- tor-dev - lists.torproject.org

Tor Browser 4.5a5 will change circuit expiry to 2hrs
by Mike Perry 28 Mar '15

28 Mar '15

In Tor Browser 4.5a5, we decided to increase MaxCircuitDirtiness to 2 hours (https://trac.torproject.org/projects/tor/ticket/13766) Because we also use Tor's SOCKS username isolation using the URL bar domain as the SOCKS username in Tor Browser 4.5 now, this has the effect that websites you visit will continue to use the same circuit (and thus the same exit IP) for all of their content elements for 2 hours, or until you click "New Identity" or "New Tor Circuit for this Site" (which appeared in Tor Browser 4.5a4). The reasons for this change are detailed in that ticket description, but in summary I think it is a really, really bad user experience when a website switches languages, bans you, or logs you out every 10 minutes. My own workflow in Tor Browser has been frequently interrupted by this in ways that have caused lost work and/or lost access due to this problem. With this change in combination with the "New Tor Circuit for this Site" Torbutton menu option, you now have the ability to get a good circuit for a site that you can actually use long enough to get something done. However, there are some downsides to this change: 1. Longer circuit lifetimes may mean more memory consumption at relays. 2. Longer circuit lifetimes may make correlation easier for adversaries that run Tor nodes or can see inside TLS (by stealing node keys). 3. Longer circuit lifetimes may distinguish Tor Browser users at the Guard node. 4. Longer circuit lifetimes may mean that the Tor client is less able to adapt to transient changes in Tor relay overload - the load conditions that caused the Circuit Build Timeout code to pick your current path may have long since changed over the span of 2 hours. 5. We actually had to hack update, OCSP, and favicon requests to continue to use 10 minute circuits, because Firefox does not make it easy to determine the URL bar associated with them. (We opted to keep the circuits for these requests at 10 minutes to avoid excessive linkability at the exit.) Did I miss any? Long term, I think what I'd rather do to achieve this functionality is to create a "TrackIsolationExits" Tor feature that ensures that Tor Browser keeps the same exit IP for a given URL bar domain independent of the underlying circuit lifespan, as I mentioned in https://trac.torproject.org/projects/tor/ticket/15458#comment:2. So: How do we make the decision as to if it is more important to improve usability in the short term while we design and implement "TrackIsolationExits", or if the above concerns (and others) trump poor usability? Right now, I am inclined to make the choice that leads to more people being able to effectively use Tor Browser in the short term, and then try to provide a better solution that gives similar user-facing behaviors with better network usage properties in the long term. To complicate matters, as ticket #15458 indicates, there are several other security concerns related to circuit use by Tor Browser that also need to be ironed out. In particular, it is actually somewhat dangerous to allow websites to use a new circuit every 10 minutes for things like Javascript/AJAX requests, because this enables Guard discovery. SOCKS isolation and a long circuit lifespan may actually make such Guard discovery harder, but unfortunately, there may still be other ways to do this in Tor today (See https://trac.torproject.org/projects/tor/ticket/13669 and https://trac.torproject.org/projects/tor/ticket/7870) Thoughts? -- Mike Perry

5 8

Measurement of the amount of discrimination by website operators on Tor users?
by Rishab Nithyanand 28 Mar '15

28 Mar '15

Hey all, I was wondering if anyone could help me figure out the status of this blog post (from August 2014): https://blog.torproject.org/blog/call-arms-helping-internet-services-accept… Specifically this part: "Step one is to enumerate the set of websites and other Internet services that handle Tor connections differently from normal connections, and look for patterns that help us identify the common (centralized) services that impact many sites". I think it's an important step to help make more informed decisions about how the usability of Tor can be improved (by reducing discrimination). I've got a measurement platform in place, some ideas of how I'd like the study to be done, and an awesome mentor to help me with it. But I'd like to know if it's already been accomplished by someone else before investing time into it. Thanks! Rishab

