- tor-dev - lists.torproject.org

Tor Proposal status updates: Feb 2015
by Nick Mathewson 08 Feb '15

08 Feb '15

This is an update to the Tor proposal status overview. I last sent one of these out almost a year ago; since 0.2.6 has entered feature freeze, I really ought to do this regularly again. Future versions of this document will be maintained in the torspec repository as "proposals/proposal-status.txt". I'll still send them to tor-dev periodically. If you're looking for something to review, think about, or comment on: Review 219 if you're a DNS geek, or you'd like Tor to work better with more DNS types. Review 220 (ed25519 identity keys) and 228 (cross-certification) if you like designing signature things, if you have good ideas about future-proofing key type migration, or if you care about making Tor servers' identity keys stronger. Review 223 (ACE handshake) if you're a cryptographer, or a cryptography implementer, and you'd like an even faster replacement for the ntor handshake. Review 224 if you want to look through a big, complex protocol with a lot of pieces. Also review it if you care about hidden services and making them better. Review 226 if you're interested in bridgedb development. Review 241 for a big chance at making Tor clients and hidden services more secure. Review something else if you want to take a possibly good idea that needs more momentum and promote it, fix it up, or finally kill it off. I note in passing that many of the proposals below seem stalled, perhaps permanently: some because we don't know how to answer their open questions, others because we're not sure if they're a good idea, others because they don't seem implementable yet. Is that the best way to characterize it? Should we have a new "stalled" proposal status or something? Should we have a "rejected-pending-revision" status that we use effectively for everything that doesn't seem likely to get revised or implemented any time soon? Other suggestions would be welcome. Finally: if you've sent something to tor-dev or to me that should have a proposal number, but doesn't have one yet, please ping me again to remind me! **NOTE**: The dates after each paragraph indicate when I last revised the paragraph. 127 Relaying dirport requests to Tor download site / website The idea here was to make it easier to fetch and learn about Tor by making it easy for relays to automatically act as proxies to the Tor website. It needs more discussion, and there are some significant details to work out. It's not at all clear whether this is actually a good idea or not. Probably, there are better choices when it comes to distributing software and updates. (11/2013) 131 Help users to verify they are using Tor [NEEDS-REVISION] This one is not a crazy idea, but I marked it as needs-revision since it doesn't seem to work so well with our current designs. It seems mostly superseded by proposal 211. (11/2013) 132 A Tor Web Service For Verifying Correct Browser Configuration This proposal was meant to give users a way to see if their browser and privoxy (yes, it was a while ago) are correctly configured by running a local webserver on 127.0.0.1. I'm not sure the status here. Generally, I'm skeptical of designs that run webservers on localhost, since they become a target for cross-site attacks. (11/2013) 133 Incorporate Unreachable ORs into the Tor Network This proposal had an idea for letting ORs that can only make outgoing connections still relay data usefully in the network. It's something we should keep in mind, and it's a pretty neat idea, but it radically changes the network topology. Anybody who wants to analyze new network topologies should definitely have a look. (5/2011) 140 Provide diffs between consensuses This proposal describes a way to transmit less directory traffic by sending only differences between consensuses, rather than the consensuses themselves. Daniel Marti implemented this for his GSoC project last summer; it is still under revision and on target for merge into 0.2.7. (See ticket #13339) (2/2015) 141 Download server descriptors on demand The idea of this proposal was for clients to only download the consensus, and later ask nodes for their own server descriptors while building the circuit through them. It would make each circuit more time-consuming to build, but make bootstrapping much cheaper. Microdescriptors obsolete a lot of this proposal, and present some difficulties in using in a way compatible with it. (6/2012) 143 Improvements of Distributed Storage for Tor Hidden Service Descriptors Here's a proposal from Karsten about making the hidden service DHT more reliable and secure to use. It could use more discussion and analysis. We should look into it as part of efforts to improve designs for the next generation of hidden services. One problem with the analysis here, though, is that it assumes a fixed set of servers that doesn't change. One reason that we upload to N servers at each chosen point in the ring is that the hidden service host and the hidden service client may have different views of which servers exist. We need to re-do the analysis with some fraction of recent consensuses. This is probably superseded by proposal 224; we should close it IMO. (2/2014) 144 Increase the diversity of circuits by detecting nodes belonging the same provider This is a version of the good idea, "Let's do routing in a way that tries to keep from routing traffic through the same provider too much!" There are complex issues here that the proposal doesn't completely address, but I think it might be a fine idea for somebody to see how much more we know now than we did in 2008, particularly in light of the relevant paper(s) by Matt Edmann and Paul Syverson. (5/2011) 145 Separate "suitable as a guard" from "suitable as a new guard" [NEEDS-RESEARCH] Currently, the Guard flag means both "You can use this node as a guard if you need to pick a new guard" and "If this node is currently your guard, you can keep using it as a guard." This proposal tries to separate these two concepts, so that clients can stop picking a router once it is full of existing clients using it as a guard, but the clients currently on it won't all drop it. It's not clear whether this has anonymity issues, and it's not clear whether the imagined performance gains are actually worthwhile. This is probably superseded by proposal 236, which has a better approach for weighting guard node selection probabilities; we should probably close this ticket. (2/2015) 156 Tracking blocked ports on the client side This proposal provides a way for clients to learn which ports they are (and aren't) able to connect to, and connect to the ones that work. It comes with a patch, too. It also lets routers track ports that _they_ can't connect to. I'm a little unconvinced that this will help a great deal: most clients that have some ports blocked will need bridges, not just restriction to a smaller set of ports. This could be good behind restrictive firewalls, though. The router-side part is a little iffy: routers that can't connect to each other violate one of our network topology assumptions, and even if we do want to track failed router->router connections, the routers need to be sure that they aren't fooled into trying to connect repeatedly to a series of nonexistent addresses in an attempt to make them believe that (say) they can't reach port 443. This one is a paradigmatic "open" proposal: it needs more discussion. The patch probably also needs to be ported to 0.2.3.x; it touches some code that has changed. This is likely also to be relevant for the ideas of proposal 241, and maybe superseded by some version of that proposal. (2/2015) 159 Exit Scanning This is an overview of SoaT, with some ideas for how to integrate it into Tor. (5/2011) 164 