On Sun, Jan 17, 2016 at 12:32 PM, Spencer spencerone@openmailbox.org wrote:
Hi,
Nick Mathewson: [This is a significantly revised version of the last version of this proposal draft, sent here for comment.]
Questions?
The last version of this draft was https://lists.torproject.org/pipermail/tor-dev/2015-September/009587.html
I asked some questions to this draft [0] that you may have forgotten to answer that still seem relevant; I have sniped them here.
Hi, Spencer! Indeed, these are relevant, and since the discussion meeting for the latest incarnation of these proposals is soon (see https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/MeetingS... ) I should try to clarify!
However, a bunch of your questions don't seem to apply to proposal 266.
Nick Mathewson: Draft proposal -- no number yet: How to safely drop support for old clients.
I had made an observation about the title's "fluffy and not reflective of the proposal" nature and offered some options but I feel now like the current title still isn't as clear as it is intended to be.
'Current' suggests there are past or future clients that are being overlooked.
'Obsolete' suggests that the clients are no longer used or have fallen into disuse, which is quite a presumption given the encouragement behind "upgrading" that kinda forces people to show up as current-clients-in-the-wild data points.
I still recommend:
- How to depreciate support for old clients
Though 'Network' is a valuable descriptor (:
I've tried to split the first version of the proposal into 2.
Section 4 of Proposal 264, "Putting version numbers on the Tor subprotocols" might also be called "How we can make clients that follow this proposal stop connecting to the network."
Proposal 266 might be called "How to make clients that exist today stop connecting to the Tor network."
Frequently, we find that very old versions of Tor should no longer be supported on the network.
Where can we find research on the impact?
I'm not aware of anything published. There are a few important reasons why very old clients shouldn't be supported.
1) A non-updated Tor is insecure. Nobody backports bugfixes back to 0.2.0, for example.
2) For some old versions, the bulk of deployed versions appear to be one or more defunct botnets; have a look around tor-dev around 2 years ago for threads about dealing with said botnets.
3) Some TLS protocol features used in very old Tor versions (such as SSL renegotiation and tricky games with the ciphersuites listed in the ClientHello) force us to tie our implementation to OpenSSL and its close derivatives, and make our code significantly harder to maintain securely so long as they remain.
Disabling all versions that don't support this proposal
With all due respect, doesn't Microsoft do stuff like this? Is the impact so large that they require this level of action?
Yes, the impact is so large it requires this level of action.
Microsoft, on the other hand, has millions of Windows XP clients still running today, making the internet less secure.
(Also, the actual content of proposal is far milder than this heading makes it sound. My goal with proposal 266 is to work under the assumption that every current Tor MAY eventually prove so broken it needs to go away; not to take as a given that (eg) 0.2.7 will eventually need to get deprecated this hard.)
if we want to disable all Tor versions before today that do not support this proposal.
Is the proposal for 5 years in the past, pre this version, or can/will the cutoff be specified willy-nilly?
See above; proposal 266 attempts to describe a way to disable all clients that do not support proposals 264 and 266. The extent to which this will ever be necessary, or the time at which any of this will be necessary, is unknown.
To do this would require the cooperation of a majority of directory authorities.
And I'm not planning to advocate that anything be deprecated without good reason.
Right now, for example, I think we should stop 0.2.3 and earlier from using Tor: their use of RSA1024 / DH1024 makes their security quite questionable, and the zombie vestigial botnet on 0.2.2, even though it's slowly decaying, is doing nobody any favors.
I'd suggest that everybody actually _running_ a client or server should really be on 0.2.6 or later, but I'm not aware of any current need to kick 0.2.4 or 0.2.5 off the network.
hth,