, using his smartphone to interview victims about their experiences, and he needs to safely offload the videos from his phone to a secure private site as soon as possible, without raising any flags in the internet monitor systems." In this case "secure" and "safe", mean it will 1) use HTTPS as available, 2) store any local data in SQLCipher, and 3) support upload over proxy servers, specifically Orbot's built-in SOCKS or HTTP proxy without requiring root. In addition, the uploader must support low-bw, high latency connections, and support resumeable uploads. Finally, since videobin.org can be self-hosted, it is possible that a server could be run by WITNESS or any organization on a Tor hidden service .onion address, or at least on their own, https site. At this point, I've implemented support for Orbot/Tor working by enabling HTTP proxying support in all the HTTP connection code, and it is working quite well for both uploads to YouTube and the default Videobin.org site instance. Resume and retry seem to work, but I have not done extensive testing. I think the most extreme test scenario is uploading over Tor over EDGE network, and then going up and down into the subway. We'll see how we do in that case. Best, Nathan

1 1

AES_ctr128_encrypt() on Windows
by Gisle Vanem 07 Dec '11

07 Dec '11

Seems that this function isn't available in OpenSSL 1.1.0. On Windows at least. The function is enclosed in a "#if 0" in OpenSSL's <aes.h> and util/libeay.num also has this: AES_ctr128_encrypt 3216 NOEXIST::FUNCTION: So should we make an exception for Windows in common/aes.c: --- Git-latest/src/common/aes.c Mon Dec 05 16:54:55 2011 +++ src/common/aes.c Wed Dec 07 18:42:37 2011 @@ -17,7 +17,7 @@ #include <openssl/aes.h> #include <openssl/evp.h> #include <openssl/engine.h> -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(MS_WINDOWS) /* See comments about which counter mode implementation to use below. */ #include <openssl/modes.h> #define USE_OPENSSL_CTR --gv

2 2

Reduce TBB/OSX from 32MB to 23MB
by Fabio Pietrosanti (naif) 06 Dec '11

06 Dec '11

Hi all, made the following tricks that you can find attached to reduce the size of TBB/OSX from 32MB to 23MB . With this tricks it's possible to send TBB/OSX via Gmail using Gettor. It goes from: 32M /tmp/TorBrowser-2.2.34-3-dev-osx-x86_64-en-US.zip to 23M /tmp/TorBrowser-7z-wrap2.2.34-3-dev-osx-x86_64-en-US.zip Probably it would require some better cleanup and integration, that's just a working poc. -naif

1 0

routers as bridges
by Rob van der Hoeven 06 Dec '11

06 Dec '11

In July i posted a message on this list proposing to use a router as a Tor bridge. Recently i liberated one of my routers with OpenWrt which made it possible to test this idea. Seems to work. Wrote a small article about it on my blog: http://freedomboxblog.nl/routers-as-tor-bridges/ Cheers, Rob. http://freedomboxblog.nl

1 0

Automatically retrieve and store information about bridges
by Sebastian Hahn 01 Dec '11