Reporting the status of server votes This proposal explains a way for authorities to provide a slightly more verbose document that relay operators can use to diagnose reasons that their router was or was not listed in the consensus. These documents would be like slightly more verbose versions of the authorities' votes, and would explain *why* the authority voted as it did. It wouldn't be too hard to implement, and would be a fine project for somebody who wants to get to know the directory code. (5/2011) 165 Easy migration for voting authority sets This is a design for how to change the set of authorities without having a flag day where the authority operators all reconfigure their authorities at once. It needs more discussion. One difficulty here is that we aren't talking much about changing the set of authorities, but that may be a chicken-and-egg issue, since changing the set is so onerous. If anybody is interested, it would be great to move the discussion ahead here. (5/2011) 168 Reduce default circuit window This proposal reduces the default window for circuit sendme cells. I think it's implemented (or mostly implemented) in 0.2.1.20? If so, we should make sure that tor-spec.txt is updated and close it. (11/2013) 172 GETINFO controller option for circuit information 173 GETINFO Option Expansion These would help controllers (particularly arm) provide more useful information about a running Tor process. They're accepted and some parts of 173 are even implemented: somebody just needs to implement the rest. (5/2011) 175 Automatically promoting Tor clients to nodes Here's Steven's proposal for adding a mode between "client mode" and "relay mode" for "self-test to see if you would be a good relay, and if so become one." It didn't get enough attention when it was posted to the list; more people should review it. (5/2011) 177 Abstaining from votes on individual flags Here's my proposal for letting authorities have opinions about some (flag,router) combinations without voting on whether _every_ router should have that flag. It's simple, and I think it's basically right. With more discussion and review, somebody could/should build it, I think. (11/2013) 182 Credit Bucket This proposal suggests an alternative approach to our current token-bucket based rate-limiting, that promises better performance, less buffering insanity, and a possible end to double-gating issues. (6/2012) 185 Directory caches without DirPort The old HTTP directory port feature is no longer used by clients and relays under most circumstances. The proposal explains how we can get rid of the requirement that non-bridge directories have an open directory port. (6/2012) 188 Bridge Guards and other anti-enumeration defenses This proposal suggests some ways to make it harder for a relay on the Tor network to enumerate a list of Tor bridges. Worth investigating and possibly implementing. (6/2012) 189 AUTHORIZE and AUTHORIZED cells 190 Bridge Client Authorization Based on a Shared Secret [NEEDS-REVISION] 191 Bridge Detection Resistance against MITM-capable Adversaries Proposal 187 reserved the AUTHORIZE cell type; these proposals suggests how it could work to try to make it harder to probe for Tor bridges. They need more alternatives and attention, and possibly some revision and analysis. Number 190 needs revision, since its protocol isn't actually so great. (11/2013) 192 Automatically retrieve and store information about bridges This proposal gives an enhancement to the bridge information protocol, where clients remember more things about bridges, and are able to update what they know about them over time. Could help a lot with bridge churn. (6/2012) 194 Mnemonic .onion URLs Here's one of several competing "let's make .onion URLs human-usable" proposals. This one makes sentences using a fixed map. This kind of approach is likely to obsoleted if we go ahead with current plans for hidden services that would make .onion addresses much longer, though. (11/2013) 195 TLS certificate normalization for Tor 0.2.4.x Here's the followup to proposal 179, containing all the parts of proposal 179 that didn't get built, and a couple of other tricks besides to try to make Tor's default protocol less detectable. I'm pretty psyched about the part where we let relays drop in any any self-signed or CA-issued certificate that they like. Some of this is done in ticket #7145; we should decide, however, how much we want to push towards normalizing the main Tor protocol. Some of the NSA documents published in Der Spiegel this past December imply that this kind of fingerprinting can be helpful for snoops; we should take another look at it. (2/2015) 196 Extended ORPort and TransportControlPort Here are some remaining pieces of the pluggable transport protocol that give Tor finer control over the behavior of its transports. Much of this is implemented in 0.2.5 now; we should figure out what's left, and whether we want to build that. (11/2013) 197 Message-based Inter-Controller IPC Channel This proposal is for an architectural enhancement in Tor deployments, where Tor coordinates communications between the various programs (Vidalia, TorBrowser, etc) that are using it. (6/2012) 199 Integration of BridgeFinder and BridgeFinderHelper Here's a proposal for how Tor can integrate with a client program that finds bridges for it. I've seen some work being done on things called "BridgeFinder"; I don't know what the status of the current proposal is, though. (11/2013) 201 Make bridges report statistics on daily v3 network status requests Here's a proposal for bridges to better estimate the number of bridge users. (6/2012) 202 Two improved relay encryption protocols for Tor cells Here's a sketch of the two broad classes of alternatives for improving how relay encryption works. Right now, progress on this proposal is stalled waiting for the ideal wide-block construction to come along the line. (11/2013) 203 Avoiding censorship by impersonating an HTTPS server This one is a design for making a bridge that acts like an HTTPS server (by *being* an HTTPS server) until the user proves they know it's a bridge. (11/2013) 209 Tuning the Parameters for the Path Bias Defense In this proposal, Mike discusses alternative parameters for getting better result out of the path-bias-attack detection code. (11/2013) 210 Faster Headless Consensus Bootstrapping This proposal suggests that we get our initial consensus by launching multiple connections in parallel, and fetching the consensus from whichever one completes. In my opinion, that would be a fine idea when we're fetching our initial consensus from non-Authority DirSources, but we shouldnt' do anything to increase the load on authorities. (11/2013) 211 Internal Mapaddress for Tor Configuration Testing Here, the idea is to serve an XML document over HTTP that would let the know when it's using Tor. The XML document would be returned when you make a request over Tor for a magic address in 127.0.0.0/8. I think we need to do _something_to solve this problem, but I'm not thrilled with the idea of having any more magical addresses like this; we got rid of .noconnect for a reason, after all. (11/2013) 212 Increase Acceptable Consensus Age This proposal suggests that we increase the maximum age of a consensus that clients are willing to use when they can't find a new one, in order to make the network robust for longer against a failure to reach consensus. In my opinion, we should do that. If I recall correctly, there was some tor-dev discussion on this one that should get incorporated into a final, implementable version. (11/2013) 219 Support for full DNS and DNSSEC resolution in Tor Here's a design to allow Tor to support a full range of DNS request types. It probably isn't adequate on its to make DNSSEC work realistically, since