2 1

onionoo-announces
by Nusenu 28 Mar '15

28 Mar '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Karsten, the latest onionoo update 2.3 triggered a bug in my onionoo "client" (charset encoding). Even though it is a bug on my side, would you mind announcing future releases/deployments on onionoo-announce [1] including a short changelog? thanks, Nusenu [1] https://lists.torproject.org/pipermail/onionoo-announce/2015/thread.html -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJVFeWsAAoJEFv7XvVCELh0aeYP/R9pkcPgMGttspr5cl1W1RM+ qeIutnhNDAMs+DcbHKmB19BzgSRUfzrm4DCqnizWIxdXcF+AQP2nhmP0y+hIWTrK 5ctBQsWMUiwHym0TcKbbIEHrP2BcIoQSIM1GG52G4OWfmoymjbi5J1Jd+KuXYsFr 8GtJlLkjHWcD8wQuCUtMSfq1tTK/XnQES/UfhTUfJ3TMZvR1wxD3BNWZFJSOFMP2 k7cfBLYSG2uRCyRZ8dkoLXnSeJ/aya2PqR41mvU5y+IdUHC8IoVItx3GhC4ZT2v1 YcQyxvVFZh0NEwrdnYIxErNN5CJjqDUyLPWVQPJGvKR1KgFVdtcqsJH8OsyvYW1y ysETJ9AXPReo9os+oAWVJZvFG1HwU6MzS4U7beuVMo3drzNh3433nkZbCX50hS4z WMUdsWjZgUNscAIj76ECI58wiTgYN8Ro5X9wY9LwSwJz7NHtc+a999xSLy3GUuUp vEerRa1k06PqeqpNsZoe/8WVwohZVtRc9oGTcXJgtRF3F3hltsqB6s03hGLsQfXJ roOFglxrUlBaGAVYlyLWHSDiPf2lVnNUF27nsGodjoTLEubsJ1BsxUqT1JTNi3yx k8WTU2ATfbTVKva0N7Ac3yBE8+ZkQ+YbZB839li9ocXuxi173/aNmG3mKOVWWhP2 x0C/WXllxI2ObZY05ryR =IfVc -----END PGP SIGNATURE-----

2 1

Localization
by Abhiram Chintangal 26 Mar '15

26 Mar '15

Hi, I ran into a user, who was asking for censorship circumvention tools that have been translated to indic languages ( Bengali, Hindi, Tamil and Telugu to name a few). Is there a separate mailing list for localization efforts? I would appreciate it if someone can point me to the right resources. Cheers! -- Abhiram Chintangal

1 0

Draft report on where to focus testing efforts and modularization efforts in Tor
by Nick Mathewson 26 Mar '15

