- tor-dev - lists.torproject.org

automatically detect many new identical/similar bridges
by nusenu 16 Dec '16

16 Dec '16

Hi, in the context of [1] I'm wondering if it makes sense to add bridge support to ornetradar. If there is any value to automatically detect multiple new bridges: - Do bridges publish ContactInfo in their descriptor? If not: Why not? (it shouldn't disclose their bridge location) another raw idea: - would the bridge auth be willing to publish a randomly generated AS identifier (regenerated daily) that allows new bridges added on the same day to be grouped by that identifier without directly disclosing the AS itself. Note: This introduces a confirmation opportunity, where attackers can learn the AS in which a new bridge is added if they added a bridge in the same AS on the same day. To reduce this problem it could be a hourly generated identifier. regards, nusenu [1] https://lists.torproject.org/pipermail/tor-project/2016-December/000851.html

5 8

Release: sandboxed-tor-browser 0.0.2
by Yawning Angel 14 Dec '16

14 Dec '16

Hello, I tagged sandboxed-tor-browser 0.0.2 (0.0.1 is also tagged, but it has a few issues), so this is the obligatory release announcement. Official binaries should be available sometime next week, so I strongly suggest that people wait till then, unless they feel confident in installing the build time dependencies, and building the binary. This is the non-developer alpha version of the sandboxing approach outlined in: https://lists.torproject.org/pipermail/tor-dev/2016-September/011444.html A lot has changed since then, the primary changes are numerous improvements to the sandbox, the addition of graphical UI, and the removal of the "you need a tor daemon as a system service" requirement. It is still very much an alpha (up from a proof of concept tech demo), so there will be rough edges and bugs, some potentially major. Features: * A Gtk+3 based UI for downloading/installing/updating Tor Browser, configuring tor, and launching the sandboxed browser. Think `tor-browser-launcher`, that happens to run Tor Browser in a bunch of containers. * Linux seccomp-bpf + namespace based containers for Tor Browser, that attempts to prevent/mitigate exploits and reduce the amount of personally identifiable information to a minimum, centered around bubblewrap (runtime dependency). Known system incompatibilities: * 64 bit kernel, 32 bit userland is not supported. * X32 (x86_64 with 32 bit pointers) is not supported. If you have to ask what this is, and how it's different from normal 32 bit x86, you don't have it. * Systems that do not store the dynamic linker/loader cache in `/etc/ld.so.cache` in glibc 2.2 format are not supported. * Ubuntu does not have a sufficiently recent bubblewrap package available for any current release, up to and including `yakkety` (16.10). The package that is available in `universe` SHOULD NOT be installed, and WILL NOT work. Errata: * On systems where gstreamer libraries are pulled in as part of the base firefox runtime dependencies, the libraries can find their way into the sandbox without the need for explicit user intervention, if "Extra Audio/Video Codecs" is enabled in the sandbox configuration. As far as I am aware, and on the systems I have tested, none of the modern distributions have system libraries built this way. If the sandbox manages to launch Tor Browser with the option disabled, you are not affected by this. The exact functionality, usage, and caveats are documented at: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux The code is at: https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/ Regards, -- Yawning Angel

3 3

Re: [tor-dev] blacklisting relays with end-to-end correlation capabilities?
by nusenu 09 Dec '16

09 Dec '16

> I do not think that this is worthwhile. It establishes a precedent where > setting your contact info is something that gets you banned, potentially > incorrectly because it's unauthenticated, whereas we're unable to identify > people who actually maliciously run several relays without such indicators. "actually maliciously" somehow implies that openly run groups (all relays have the same contact info) are certainly not malicious because they do not try to hide? (set contact info) While I even assume that this is true for most such operators, it does not have to be the operator itself as soon as his admin machine gets compromised. Since openly run groups are not blacklisted there is no reason for someone with malicious intents to to even try to hide. > If we did this, also why would we blacklist the nonexit relays? That > seems to not make sense, as a relay operator could have multiple relays > that act as guard and exit simultaneously. Exit relays with the guard flag have usually a guard probability of 0% according to onionoo. Since exit capacity is harder to get I was suggesting to blacklist the guard-only relays of such groups, so the exit capacity could still be used while breaking the end-to-end capabilities (if we can assume onionoo's guard_probability to be correct). also see: https://lists.torproject.org/pipermail/tor-dev/2016-December/011715.html