naive DNSSEC requires many round trips that wouldn't be practical over Tor. It has a ton of inline discussion that needs to get resolved before this is buildable. One thing to consider here is whether we can get the server-side done with reasonable confidence, and figure out the client side once more servers have upgraded. (12/2013) 220 Migrate server identity keys to Ed25519 v This one is a design to migrate server identity keys to Ed25519 for improved security margin. It needs more analysis of long-term migration to other signing key types -- what do we do if we want to add support for EdDSA over Curve3617 or something? Can we make it easier than this? And it also needs analysis to make sure it enables us to eventually drop RSA1024 keys entirely. I've started building this in #12498, though, so we'd better figure out out fairly soon. Other proposals, like 224, depend on this one. (2/2015) 223 Ace: Improved circuit-creation key exchange Here's an interesting one. It proposes a replacement for the ntor handshake, using the multi-exponentiation optimization, to run a bit faster at an equivalent security level. Assuming that more cryptographers like the security proof, and that the ntor handshake winds up being critical-path in profiles as more clients upgrade to 0.2.4 or 0.2.5, this is something we should consider. (12/2013) 224 Next-Generation Hidden Services in Tor This proposal outlines a more or less completely revised version of the Tor hidden services protocol, improved to accomodate better cryptography, better scalability, and defenses for several attacks we'd never considered when we did the original design. Some parts of this one are clearly right; some (like scalability) are entirely unwritten. This proposal needs a lot of attention and improvements to get it done right. I hope to implement this over the course of 2015-2016. (2/2015) 225 Strawman proposal: commit-and-reveal shared rng Proposal 224's solutions for bug #8244 require that authorities regularly agree upon a shared random value which none of them could have influenced or predicted in advance. This proposal outlines a simple one that isn't perfect (it's vulnerable to DOS and to limited influence by one or more collaborating hostile authorities), but it's quite simple, and it's meant to start discussion. I hope that we never build this, but instead replace it with something better. Some alternatives have already been discussed on tor-dev; more work is needed, though. (12/2013) 226 Scalability and Stability Improvements to BridgeDB: Switching to a Distributed Database System and RDBMS This one outlines design and behavior changes for a seriously refactored bridgedb. (2/2014) 228 Cross-certifying identity keys with onion keys This proposal signs each server's identity key with its onion keys, to prove onion key ownership in the router descriptor. It's not clear that this actually improves security, but it fixes an annoying gap in our key authentication. I have it coded up in my #12498 branch, targetting 0.2.7. (2/2015) 229 Further SOCKS5 extensions Here's a nice idea for how we can support a new SOCKS5 protocol extension to relay information between clients and Tor, and between Tor and pluggable transports, more effectively. It also adds some additional SOCKS5 error codes. There are some open questions to answer. "Trunnel" has an implementation of the protocol extension formats in its examples directory. (2/2015) 230 How to change RSA1024 relay identity keys [DRAFT] 231 Migrating authority RSA1024 identity keys [DRAFT] Who remembers the OpenSSL "Heartbleed" vulnerability? These proposals I wrote try to explain safer mechanisms for a bunch of servers to migrate their RSA1024 identity keys at once. I'm not sure we'll be able to build thee, though: implementating proposal 220 above seems cleverer to me. (2/2015) 232 Pluggable Transport through SOCKS proxy [OPEN] Arturo Filastò wrote this proposal for chaining pluggable transports which themselves need to go through proxies. Seems potentially useful! (2/2015) 233 Making Tor2Web mode faster [OPEN] This one by Virgil, Fabio, and Giovanni describes a couple of ways that Tor2Web builds of Tor can save some circuit hops that they use today. Potentially useful for Tor2Web; any implementation needs to be sure that it never changes the behavior of non-tor2web clients. (2/2015) 234 Adding remittance field to directory specification [OPEN] Virgil, Leif, and Rob added this proposal for relays to specify payment addresses for schemes that want to compensate relay operators for their use of bandwidth. (2/2015) 235 Stop assigning (and eventually supporting) the Named flag [DRAFT] This proposal is about removing the Named flag. (Thanks to Sebastian Hahn for writing it!) The rationale is that the naming system for relays never worked particularly well, and it had strange and hard-to-explain security properties. We've implemented the key part of this already: directory authorities don't assign the Named flag any longer. Next up will be removing client support for parsing and understanding it. (2/2015) 236 The move to a single guard node [OPEN] This proposal suggests that to limit client fingerprinting, and to limit opportunities for attacks, clients should use a single guard node, rotated infrequently. This transition is in progress; we use a single guard node for circuit traffic now, but in order to make guards more long-lived, we need to adjust how they are chosen. George has a patch for that as #9321, targetting inclusion into 0.2.6. (Thanks to George Kadianakis and Nicholas Hopper for writing this one.) (2/2015) 237 All relays are directory servers [OPEN] Matthew Finkel wrote this proposal to describe a transition to a world where Tor relays can be directory servers without having an open DirPort -- and eventually, where every relay can be a DirServer. He has an implementation, possibly for 0.2.6 or 0.2.7, in ticket #12538. (2/2015) 238 Better hidden service stats from Tor relays [DRAFT] Here's an important one that needs many eyes. George Kadianakis, David Goulet, Karsten Loesing, and Aaron Johnson wrote this to describe a mechanism for the tor network to securely produce aggregate hidden service usage statistics without exposing sensitive intermediate results. This has an implementation in 0.2.6 and should probably be marked closed. (2/2015) 239 Consensus Hash Chaining [DRAFT] Here's the start of a good idea that Andrea Shepard wrote up (with some help from Nick). The idea is to make it hard even for a set of corrupt authorities (or authority-key-thieves) to make a personalized false consensus for a target user, by authenticating the whole sequence as a hash chain. Others on tor-dev suggested improvements and had good questions (thanks, Leif and Sebastian G!) (2/2015) 240 Early signing key revocation for directory authorities [DRAFT] This one is another Andrea+Nick collaboration about certificate revocation for our most sensitive keys. If an authority key needs to be replaced, it would be great to take the old one out of circulation as fast as possible. Peter Palfrader on tor-dev had some ideas for making this better. (2/2015) 241 Resisting guard-turnover attacks [DRAFT] I wrote this one with good ideas from Aaron Johnson and Rob Jansen. It describes a way to respond to an important class of attacks where an adversary kills off a targeted user's guards until the user has chosen a guard the attacker controls. (See the "Sniper Attack") paper. The defense is tricky, and if not done right, might lead clients to kick themselves off the network out of paranoia. So, this proposal could use more analysis. (2/2015) Since last time: Proposal 140 and 227 have been implemented and closed. Proposal 215 was implemented and closed Proposals 230 through 241 are new.