26 Mar '15

0. Summary I've got some end-of-month deliverables to try to figure out how Tor fits together to identify the most important areas to test, the hardest areas to test, and the best ways to modularize Tor in the future. Here's my current draft. Some of these ideas are half-baked; many will need more rounds of revision before they can be acted on. For more information see tickets #15236 and #15234. 1. Testing Tor: Where we should focus 1.1. Let's focus on complicated, volatile things. These functions are the highest in length and in complexity: circuit_expire_building parse_port_config run_scheduled_events connection_ap_handshake_rewrite_and_attach options_act networkstatus_parse_vote_from_string connection_dir_client_reached_eof directory_handle_command_get networkstatus_compute_consensus options_validate If we focus on the number of commits that have code still live in a function, we have: circuit_expire_building parse_port_config run_scheduled_events connection_ap_handshake_rewrite_and_attach options_act networkstatus_parse_vote_from_string connection_dir_client_reached_eof directory_handle_command_get networkstatus_compute_consensus options_validate And if we want to focus on average commits per line of code in a function, weighted in various ways, these ones stand out: add_stream_log_impl connection_close_immediate connection_connect_sockaddr connection_dir_client_reached_eof connection_edge_destroy connection_exit_begin_conn connection_handle_write_impl consider_testing_reachability directory_info_has_arrived init_keys options_act options_validate router_add_to_routerlist router_dump_router_to_string tor_free_all router_rebuild_descriptor run_scheduled_events If we focus on how many changes have *ever* been made to a function, we get these as the top offenders: router_rebuild_descriptor onion_extend_cpath directory_handle_command dns_resolve assert_connection_ok connection_handle_write connection_handle_listener_read dns_found_answer circuit_extend main connection_edge_process_inbuf connection_ap_handshake_attach_circuit config_assign init_keys circuit_send_next_onion_skin connection_dir_process_inbuf prepare_for_poll connection_exit_begin_conn connection_ap_handshake_process_socks router_dump_router_to_string fetch_from_buf_socks getconfig run_scheduled_events connection_edge_process_relay_cell do_main_loop No single list above is uniquely the right one to focus on; instead, we should probably use them in tandem to identify areas to work on. 1.2. What will be hardest to test? The entire "blob" described in section 2.1 below should be considered hard-to-test because of the number of functions reachable from one another. Removing some of this callgraph complexity will help us test, but it's not completely trivial. See Appendix A for a list of functions of this kind. 2. Untangling Tor: Modules and You If you've done a software engineering class, you probably got taught how to diagram the modules or layers of a software project. I tried this with Tor back in 2005 and my head spun; things have not gotten easier since then. Looking at Tor's call graphs tell us a lot about our issues with modularizing Tor. In the abstract, we'd like to divide Tor into layers and modules, with most modules only calling a few others, and the "central" functions limited to as little code as possible. This will make modules more independent and help us test them in isolation. This will also help us with future design ideas like splitting Tor into separate processes for testing or security or robustness purposes. 2.1. Fun with callgraphs I did some analysis of Tor's callgraph to figure out where we stand today. About 27% of the functions that tor calls (internally and externally) can reach only 10 or fewer other functions that Tor knows about. About 82% can reach a smaller portion of Tor. Then there comes a block of functions that can reach _nearly every other function_ in the block, or in Tor. They are all reachable from one another. There are about 450 of these, or 11% of the functions in Tor. I'll call them "The Blob." Finally, there are functions that can reach the Blob, and all the functions that the Blob calls, but which are not themselves part of the Blob. These are about 100 functions, or 2% of the functions in Tor. Breaking up the Blob is a high priority for making Tor more modular. So, how can we do that? * Let's start by looking at which functions, if they were made unnecessary, or if they stopped calling into the Blob, would remove the most other functions from the Blob. * Let's also start by hand-annotating the Blob with a list of functions that logically shouldn't be part of the Blob, and then seeing what they call that pulls them into the Blob. Here are some preliminary results for the best functions to try to remove from the Blob, and some antipatterns to avoid: * The following functions pull many, many other functions into the Blob: control_event_* router_rebuild_descriptor_ directory_fetches_from_authorities *mark_for_close* *free *free_ If we could stop them calling back into the blob, we would shrink the blob's size down to 254 functions, and reduce the number of outside functions calling into the blob to 74. Also worth investigating is seeing whether to remove the call from 'connection_write_to_buf_impl_' to 'connection_handle_write', and the call from 'conection_handle_write_impl' to 'connection_handle_read'. Either of these changes reduces the number of functions reachable from blob functions severely, and shifts many functions from Blob-members to Blob-callers. Finally, these might be more work to unblob: 'connection_or_change_state' 'tor_cleanup' 'init_keys' 'connection_or_close_for_error' But doing so would take the blob down to 60 functions, with the blob-callers to 118. * Many functions that are meant to simply note that an event has occurred, so that some work must happen. We could refactor most of these to instead use a deferred callback type, rather than invoking the functions that call the work directly. This would also help us decouple Blob functions from one another. * I have the blob functions listed in Appendix A.1, with the ones that would still in the blob after the changes above listed in Appendix A.2. 2.2. Separating modules into processes and libraries; module-level APIs. Let's imagine this architecture: Tor runs as a series of conceptually separate processes that communicate over a reasonable IPC mechanism. These processes correspond to module boundaries; their APIs need to be carefully designed. There is a central communications process that does the work of transferring commands and replies from A to B. APIs would be divided into publish/subscribe types and remote-procedure call types. Modules would be divided into stateful/non-stateful; non-stateful ones could be shared libraries; or if their processing is sensitive, they could be kept in very sandboxed processes. How do we get there? To make the proposal concrete, I suggest for a 0th-order draft that we imagine the following simplified version: * That all src/common modules become shared libraries with no state. * That we divide (or imagine how to divide) the contents of src/or into separate modules, with more clear connections between them. We imagine doing this one part at a time, starting by adding a nice simple publish/subscribe mechanism. * That the controller API be reimagined as a a layer on top of the rest of this. * That any multiprocess version of this be imagined, for concreteness, as ProtocolBufs over nanomsg. (I'm not tied to this particular format/transport combination; just proposing it for concreteness. We would need a transition plan here. I'd suggest that some of the easiest modules to extract first would be voting, rephist, node information management, path selection, directory data, and hidden services. Most of these have the virtue of being more easily testable once they are extracted. Once we have some significant pieces split into libraries, and submodules, we could start doing process-level refactoring, moving towards an architecture built out of processes and parts of these kinds: * Network: Has libevent-driven main loop. Accepts commands in a pool, maybe from a subthread. * Utility: Is just event-driven. Answers requests, gives responses. * Manager: starts up processes as needed and connects them to one another. * Dispatcher: relays messages from where they come from to where they go. Our best next steps in this area, IMO, seem to be to identify one or two key areas and abstractions, and begin isolating them in practice so as to better get a feel for how this kind of transition works, so we can iterate our design. [Appendices in attachment so as to keep this to a reasonable size.]