01 Dec '11

Filename: xxx-store-bridge-information.txt Title: Automatically retrieve and store information about bridges Author: Sebastian Hahn Created: 16-Nov-2011 Status: Open Target: 0.2.[45].x Overview: Currently, tor already stores some information about the bridges it is configured to use locally, but doesn't make great use of the stored data. This data is the Tor configuration information about the bridge (IP address, port, and optionally fingerprint) and the bridge descriptor which gets stored along with the other descriptors a Tor client fetches, as well as an "EntryGuard" line in the state file. That line includes the Tor version we used to add the bridge, and a slightly randomized timestamp (up to a month in the past of the real date). The descriptor data also includes some more accurate timestamps about when the descriptor was fetched. The information we give out about bridges via bridgedb currently only includes the IP address and port, because giving out the fingerprint as well might mean that Tor clients make direct connections to the bridge authority, since we didn't design Tor's UpdateBridgesFromAuthority behaviour correctly. Motivation: The only way to let Tor know about a change affecting the bridge (IP address or port change) is to either ask the bridge authority directly, or reconfigure Tor. The former requires making a non-anonymized direct connection to the bridge authority Tonga and asking it for the current descriptor of the bridge with a given fingerprint - this is unsafe and also requires prior knowledge of the fingerprint. The latter requires user intervention, first to learn that there was an update and second to actually teach Tor about the change. This is way too complicated for most users, and should be unnecessary while the user has at least one bridge that remains working: Tonga can give out bridge descriptors when asked for the descriptor for a certain fingerprint, and Tor clients learn the fingerprint either from their torrc file or from the first connection they make to a bridge. For some users, however, this option is not what they want: They might use private bridges or have special security concerns, which would make them want to connect to the IP addresses specified in their configuration only, and not tell Tonga about the set of bridges they know about, even through a Tor circuit. Also see https://blog.torproject.org/blog/different-ways-use-bridge for more information about the different types of bridge users. Design: Tor should provide a new configuration option that allows bridge users to indicate that they wish to contact Tonga anonymously and learn about updates for the bridges that they know about, but can't currently reach. Once those updates have been received, the clients would then hold on to the new information in their state file, and use it across restarts for connection attempts. The option UpdateBridgesFromAuthority should be removed or recycled for this purpose, as it is currently dangerous to set (it makes direct connections to the bridge authority, thus leaking that a user is about to use bridges). Recycling the option is probably the better choice, because current users of the option get a surprising and never useful behaviour. On the other hand, users who downgrade their Tors might get the old behaviour by accident. If configured with this option, tor would make an anonymized connection to Tonga to ask for the descriptors of bridges that it cannot currently connect to, once every few hours. Making more frequent requests would likely not help, as bridge information doesn't typically change that frequently, and may overload Tonga. This information needs to be stored in the state file: - An exact copy of the Bridge stanza in the torrc file, so that tor can detect when the bridge is unconfigured/the configuration is changed - The IP address, port, and fingerprint we last used when making a successful connection to the bridge, if this differs from/supplements the configured data. - The IP address, port, and fingerprint we learned from the bridge authority, if this differs from both the configured data and the data we used for the last successful connection. We don't store more data in the state file to avoid leaking too much if the state file falls into the hands of an adversary. Security implications: Storing sensitive data on disk is risky when the computer one uses gets into the wrong hands, and state file entries can be used to identify times the user was online. This is already a problem for the Bridge lines in a user's configuration file, but by storing more information about bridges some timings can be deduced. Another risk is that this allows long-term tracking of users when the set of bridges a user knows about is known to the attacker, and the set is unique. This is not very hard to achieve for bridgedb, as users typically make requests to it non-anomymized and bridgedb can selectively pick bridges to report. By combining the data about descriptor fetches on Tonga and this fingerprint, a usage pattern can be established. Also, bridgedb could give out a made-up fingerprint to a user that requested bridges, thus easily creating a unique set. Users of private bridges should not set this option, as it will leak the fingerprints of their bridges to Tonga. This is not a huge concern, as Tonga doesn't know about those descriptors, but private bridge users will likely want to avoid leaking the existence of their bridge. We might want to figure out a way to indicate that a bridge is private on the Bridge line in the configuration, so fetching the descriptor from Tonga is disabled for those automatically. This warrants more discussion to find a solution that doesn't require bridge users to understand the trade-offs of setting a configuration option. One idea is to indicate that a bridge is private by a special flag in its bridge descriptor, so clients can avoid leaking those to the bridge authority automatically. Also, Bridge lines for private bridges shouldn't include the fingerprint so that users don't accidentally leak the fingerprint to the bridge authority before they have talked to the bridge. Specification: No change/addition to the current specification is necessary, as the data that gets stored at clients is not covered by the specification. This document is supposed to serve as a basis for discussion and to provide hints for implementors. Compatibility: Tonga is already set up to send out descriptors requested by clients, so the bridge authority side doesn't need any changes. The new configuration options governing the behaviour of Tor would be incompatible with previous versions, so the torrc needs to be adapted. The state file changes should not affect older versions.

2 1

Proposal: Bridge Detection Resistance against MITM-capable Adversaries
by George Kadianakis 01 Dec '11