2 1

How to set up meek on a cooperating web server
by David Fifield 08 Feb '15

08 Feb '15

Roger asked me what it would take to run a meek bridge on an existing hard-to-block HTTPS web site that wants to help, Wikipedia for example. The difference with our existing deployments on CDNs is that we don't expect any special cooperation by the CDN, whereas an interested site could make minor changes to make running a bridge easier. It's actually not hard to do. For example, this is the meek-server port on the Tor bridge behind meek-azure: https://meek.bamsoftware.com/ That URL is actually totally usable directly in a bridge line: Bridge meek 0.0.2.0:3 url=https://meek.bamsoftware.com/ The reason we don't just distribute the above bridge line, (and why we involve a CDN at all), is because meek.bamsoftware.com is trivial to block by domain or IP--it is used for nothing but circumvention, so the collateral damage of blocking it is zero. That's why we have to do domain fronting and put a domain with some unblockability in front of it. With an important web site, the unblockability comes for free, so you don't need domain fronting. Wikipedia could set up their own Tor bridge running meek-server, then set up a special URL path to reverse-proxy to the bridge. A bridge line might look like this: Bridge meek 0.0.2.0:4 url=https://en.wikipedia.org/magic-meek-path/ They would configure their web server to forward every request for the path /magic-meek-path to their Tor bridge running meek-server, and that's it. You could do the same thing with a vhost rather than special path. The domain name doesn't even have to exist--its only purpose is to tag the requests that should get forwarded to meek-server. The bridge line would be like this: Bridge meek 0.0.2.0:4 url=https://magic.meek.bogus/ front=en.wikipedia.org They would set up the vhost magic.meek.bogus to forward to a meek-server as before. Here we are technically using domain fronting, but not to gain unblockability, merely to tag meek requests. (The requests arrive at the server for en.wikipedia.org, but they have a Host header of magic.meek.bogus.) This is how to run meek-server: https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtorunameek-server… And this is an example of doing vhost forwarding on Nginx: https://gitweb.torproject.org/pluggable-transports/meek.git/tree/nginx/READ… https://gitweb.torproject.org/pluggable-transports/meek.git/tree/nginx/ngin… An even lighter-weight alternative that doesn't require running meek-server is to host one of the "reflector" apps. For example, they can host this file: https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php/index.… at a path like /meek/index.php. Then the bridge line will be Bridge meek 0.0.2.0:4 url=https://en.wikipedia.org/meek/index.php All the PHP file does is forward to a meek-server running elsewhere. This way is less efficient than running your own meek-server, but it's the first thing I would try for testing. We have reflector apps for PHP and Python WSGI: https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php https://gitweb.torproject.org/pluggable-transports/meek.git/tree/wsgi In summary, it's not hard to do. A quick test with index.php is less than a day of work. Setting up meek-server on your own bridge is more involved, but not more than other pluggable transports. David Fifield