1 0

Question about estimated number of clients
by Lei Yang 26 Mar '15

26 Mar '15

Hi, I have a question about estimated number of Tor clients. I know that the average number of Tor clients per day for each country is provided on the metrics site, which is a daily basis number. I am curious if I can get a more fine-grained information about how many clients are using Tor per hour for each country? I would like to know the peak number of concurrent users who are using Tor at a given time. Can anyone please give me some clues? Thank you very much! Best, Lei

2 5

Getting visuals out of bridge bandwidth statistics
by George Kadianakis 26 Mar '15

26 Mar '15

Hello, I recently discovered that bridges report detailed bandwidth histories in their extrainfo descriptors. We should think about the privacy implications of these statistics since they are quite fine grained (multiple measurements per day) and some bridges don't have many clients (hence small anonymity set for them). Until then, I decided to visualize a bit those bandwidth histories, to better understand how much bridges are used. This took a bit longer than I expected, so I'm just going to show you some preliminary results. Here is a graph! https://people.torproject.org/~asn/bridges_bureau/bridges_daily_bandwidth.p… To generate this graph, I summed up the reported bandwidth histories of each bridge descriptor to get that bridge's daily consumption. I used the number of *read* bytes, and ignored the number of written bytes. I discarded multiple descriptors of the same bridge and bridges which did not report 24 hours worth of bandwidth history. I started with about 7603 descriptors, in the end the graphs include about 4k bridges. Basically, this graph tells us that only very few bridges see big amounts of traffic. Most bridges are concentrated on the left side of the graph. If you can't see how many bridges contribute big bandwidth because their column is so small, you can use those spikes that come from the bottom of the graph. Each such spike is one bridge. The graph is in megabytes, and its left side is too crowded. Here is another graph that might be cleaner: https://people.torproject.org/~asn/bridges_bureau/bridges_daily_bandwidth_p… This graph was created the same way, but I discarded the 200 highest observations. This makes the left hand side of the graph cleaner. Here we can see that most bridges see less than 50 MBs of traffic per day, and there are even a few hundreds of them who see none or almost none. Unfortunately, this concludes my studies for today. Maybe in the future I will work on this a bit more, and also take in account the pluggable transports that these bridges use as well as how many hours in a day each bridge did not have any activity. Questions and feedback on my methodology are welcome. If people want to work on this, I'm happy to clean up and publish my Python scripts. Cheers!