01 Dec '11

Filename: XXX-mitm-bridge-detection-resistance.txt Title: Bridge Detection Resistance against MITM-capable Adversaries Author: George Kadianakis Created: 07 Nov 2011 Status: Open 1. Overview Proposals 187, 189 and 190 make the first steps toward scanning resistant bridges. They attempt to block attacks from censoring adversaries who provoke bridges into speaking the Tor protocol. An attack vector that hasn't been explored in those previous proposals is that of an adversary capable of performing Man In The Middle attacks to Tor clients. At the moment, Tor clients using the v3 link protocol have no way to detect such an MITM attack, and will gladly send an VERSIONS or an AUTHORIZE cell to the MITMed connection, thereby revealing the Tor protocol and thus the bridge. This proposal introduces a way for clients to detect an MITMed SSL connection, allowing them to protect against the above attack. 2. Motivation When the v3 link handshake protocol is performed, Tor's SSL handshake is performed with the server sending a self-signed certificate and the client blindly accepting it. This allows the adversary to perform an MITM attack. A Tor client must detect the MITM attack before he initializes the Tor protocol by sending a VERSIONS or an AUTHORIZE cell. A good moment to detect such an MITM attack is during the SSL handshake. To achieve that, bridge operators provide their bridge users with a hash digest of the public-key certificate their bridge is using for SSL. Bridge clients store that hash digest locally and associate it with that specific bridge. Bridge clients who have "pinned" a bridge to a certificate "fingerprint" can thereafter validate that their SSL connection peer is the intended bridge. Of course, the hash digest must be provided to users out-of-band and before the actual SSL handshake. Usually, the bridge operator gives the hash digest to her bridge users along with the rest of the bridge credentials, like the bridge's address and port. 3. Security implications Bridge clients who have pinned a bridge to a certificate fingerprint will be able to detect an MITMing adversary in timely fashion. If after detection they act as an innocuous Internet client, they can successfully remove suspicion from the SSL connection and subvert bridge detection. Pinning a certificate fingerprint and detecting an MITMing attacker does not automatically aleviate suspicions from the bridge or the client. Clients must have a behavior to follow after detecting the MITM attack so that they look like innocent Netizens. This proposal does not try to specify such a behavior. Implementation and use of this scheme does not render bridges and clients immune to scanning or DPI attacks. This scheme should be used along with bridge client authorization schemes like the ones detailed in proposal 190. 4. Tor Implementation 4.1. Certificate fingerprint creation The certificate fingerprints used on this scheme MUST be computed by applying the SHA256 cryptographic hash function upon the ASN.1 DER encoding of a public-key certificate. 4.2. Bridge side implementation Tor bridge implementations SHOULD provide a command line option that exports a fully equipped Bridge line containing the bridge address and port, the link certificate fingerprint and any other enabled Bridge options, so that bridge operators can easily send it to their users. In the case of expiring SSL certificates, Tor bridge implementations SHOULD warn the bridge operator a sensible amount of time before the expiration, so that she can warn her clients and potentially rotate the certificate herself. 4.3. Client side implementation Tor client implementations MUST extend their Bridge line format to support bridge SSL certificate fingerprints. The new format is: Bridge <method> <address:port> [["keyid="]<id-fingerprint>] \ ["shared_secret="<shared_secret>] ["link_cert_fpr="<fingerprint>] where <fingerprint> is the bridge's SSL certificate fingerprint in hexademical encoding. Tor clients who use bridges and want to pin their SSL certificates must specify the bridge's SSL certificate fingerprint as in: Bridge 12.34.56.78 shared_secret=934caff420aa7852b855 \ link_cert_fpr=38b0712e90bed729df81f2a22811d3dd89e91406d2522f4482ae4079e5245187 4.4. Implementation prerequisites Tor bridges currently rotate their SSL certificates every 2 hours. This not only acts as a fingerprint for the bridges, but it also acts as a blocker for this proposal. Tor trac ticket #4390 and proposal YYY were created to resolve this issue. 5. Acknowledgements Thanks to Robert Ransom for his great help and suggestions on devising this scheme and writing this proposal!

5 6

Sanitizing and publishing our web server logs
by Karsten Loesing 01 Dec '11

01 Dec '11

Hi everyone, we have been discussing sanitizing and publishing our web server logs for quite a while now. The idea is to remove all potentially sensitive parts from the logs, publish them in monthly tarballs on the metrics website, and analyze them for top visited pages, top downloaded packages, etc. See the tickets #1641 and #2489 for details. Here's a suggested sanitizing procedure for our web logs, which are in Apache's combined log format: - Ignore everything except GET requests. - Ignore all requests that resulted in a 404 status code. - Rewrite log lines so that they only contain the following fields: - IP address 0.0.0.0 for HTTP request or 0.0.0.1 for HTTPS requests (as logged by our Apache configuration), - the request date (with the time part set to 00:00:00), - the requested URL (cut off at the first encountered "?"), - the HTTP version, - the server's HTTP status code, and - the size of the returned object. - Write all lines from a given virtual host and day to a single output file. - Sort the output file alphanumerically to conceal the original order of requests. Here's a sample sanitized log file for www.torproject.org from May 1, 2009 (462K): http://freehaven.net/~karsten/volatile/www.torproject.org-access.log-200905… Is there still anything sensitive in that log file that we should remove? For example: - Do the logs reveal how many pages were cached already on the requestor's site (e.g. as repeat accesses)? Note that log files are sorted before being published. - Are there other concerns about making these sanitized log files publicly available? Are the decisions to remove parts from the logs reasonable? In particular: - Do we have to take out all requests with 404 status codes? Some of these requests for non-existing URLs contain typos which may not be safe to make public. Should we instead put in some placeholder for the URL part and keep the 404 lines to know how many 404's we have per day? - Is there any good reason to keep the portion of a URL after a "?"? - Is it possible to leave some part of Referers in the logs that helps us figure out where our traffic originates and what search terms people use to find us? - Can we resolve client IP addresses to country codes and include those in the logs instead of our 0.0.0.0/0.0.0.1 code for HTTP/HTTPS? How would we handle countries with only a few users per day, e.g., should there be a threshold below which we consider requests to come from "a country with less than XY users?" Thanks, Karsten

6 10