1 0

Summary of meek's costs, January 2015
by David Fifield 07 Feb '15

07 Feb '15

Here's the summary of meek's CDN fees for January 2015. Earlier reports: https://lists.torproject.org/pipermail/tor-dev/2014-August/007429.html https://lists.torproject.org/pipermail/tor-dev/2014-October/007576.html https://lists.torproject.org/pipermail/tor-dev/2014-November/007716.html https://lists.torproject.org/pipermail/tor-dev/2014-December/007916.html https://lists.torproject.org/pipermail/tor-dev/2015-January/008082.html App Engine + Amazon + Azure = total by month February 2014 $0.09 + -- + -- = $0.09 March 2014 $0.00 + -- + -- = $0.00 April 2014 $0.73 + -- + -- = $0.73 May 2014 $0.69 + -- + -- = $0.69 June 2014 $0.65 + -- + -- = $0.65 July 2014 $0.56 + $0.00 + -- = $0.56 August 2014 $1.56 + $3.10 + -- = $4.66 September 2014 $4.02 + $4.59 + $0.00 = $8.61 October 2014 $40.85 + $130.29 + $0.00 = $171.14 November 2014 $224.67 + $362.60 + $0.00 = $587.27 December 2014 $326.81 + $417.31 + $0.00 = $744.12 January 2015 $464.37 + $669.02 + $0.00 = $1133.39 -- total by CDN $1065.00 + $1586.91 + $0.00 = $2651.91 grand total Usage jumped up again in January after a relatively flat December. https://metrics.torproject.org/userstats-bridge-transport.html?graph=userst… (BTW thanks Karsten for getting the graph ready.) meek has so far been a smashing success. It's the #2 pluggable transport behind obfs3 and it moved over 5 TB of traffic last month. But the costs are starting to get serious. We need to find a good source of funding (e.g., donations), or else start degrading service in order to limit costs. If you are interested in helping with costs, or you know another good means of support, please get in touch with me (PGP AD1A B35C 674D F572 FBCE 8B0A 6BC7 58CB C11F 6276). == App Engine a.k.a. meek-google == Of the total of $464.37, $464.36 was covered by credits. But now we're really out of credits. If you know someone who can get Google credits, or wants to help cover the bill, please put them in touch with me. Here is how the costs broke down: 2944 GB $353.31 2221 instance hours $111.06 https://globe.torproject.org/#/bridge/88F745840F47CE0C6A4FE61D827950B06F9E4… == Amazon a.k.a. meek-amazon == Asia Pacific (Singapore) 147M requests $177.01 1122 GB $153.25 Asia Pacific (Sydney) 220K requests $0.27 1 GB $0.20 Asia Pacific (Tokyo) 57M requests $68.07 378 GB $48.26 EU (Ireland) 92M requests $110.70 726 GB $56.80 South America (Sao Paulo) 2M requests $4.78 10 GB $2.37 US East (Northern Virginia) 31M requests $31.12 212 GB $16.17 -- total 329M requests $391.95 2449 GB $277.05* https://globe.torproject.org/#/bridge/3FD131B74D9A96190B1EE5D31E91757FADA1A… * The total is $0.02 less than the sum of the subtotals, probably because of rounding. == Azure a.k.a. meek-azure == I haven't been able to get estimated costs out of Azure. However I recently got an email that says, "...we are pleased to offer Microsoft Azure sponsored accounts as part of our Azure for Research (A4R) grants. The new model provides the ability to directly monitor Azure usage, and more options and flexibility for using Azure features and services." I'll try turning that on and see if it makes a difference. https://globe.torproject.org/#/bridge/AA033EEB61601B2B7312D89B62AAA23DC3ED8… David Fifield

1 0

[PATCH] Fix comparison is always true due to limited range of data type
by Christian Kujau 07 Feb '15

07 Feb '15

Hi, I was unable to compile Tor for powerpc32 for a while but I was unable to bisect it because of other compilation errors (and "git bisect skip" did not help): ----------------------------------------------- CC src/or/scheduler.o In file included from src/or/or.h:91:0, from src/or/scheduler.c:9: src/or/scheduler.c: In function 'scheduler_adjust_queue_size': src/or/scheduler.c:623:18: error: comparison is always true due to limited range of data type [-Werror=type-limits] (dir >= 0) ? "+" : "-", ^ src/or/../common/torlog.h:190:55: note: in definition of macro 'log_debug' log_fn_(LOG_DEBUG, domain, __PRETTY_FUNCTION__, args); \ ^ src/or/scheduler.c:631:11: error: comparison is always true due to limited range of data type [-Werror=type-limits] if (dir >= 0) { ^ cc1: all warnings being treated as errors ----------------------------------------------- The last good version to compile for me was 4ae729683 ("Try to fix test_checkdir windows compilation more"). Below is my attempt to fix this issue by declaring "dir" as "signed char". It compiles now (4.6.3 and 4.9.1) for powerpc32 and Tor seems to work - but please have a look if this is the Right Thing To Do. Thanks, Christian. Declare "char dir" as signed, otherwise compilation on powerpc32 would fail with: ------------------------------------- CC src/or/scheduler.o In file included from src/or/or.h:91:0, from src/or/scheduler.c:9: src/or/scheduler.c: In function 'scheduler_adjust_queue_size': src/or/scheduler.c:623:18: error: comparison is always true due to limited range of data type [-Werror=type-limits] (dir >= 0) ? "+" : "-", ^ src/or/../common/torlog.h:190:55: note: in definition of macro 'log_debug' log_fn_(LOG_DEBUG, domain, __PRETTY_FUNCTION__, args); \ ^ src/or/scheduler.c:631:11: error: comparison is always true due to limited range of data type [-Werror=type-limits] if (dir >= 0) { ^ cc1: all warnings being treated as errors ------------------------------------- Signed-off-by: Christian Kujau <lists(a)nerdbynature.de> scheduler.c | 2 +- scheduler.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/or/scheduler.c b/src/or/scheduler.c index f3fbc4a..78db274 100644 --- a/src/or/scheduler.c +++ b/src/or/scheduler.c @@ -613,7 +613,7 @@ scheduler_touch_channel(channel_t *chan) */ void -scheduler_adjust_queue_size(channel_t *chan, char dir, uint64_t adj) +scheduler_adjust_queue_size(channel_t *chan, signed char dir, uint64_t adj) { time_t now = approx_time(); diff --git a/src/or/scheduler.h b/src/or/scheduler.h index 70f6a39..111e23a 100644 --- a/src/or/scheduler.h +++ b/src/or/scheduler.h @@ -29,7 +29,7 @@ void scheduler_channel_wants_writes(channel_t *chan); MOCK_DECL(void,scheduler_release_channel,(channel_t *chan)); /* Notify scheduler of queue size adjustments */ -void scheduler_adjust_queue_size(channel_t *chan, char dir, uint64_t adj); +void scheduler_adjust_queue_size(channel_t *chan, signed char dir, uint64_t adj); /* Notify scheduler that a channel's queue position may have changed */ void scheduler_touch_channel(channel_t *chan); -- BOFH excuse #103: operators on strike due to broken coffee machine