1 1

Proposal 243: Give out HSDir flag only to relays with Stable flag
by George Kadianakis 24 Mar '15

24 Mar '15

Inlining the proposal written for #8243. Feedback is welcome. Thanks! ------ Filename: 243-hsdir-flag-need-stable.txt Title: Give out HSDir flag only to relays with Stable flag Author: George Kadianakis Created: 2015-03-23 Status: Open 1. Introduction The descriptors of hidden services are stored by hidden service directories. Those are chosen by directory authorities who assign the "HSDir" flag to those relays according to their uptime. It's important for new relays to not be able to get the HSDir flag too easily, because a few correctly placed HSDirs can launch a denial of service attack on a hidden service. We should make sure that a naive Sybil attacker that injects thousands of new Tor relays to the network cannot position herself like this. 2. Motivation Currently, directory authorities give out the HSDir flag to relays that volunteer to be hidden service directories by sending a "hidden-service-dir" line in their relay descriptor, which is the default relay behavior. Furthermore, the HSDir flag is only given to relays that have been up for more than MinUptimeHidServDirectoryV2 hours. MinUptimeHidServDirectoryV2 is a parameter locally set at the directory authorities and it's somewhere between 25 to 96 hours. We propose changing that last requirement, and instead giving the HSDir flag only to relays that have the Stable flag. We believe that this will result in a few benefits: - We stop using the ad-hoc uptime calculation that we are currently doing (see dirserv_thinks_router_is_hs_dir()). Instead, we use the MTBF uptime calculation that is performed for the Stable flag which is more robust. - We increase the time required to get the HSDir flag, making it harder for naive adversaries that flood the network with relays to actually get the HSDir flag. - After implementing non-deterministic HSDir picks (#8244) we also make it harder for sophisticated adversaries to DoS a hidden service, since at that point their main attack strategy is to flood the network with relays. - By increasing the stability of HSDirs, we reduce the misses during descriptor fetching that get caused by natural churn of relays on the list of HSDirs. 3. Specification We are suggesting changing the criteria that directory authorities use to vote for HSDirs to the following: - The relay has included the "hidden-service-dir\n" line in its descriptor. - The relay is eligible for having the "Stable" flag. 4. Security considerations As it currently is, a router is 'Stable' if it is active, and either its Weighted MTBF is at least the median for known active routers or its Weighted MTBF corresponds to at least 7 days. This is stricter criteria than what's required for HSDir, which means that the number of HSDirs will decrease after the suggested changes. Currently there are about 2400 HSDirs in the consensus, and about 2300 of them are Stable, which means that we will lose about 100 HSDirs. We believe that this is an acceptable temporary loss. In the short-term future, the number of HSDirs will greatly improve as more directory authorities upgrade to #14202 and more relays upgrade to #12538. 5. Future Should we give out the HSDir flag only to relays that are Fast? Is being an HSDir a demanding job bandwidth-wise? With the upcoming keyblinding scheme (#8106) and non-deterministic HSDir selection (#8244), are there any other criteria that we should use when assigning HSDir flags?

1 0

Re: [tor-dev] #15060: Decide the fate of MyFamily / prop242 better families
by teor 23 Mar '15