2 1

Re: [tor-dev] please update your MyFamily
by Sec INT 09 Dec '16

09 Dec '16

Think I'm on dev-tor list now - sorry for spamming - all family info should be up to date now regards Mark B > On 8 Dec 2016, at 14:07, Sec INT <sec.int9(a)gmail.com> wrote: > > Should all be correct now > > regards > > Mark B > > >> On 8 Dec 2016, at 11:56, nusenu <nusenu(a)openmailbox.org> wrote: >> >> Dear snaptorg tor operator, >> >> >> teor wrote [1]: >>> TL;DR: we're talking about blacklisting your non-exit relays, >>> because they don't have MyFamily set correctly. >>> >>> If you'd like help configuring MyFamily correctly, please let us know. >> >> >> If you are wondering which relay is misconfigured, the last column >> (MyFamilyCount) should say at least 7 (or 8 if you plan to recycle your >> Creanova relay key). >> >> https://atlas.torproject.org/#details/9BFBF1EA78A3FC1A790F7A7789F074338E7F8… >> >> +---------------------+--------------+------+-------+---------------+ >> | first_seen | nickname | exit | guard | MyFamilyCount | >> +---------------------+--------------+------+-------+---------------+ >> | 2016-12-03 23:00:00 | SnapTorCAN | 0 | 0 | 5.0000 | >> | 2016-11-28 14:00:00 | SnapExitUS | 1 | 1 | 7.0000 | >> | 2016-11-28 11:00:00 | SnapExitBULG | 1 | 0 | 7.0000 | >> | 2016-11-27 00:00:00 | SnapTorBANG | 0 | 0 | 8.0000 | >> | 2016-11-26 23:00:00 | SnapTorSNPR | 0 | 0 | 8.0000 | >> | 2016-11-26 23:00:00 | SnapTorSTRAS | 0 | 0 | 8.0000 | >> | 2016-11-12 00:00:00 | SnapTorFr | 0 | 0 | 8.0000 | >> +---------------------+--------------+------+-------+---------------+ >> >> >> >> [1] https://lists.torproject.org/pipermail/tor-dev/2016-December/011715.html >>

3 2

protecting users from known relay groups with end-to-end correlation capabilities
by nusenu 08 Dec '16

08 Dec '16

Hi, it is a well known fact that MyFamily is a largely ignored setting, luckily this is not a problem in most cases because - all relevant relays are run in a single /16 or - are only guard relays (exit probability = 0*) or - are only exit relays (guard probability = 0*) but there is a limited number of relay groups** that have actual end-to-end correlation capabilities, meaning they are potentially chosen by tor clients for the guard _and_ exit position, even if the odds are (hopefully) not very high. These potentially dangerous relay groups - are run in multiple /16 netblocks - have an exit _and_ guard probability of > 0 (because they run exits and guards) Examples (generated daily): https://raw.githubusercontent.com/ornetstats/stats/master/o/potentially_dan… (see CC) How could the risk for tor clients be reduced? (options after enough dir auths came to the conclusion that these relays are in fact operated by a single entity) 1) try to contact the operators and give them time to fix it I've done that multiple times but haven't been successful [1] 2) build tools to easily/automatically manage MyFamily done[2], but it is unlikely to be used 3) assign them the badexit flag since exits are a scarce resource, not very wise 4) assign them the badguard flag there is no such thing ;) 5) blacklist the entry guards (that are outside the configured family) 6) change tor's path selection algorithm to never choose more than one relay with a given non-empty non-default contact string? This would basically turn the ContactInfo field into the PoS token mentioned by Mike in [3]. Since there are a few common contactInfo strings this is probably not the best option without excluding them. [1] https://lists.torproject.org/pipermail/tor-relays/2016-November/010965.html [2] https://github.com/nusenu/ansible-relayor [3] https://trac.torproject.org/projects/tor/ticket/5565 * if we can assume onionoo's values to be accurate and realistic ** they are considered to be operated by a single group due to their contactInfo descriptor field. This string is not verified in any way and can therefore result in false-positives.

2 5

Is it safe for second_elapsed_callback() to be called less often?
by Michael Rogers 07 Dec '16

07 Dec '16

Hi, When running hidden services on Android I've found it's necessary to hold a wake lock to keep the CPU awake. Otherwise Tor's second_elapsed_callback() doesn't get called once per second. When the CPU eventually wakes and the callback is called, if 100 seconds or more have passed since the last call, second_elapsed_callback() calls circuit_note_clock_jumped(), which marks any dirty circuits as unusable. If I understand right, this will have the effect of breaking any existing connections to the hidden service and making the service unreachable until it's built new intro circuits and published a new descriptor. #8239, #16387 and #19522 might help to reduce the downtime by improving our chances of reusing the same intro points, but we'd still lose the existing circuits. It would be nice if we could avoid this downtime without holding a permanent wake lock, which has a big impact on battery life. A possible workaround would be to use Android's alarm API to wake the controller process once per minute. The controller process can acquire a wake lock for a couple of seconds to allow second_elapsed_callback() to be called, then release the lock until the next alarm. However, it's pretty clear that Tor wants the callback to be called once per second and gets nervous if that doesn't happen, so I wanted to ask about the implications of calling the callback once or twice per minute before pursuing this idea further. Is it in any way sane? Another possibility would be to look into how Libevent's timers work. Perhaps we can ensure that the timers wake the CPU on Android, so second_elapsed_callback() and any other timer-based functions get called without keeping the CPU permanently awake? Thanks, Michael

3 3

sketch: An alternative prop224 authentication mechanism based on curve25519
by Nick Mathewson 06 Dec '16