2 1

Bridge users by transport is broken
by Kevin P Dyer 06 Feb '15

06 Feb '15

The "Bridge users by transport" [1] graph on metrics.torproject.org abruptly stops at Dec. 12 for all transports. Has anyone had an opportunity to troubleshoot this issue? -Kevin [1] https://metrics.torproject.org/userstats-bridge-transport.html?graph=userst…

4 8

Doxbin files
by doxbin＠cmail.nu 06 Feb '15

06 Feb '15

Hi, can anyone please reupload the Doxbin files ( https://archive.today/hsIOj from the https://lists.torproject.org/pipermail/tor-dev/2014-November/007731.html post). I want to review it for vulns on my spare time. Thanks in advance! --

1 0

Re: [tor-dev] Understanding the HS subsystem
by George Kadianakis 04 Feb '15

04 Feb '15

[Declassifying this discussion and posting on [tor-dev]] David Goulet <dgoulet(a)ev0ke.net> writes: > Hello HS elves! > > I wrote a document to organize my thought and also list what we have in > the bug tracker right now about HS behaviours that we want to > understand/measure/assess/track. > > It's a bit long but you can pass the first section describing the > tickets and go right into the How and The Work to be done. > > Nick, you will see there is a SponsorS component but I didn't go into > hard details there. We all know we need a testing network but for now > I'm more focuses on making sure we can collect the right data (for HS). > > Very important part I would like feedback on is the "HS health service" > for which I would like that we all agree of it's usefulness and way to > do it properly. > > Cheers! > David > > This document describes the methodology and technical details of an hidden > service measurement framework/tool/<insert what this is>. > > NOTE: This is NOT intended to be run in the real Tor network. ONLY testing. > > Why and What > ----- > > The goal is to answer some questions we have regarding HS behaviours. Most > of them have a ticket assigned to them but needs an experiment or/and added > feature(s) so we can measure what we need. > > - Is rend_cache_clean_v2_descs_as_dir cutoff crazy high? > https://trac.torproject.org/projects/tor/ticket/13207 > > In order to address this, it seems we need a way to measure all the > interactions with the cache of an HSDir and a client. We need to assess > the rend cache cleanup timing values which will also helps with the upload > and refetch timings. > > - What's the average number of hsdir fetches before we get the hsdesc? > https://trac.torproject.org/projects/tor/ticket/13208 > > Using the control port for that is trivial but this needs a testing > network to be setup and has actual load on it. > > It could also be setup as a feature of an "HS health measurement tool" > with a client fetching over and over the same .onion address randomly over > time. > > - Write a hidden service hsdir health measurer > https://trac.torproject.org/projects/tor/ticket/13209 > > This is a useful one, being able to correlate relay churn and HS desc. > fetch. This one needs more brainstorming on how we could setup some sort > of client or service that report/logs the results on crunching the > consensus for HSDir for a specific .onion address that we know and > control. > > - Refactor rend_client_refetch_v2_renddesc() > https://trac.torproject.org/projects/tor/ticket/13223 > > Insure correctness of this very important function that do fetches for the > client. It's in there that the HSDir (with replicas) are looped on so the > descriptor can be fetched. > > - Maybe we want three preemptive internal circs for hidden services? > https://trac.torproject.org/projects/tor/ticket/13239 > > That's pretty trivial to measure and quantify with the tracing > instrumentation added in Tor. No need for a new feature but an experiment > has to be designed to measure 2 internal circuits versus 3. > > - rend_consider_services_upload() sets initial next_upload_time which is > clobbered when first intro point established? > https://trac.torproject.org/projects/tor/ticket/13483 > > Do the RendPostPeriod option is working correctly. What's the exact > relation in time of service->desc_is_dirty and upload time of a new > descriptor. > > - Do we have edge cases with rend_consider_descriptor_republication()? Can > we refactor it to be cleaner? > https://trac.torproject.org/projects/tor/ticket/13484 > > This is a core function that is called every second so we should make sure > it behaving as expected and not trying to do uneeded upload. > Hello, nice list of tickets. Here are some more ideas if you are looking for more brainstorming action. There is #3733 which is about a behavior that affects performance and could benefit from a testing network. And there is #8950 which is about the number of IPs per hidden service. It's very unclear whether this functionality works as intended or whether it's a good privacy idea. And there is also #13222 but it's probably easier to hack the solution here, than to measure its severity. > > How > ----- > > Here are some steps I think are needed to be able to measure and answer the > Why section. > 2> 1) Dump the uploaded/fetched HS in a human readable way. > * Allows us to track descriptor over time while testing and analyse them > afterwards by correlating events with a readable desc. This kind of > feature will also be useful for people crawling HS on SponsorR. > * Should be a control event like for instance (ONLY client side): > > setconf HSDESC_DUMP /tmp/my/dir > > 2) On how many HSDir (including replicas) have been probed for one > single .onion request. (Which should be repeated a lot for significant > results.) > * Why have we probed 1 or 5? > * What made us retry? Failure code? > * Did the descriptor was actually alive on the HSDir? If not, when did > it move? (Correlate timings between HSdir and client in a testing network) > > 3) HS desc cache tracker. We want to know, very precisely, how things are > moving in the cache especially on the HSDir cache side. > * When and why an HS desc is removed? > * Why it hasn't been stored in the cache? > * Count and when a descriptor is requested. > > 4) Track the HS descriptor upload. Log at what time it was done. Use this > to correlate with RendPostPeriod or when desc_is_dirty is set. Also should > be correlate with the actual state of the HSDir. Did it already have it? > Is the HSDir gone? > > > What to be done > ---------------- > > * Collect data > > "Collect it all" --> https://i.imgur.com/tVXAcGGl.jpg > > It's clear that we have to collect more data from the HS subsystem. Most of > it can be collected through the control port but some are missing. > Measuring precise timing of HS actions (for instance let say descriptor > store) is not possible with the control port right now and also might not be > that relevant since the job of this feature is to report high level events > and push command to the tor daemon. > > Tracing should be used here with a set of events added to the HS subsystem > to collect the information we need so it can be analyzed after the > experiment is run. This is only for performance measurement, the rest should > as much as possible use the control port. > > * Testing network (much SponsorS) > > Once we are able to extract all the data we need, time to design experiment > that allows us to run scenarios and collect/analyze what we want. A scenario > could be this example with a set of questions we want to answer going with > it: > > * 50 clients randomly accessing an HS in a busy tor network. > - What is the failure rate of desc. fetch, RP establishment, ...? > - What are the timings of each component of the HS subsystem? > - What are the outliers of the whole process of establishing a connection > to the HS? > - How much relay churn affected HS reachability. > > And dump a human readable report/graphs whatever is useful for us to > investiguate or assess the HS functionnalities. > > * HS health service > > ref: https://trac.torproject.org/projects/tor/ticket/13209 > > What about a web page that prints the result of: > > 1) Fetch last 3 concensuses (thus 3 hours) > 2) Find the union of all HSDir responsible for a.onion (we control that > HS service and should be up at all time else the results are meaningless.) > 3) Fetch the descriptor on each of them > 4) Graph/log how many of them had it thus giving us a probability of > reaching the HS within a time period. > > So 3) is the tricky one. There are multiple ways of achieving that possibly: > > i) New SOCKS command to tor that a client could use. > - Command would have an onion address with it and the reply should be 0 > or 1 (successful attempt or not) with the HSDir fingerprint with it. > > ii) Control event. > > setconf HSDESC_FETCH_ALL <this_is_a.onion> > [...] > Prints out the results as they come in with the HSDir information. > > iii) A weird way of doing this with an option "tor --fetch-on-all-hs-dir > this_address.onion", print out the results and quit. > > I much prefer i) and ii) here. Not sure which one is best though. Hm, I think I like (ii) here. It doesn't seem to be much more work than (i) and a few researchers have been asking for such functionality for years.