23 Mar '15

> Date: Mon, 23 Mar 2015 09:32:50 -0400 > From: Nick Mathewson <nickm(a)alum.mit.edu> > >> On Mon, Mar 23, 2015 at 8:56 AM, Nusenu <nusenu(a)openmailbox.org> wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Hi, >> >> I like prop242 [1] because it doesn't "Nuke MyFamily" [2] but replaces >> it with a better approach. "Better" in terms of scalability and >> maintainability. >> >> I don't know of any current 'tools' (except the tor client itself) >> that use MyFamily data but Virgil's [3] gamification website and >> compass group-by family feature [4] would depend on it. >> >> So before spending time on features that depends on an uncertain >> descriptor field, it is probably better to wait till the fate of that >> property (MyFamily) has been decided. >> >> The reason for this email is to find out when that fate will be >> decided upon? (expected answer: before tor 0.2.7.x-final is released) > > I don't know that we have a date here, or a consensus that it ought to > be done. Whether any changes happen in 0.2.7 here is going to depend > on whether we've got a solid answer one way or another on the question > of MyFamily. > > So, what do we think? I'd say that MyFamily is likely to continue to > serve a useful purpose, and that removing it entirely would be > premature given how often people come up with fun new routing and path > selection and guard selection ideas. > > On the other hand, prop242 is a fair bit of work to do, and I don't > know whether it will rise to a high enough priority over all the other > stuff we need to do. And who knows, maybe somebody will come up with > a solid argument in favor of removing MyFamily entirely? It's worth > thinking about. I can think of one good social/technical reason to keep MyFamily or similar feature(s): It provides a useful mechanism for the Tor relay community to distinguish between Sybils, technically capable enthusiastic new operators, and operators who can't/won't maintain their relays. I've seen this sort of communication a few times, but I'm not sure how frequently it happens: Someone says: "Thanks for signing up N Tor relays, please add MyFamily to each of them so we don't choose any of them in the same path." If the operator complies, they become part of the Tor network. If they decline or ignore, they are excluded from the Tor network. It would be a shame to lose such a useful technique for weeding out the bad onions, even if it relies on us finding them in the first place. teor teor2345 at gmail dot com pgp 0xABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 teor at blah dot im OTR C3C57B23 349825DE 929A1DEF C3531C25 A32287ED

1 0

onionoo: grouping families in the backend?
by Nusenu 23 Mar '15

23 Mar '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I figured it might make sense to discuss this in a separate thread. > And just in case you were wondering, if you ever have a feature > request for Onionoo, I'd be happy to discuss that. In contrast to > some of its clients, Onionoo itself is actively maintained. Actually I came to the conclusion that it would make sense to move the myfamily grouping to the backend since any other compass grouping is based on onionoo data and not on data "generated" by compass itself (grouping key). The MyFamily grouping takes also a bit CPU time. So "computing" families once per generated details document make a lot more sense than recalculating them in every compass query again. Since the MyFamily is subject to change [1] is also relevant here. [1] https://lists.torproject.org/pipermail/tor-dev/2015-March/008516.html -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJVEBuLAAoJEFv7XvVCELh05MMP/0Gy6zYQLbZtavXL1wdISLMg X/zdJM9+ZysuFkDj2hl0fP1iXfrNCCCvjCOdCYQJXzD5axrvgzPK/Jql1b2J1tO5 m+fbkLla9/KRCukJKYOjmkeoKAuadRDiZvI9LvePuGPrP53ZmlJmh4PT/Iss8Qh+ ndTBIbz1Kl04cBVS8RW08veFIKyzblkd2bJVj6AIlsvRvNybLJdEatgNAJ0YX6Vk ERuWuI65qP40ATFMAmL+IMsrdJ2WVdhpbbFLNkrZfloXt/UlNvFddMKlJ0k3YUkb ZQsFmZUPPv9+gMGx7Rkca94XmleBxMidjAbDVT0Y+SVyC0HxEOa5UsZ099cVu52F Hf2ZHt2E6vSxICoO4lxFEx82BxuaJLvG/+pQcNmUQk+SeBlcYn/W6PIyYV1bs9sh /pLjikLnMEMpNCls5XNc/wtFJtbnfljmsDhYL+R5jCHfUk5s3XmyEuDitenwZ8Qb 3u4qtnusQqLzW0R2bcnA8OV5RU5N12kBmFnki2lZ+m7VKtHCQVgJP8Rpvfg7G0/6 Js36UnNL2ijMNuDJED70PZEPop8kiuSZq6ePI3lYsPaLLRGLmNyHCgFQFRBox4BK ntAiePf2HtQ1kSLM2j5GLrQK5p59ko9xXrQkRBy60M5oVJkl+Rtf/+79W0Nf9f8Y /rcCkyU4s7XqW0UoHMYQ =ly6d -----END PGP SIGNATURE-----

2 5