06 Dec '16

Hi! I thought I'd write this up while it was fresh in my mind. It could be used as an alternative method to the current proposed client authentication mechanism. We could implement both, or just this, or just the other. My description here will be a bit terser than we'd want in a proper proposal, but I wanted to share it. This design is based on George Kadianakis's client authentication design; it won't make sense unless you've read it. ============= Let every client generate a curve25519 keypair, and tell the hidden service operator about the public key. This keypair takes the place of the long-term shared secret. For some client C, denote the secret key as x_X and the public key as X_C. For every descriptor, the hidden service generates a fresh keypair <y, Y>, and includes Y in the the outer encrypted layer. Now, for each client, the hidden service computes curve25519(X_C, y) and uses this as the input for two KDF functions. Call these outputs K1_C and K2_C. The hidden service generates an auth-client line for each client as follows: "auth-client" SP client-id SP encrypted-cookie This is the same as in George's proposal, except that client-id is derived from a truncated version of K1_C, and the encrypted-cookie portion is encrypted based on K2_C. When the client receives the descriptor, it decrypts the outer layer, then sees the value of Y that the hidden server advertised. It computes curve25519(Y, x_c), and derives K1_C and K2_C. It uses K1_C to find the appropriate entry on the list, and then uses K2_C to decrypt it and find the descriptor cookie. ============= Advantages: * managing public keys can be easier than managing shared secrets. * The encoding is slightly shorter, since no IV is needed, since K2 is different every time. * probably others? Disadvantages: * Curve25519 costs more computationally than non-public-key operations * probably others? -- Nick

8 20

TBB Isolation Impact on Alternative Anon Nets
by bancfc＠openmailbox.org 06 Dec '16

06 Dec '16

TBB sandboxing is a great hardening measure. I was wondering if there are side-effects such as breaking setups that involve using anonymous networks other than Tor. Such as: https://thetinhat.com/tutorials/darknets/i2p-browser-setup-guide.html As a workaround we can document how to toggle the TBB variable to disable this. Of course the best solution is having the isolation compatible with alternative setups if you consider this (minority) use-case worthy of your effort.

2 1

Scheduling future Tor proposal reading groups
by George Kadianakis 04 Dec '16

04 Dec '16

Hello people, in the beginning of 2016 we started organizing little-t-tor proposal reading groups in IRC, where we would discuss the current status of Tor proposals and coordinate on how to move them forward. You can see a list of previous such meetings here: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/Meeting… Unfortunately at some point, 2016 started showing its true self, and we kind of stopped doing those meetings in March. But they were useful, and we should probably start doing them again! I went through the mailing list and found a few interesting subjects that could benefit from group discussion. Here are some ideas: - Post-Quantum key exchanges for Tor There are a few proposals falling under this topic that were developed in the past months. Here are a few: https://gitweb.torproject.org/torspec.git/tree/proposals/263-ntru-for-pq-ha… https://gitweb.torproject.org/torspec.git/tree/proposals/269-hybrid-handsha… https://gitweb.torproject.org/torspec.git/tree/proposals/270-newhope-hybrid… https://lists.torproject.org/pipermail/tor-dev/2016-October/011553.html I'm far from an expert on this field, so I'm not sure about the current status of this project and the right direction to approach it. However, it seems that there have been enough developments here lately that a group discussion might be useful. - A name system API for Tor This is a proposal suggesting a single API that allows us to integrate secure name systems with Tor hidden services: https://lists.torproject.org/pipermail/tor-dev/2016-October/011514.html The proposal received useful feedback in and out of the mailing list. It seems that implementing the proposal as part of a Tor controller might be an easier way to test it. Some discussion on future directions might be helpful here, as this is something that will be needed sooner than later. - New topics in Next Gen Hidden Services We've done multiple IRC meetings on prop224, but it keeps on growing as it's being developed. Here are a few topics that might be worth discussing as a group: - Control port API for hidden services (https://trac.torproject.org/projects/tor/ticket/20699) - torrc UX for hidden services (https://lists.torproject.org/pipermail/tor-dev/2016-November/011661.html) - torrc/control UX for hidden service client auth (https://lists.torproject.org/pipermail/tor-dev/2016-November/011617.html) - UX for offline keys (https://trac.torproject.org/projects/tor/ticket/18098) - UX of hidden services on Tor Browser - Prop271: Another algorithm for guard selection We've also done a few IRC meetings on future guard algorithms, but we are now closer to completing that project than ever. After we have a few results and statistics of the new guard algorithm, it might be worth scheduling a meeting to discuss how well it works and ways to improve it. - And here are some more misc projects that might be worth discussing further: - The Tor browser sandbox that Yawning is developing and UX implications? - prop273: Exit relay pinning for web services ? Please let me know if you are excited talking about any of these topics (feel free to +1 in private email if you feel it's too spammy), or if there are any topics I forgot to mention. If we get enough participation we can schedule the first such meeting for December. Thanks!

5 4

Hidden Services and identity-based encryption (IBE)
by bancfc＠openmailbox.org 04 Dec '16

04 Dec '16

Read the Alpenhorn paper. Really neat stuff. It is able to guarantee forward-secrecy for identities and metadata and doesn't need out-of-band identity sharing. Can any of this stuff be borrowed for HSs? https://vuvuzela.io/alpenhorn-extended.pdf

2 1