1 0

ANN: txtorcon 0.12.0
by meejah 03 Feb '15

03 Feb '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm pleased to announce txtorcon 0.12.0. Full list of improvements: * doc, code and import cleanups from Kali Kaneko * HiddenServiceDirGroupReadable support * Issue #80: honour "ControlPort 0" in incoming TorConfig instance. The caller owns both pieces: you have to figure out when it's bootstraped, and are responsible for killing it off. * Issue #88: clarify documentation and fix appending to some config lists * If GeoIP data isn't loaded in Tor, it sends protocol errors; if txtorcon also hasn't got GeoIP data, the queries for country-code fail; this error is now ignored. * 100% unit-test coverage! * PyPy support (as in: all tests pass) * TCP4HiddenServiceEndpoint now waits for descriptor upload before the listen() call does its callback (this means when using "onion:" endpoint strings, or any of the endpoints APIs your hidden service is 100% ready for action when you receive the callback) * "TorControlProtocol now has an ".all_routers" member, which is a set() of all Routers * TimeIntervalCommaList from Tor config supported * documentation fix from "sammyshj" You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.12.0 https://github.com/meejah/txtorcon/releases/tag/v0.12.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.12.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.12.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 206b1bd8a840119c12d9b85d638ab9defec5b376436fa36be9139ab1ebc8cd78 txtorcon-0.12.0.tar.gz 4e4f6aa2ec677f6c27bff41d17888d31a979f6b831a20501101b39ca93ede9da txtorcon-0.12.0-py2-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU0TWHAAoJEMJgKAMSgGmnDEoH/AriLbAyImmcfmRy5C2YcVth eJyXRhHTXc6WBh0tBgryt88o5n55XAwiqNoAwslLvS4RS6w9NEzA9zusimuVYEZs CV10NeC5PiXHJ6qDlcJ+FPsHhWk4zt49wGtaqyfGK/8aZm9enQwiMH6j9Iwx6il0 rLFwm7RoukPTW8dn3oR67QFYwdpHD7cCQW8e6uajpQuBCeNr2nljRpVLFM/6hueh shIAAmPGfBQ2vR16QOQDyJMCLk7oKj0xtzok8O4fWBof1+h3JvMQqphEYlgtE5Lh 9W0XgG/ugrrhjIIoKc29+4Io5vaqKjHcGfqEyJyEimppgGB/6YTX2fJNw2R3Op4= =vaqH -----END PGP SIGNATURE-----

1 0

[Proposal 241] Resisting guard-turnover attacks [DRAFT]
by Nick Mathewson 03 Feb '15

03 Feb '15

Filename: 241-suspicious-guard-turnover.txt Title: Resisting guard-turnover attacks Author: Aaron Johnson, Nick Mathewson Created: 2015-01-27 Status: Draft 1. Introduction Tor uses entry guards to prevent an attacker who controls some fraction of the network from observing a fraction of every user's traffic. If users chose their entries and exits uniformly at random from the list of servers every time they build a circuit, then an adversary who had (k/N) of the network would deanonymize F=(k/N)^2 of all circuits... and after a given user had built C circuits, the attacker would see them at least once with probability 1-(1-F)^C. With large C, the attacker would get a sample of every user's traffic with probability 1. To prevent this from happening, Tor clients choose a small number of guard nodes (currently 1: see proposal 236). These guard nodes are the only nodes that the client will connect to directly. If they are not compromised, the user's paths are not compromised. But attacks remain. Consider an attacker who can run a firewall between a target user and the Tor network, and make many of the guards they don't control appear to be unreachable. Or consider an attacker who can identify a user's guards, and mount denial-of-service attacks on them until the user picks a guard that the attacker controls. In the presence of these attacks, we can't continue to connect to the Tor network unconditionally. Doing so would eventually result in the user chosing a hostile node as their guard, and losing anonymity. 2. Proposed behavior Keep a record of all the guards we've tried to connect to, connected to, or extended circuits through in the last PERIOD days. (We have connected to a guard if we authenticate its identity. We have extended a circuit through a guard if we built a multi-hop circuit with it.) If the number of guards we have *tried* to connect to in the last PERIOD days is greater than CANDIDATE_THRESHOLD, do not attempt to connect to any other guards; only attempt the ones we have previously *tried* to connect to. If the number of guards we *have* connected to in the last PERIOD days is greater than CONNECTED_THRESHOLD, do not attempt to connect to any other guards; only attempt ones we have already *successfully* connected to. If we fail to connect to NET_THRESHOLD guards in a row, conclude that the network is likely down. Stop/notify the user; retry later; add no new guards for consideration. [[ optional If we notice that USE_THRESHOLD guards that we *used for circuits* in the last FAST_REACT_PERIOD days are not working, but some other guards are, assume that an attack is in progress, and stop/notify the user. ]] 2.1. Suggested parameter thresholds. PERIOD -- 60 days FAST_REACT_PERIOD -- 10 days CONNECTED_THRESHOLD -- 8 CANDIDATE_THRESHOLD -- 20 NET_THRESHOLD -- 10 (< CANDIDATE_THRESHOLD) [[ optional USE_THRESHOLD -- 3 (< CONNECTED_THRESHOLD) ]] (Each of the above should have a corresponding consensus parameter.) 2.2. What do we mean by "Stop/warn"? By default, we should probably give warnings in most of the above cases for the first version that deploys them. We can have an on/off/auto setting for whether we will build circuits at all if we're in a "stopped" mode. Default should be auto, meaning off for now. The warning needs to be carefully chosen, and suggest a workaround better than "get a better network" or "clear your state file". 2.3. What's with making USE_THRESHOLD optional? Aaron thinks that getting rid of it might help in the fascistfirewall case. I'm a little unclear whether that makes any of the attacks easier. 3. State storage requirements Right now, we save for each guard that we have made contact with: ID Added is dircache? down-since last-attempted bad-since chosen-on-date, chosen-by-version path bias info (circ_attempts, successes, close_success) To implement the above proposal, we'll need to add, for each guard *or guard candidate*: when did we first decide to try connecting to it? when did we last do one of: decide to try connecting to it? connect to it? build a multihop circuit through it? which one was it? Probably round these to the nearest day or so. 4. Future work We need to make this play nicely with mobility. When a user has three guards on port 9001 and they move to a firewall that only allows 80/443, we'd prefer that they not simply grind to a halt. If nodes are configured to stop when too many of their guards have gone away, this will confuse them. If people need to turn FascistFirewall on and off, great. But if they just clear their state file as a workaround, that's not so good. If we could tie guard choice to location, that would help a great deal, but we'd need to answer the question, "Where am I on the network", which is not so easy to do passively if you're behind a NAT. Appendix A. Scenario analysis A.1. Example attacks * Filter Alice's connection so they can only talk to your guards. * Whenever Alice is using a guard you don't control, DOS it. A.2. Example non-attacks * Alice's guard goes down. * Alice is on a laptop that is sometimes behind a firewall that blocks a guard, and sometimes is not. * Alice is on a laptop that's behind a firewall that blocks a lot of the tor network, (like, everything not on 80/443). * Alice has a network connection that sometimes turns off and turns on again. * Alice reboots her computer periodically, and tor starts a little while before the network is live. Appendix B. Acknowledgements Thanks to Rob Jansen and David Goulet for comments on earlier versions of this draft.

3 2

[RESEARCH] Student of University of Verona, Thesis about TOR
by Diego Sempreboni 02 Feb '15

02 Feb '15

Hi, I am a student of Engineering of the University of Verona. For my master's thesis, I decided to analyze TOR network, analyzing various attack scenarios. By consulting several documents have not been able to obtain a pattern of messages exchanged during the handshake protocol nor other details about the packets exchanged later. It would be possible to have some information about this? I write hoping someone can help me. Thank you.

3 2