I've had an IRC session with the designer of cjdns (on cjdns) who made a few interesting points, and suggestions. Comments?
Verbatim chat snip below.
18:03 <@cjd> if you took the components from cjdns, you could build a TOR like protocol which used UDP if possible and made connections much faster
18:04 <+eleitl> I wonder why they didn't choose UDP
18:05 <@cjd> you need to fall back on tcp in case you're firewalled to hell
18:05 <+eleitl> Apparently, they're thinking about it https://blog.torproject.org/blog/moving-tor-datagram-transport
18:06 <@cjd> problem with tor is (correct me if I)
18:06 <@cjd> 'm wrong)
18:06 <@cjd> the directory is signed by the tor foundation
18:07 <@cjd> so they can sign a fake directory and run a bunch of directory servers and when Alice connects to their directory server, they give her a bunch of fake nodes
18:07 <@cjd> run their own botnet with fake tor nodes so your circuit is always owned
18:07 <+eleitl> I don't really know for sure, but there's intrinsic trust to Tor developers, yes.
18:08 <+eleitl> You can run your own Tor network, though.
18:08 <+eleitl> Some botnets do that.
18:08 <@cjd> I trust them to make the software right, esp. since I could check if they did.
18:09 <@cjd> But a little arm twisting can change someone's motives pretty fast.
18:09 <+eleitl> Maintaining signing secrets is a problem.
18:09 <+eleitl> They should have used a P2P design.
18:10 <@cjd> If someone (with government hat?) tells you they can make your life hell... I wouldn't fault them for doing what the man says.
18:10 <@cjd> *wouldn't fault you
18:10 <+eleitl> I'll try bugging some Tor developers about that scenario, and see how they squirm.
18:11 <+eleitl> Also, the UDP connection thing.
18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
18:11 <@cjd> stack -> all headers in the same packet
18:12 <@cjd> cjdns does the same thing
18:13 <+eleitl> Can I use snippage from this chat verbatim, or will I need to rephrase?
18:14 <@cjd> sure go ahead
18:14 <+eleitl> Thanks!
18:14 <@cjd> can only speak for myself ofc
18:14 <+eleitl> Sure.
On 10/4/12, Eugen Leitl eugen@leitl.org wrote:
I've had an IRC session with the designer of cjdns (on cjdns) who made a few interesting points, and suggestions. Comments?
Verbatim chat snip below.
18:03 <@cjd> if you took the components from cjdns, you could build a TOR like protocol which used UDP if possible and made connections much faster
18:04 <+eleitl> I wonder why they didn't choose UDP
Presumably because TCP was easier.
18:05 <@cjd> you need to fall back on tcp in case you're firewalled to hell
18:05 <+eleitl> Apparently, they're thinking about it
https://blog.torproject.org/blog/moving-tor-datagram-transport
Yes. TCP was a bad choice for Tor.
18:06 <@cjd> problem with tor is (correct me if I)
18:06 <@cjd> 'm wrong)
18:06 <@cjd> the directory is signed by the tor foundation
18:07 <@cjd> so they can sign a fake directory and run a bunch of directory servers and when Alice connects to their directory server, they give her a bunch of fake nodes
The v3 network consensus document must be signed by a majority of the (currently nine) directory authorities' signing keys. None of the directory authorities are operated by Tor Project, Inc.
18:07 <@cjd> run their own botnet with fake tor nodes so your circuit is always owned
TPI does not have the expertise needed to run a botnet for this purpose.
18:07 <+eleitl> I don't really know for sure, but there's intrinsic trust to Tor developers, yes.
18:08 <+eleitl> You can run your own Tor network, though.
18:08 <+eleitl> Some botnets do that.
Interesting. Do you have a reference describing one of these botnets?
18:08 <@cjd> I trust them to make the software right, esp. since I could check if they did.
18:09 <@cjd> But a little arm twisting can change someone's motives pretty fast.
18:09 <+eleitl> Maintaining signing secrets is a problem.
18:09 <+eleitl> They should have used a P2P design.
Do you have a ‘P2P design’ for Tor which doesn't rely on trusted parties ‘maintaining signing secrets’ and which isn't broken? (Hint: No, you don't.)
Do you have any ‘P2P design’ for Tor at all which isn't broken?
18:10 <@cjd> If someone (with government hat?) tells you they can make your life hell... I wouldn't fault them for doing what the man says.
18:10 <@cjd> *wouldn't fault you
18:10 <+eleitl> I'll try bugging some Tor developers about that scenario, and see how they squirm.
18:11 <+eleitl> Also, the UDP connection thing.
18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
18:11 <@cjd> stack -> all headers in the same packet
18:12 <@cjd> cjdns does the same thing
If this refers to including the circuit-extension packet which caused a relay to open an OR connection in the first UDP packet that it sends in order to open that connection, I agree that that would be a good thing to do, although mostly for reasons that cjd isn't mentioning.
If this refers to setting up a complete three-node Tor circuit with only one outgoing packet sent by the client, that can be implemented without a UDP-based transport (and early versions of Tor did implement it).
Robert Ransom
On Thu, Oct 04, 2012 at 01:50:47PM -0400, Robert Ransom wrote:
The v3 network consensus document must be signed by a majority of the (currently nine) directory authorities' signing keys. None of the
Nice.
directory authorities are operated by Tor Project, Inc.
Is there a documented process by how these authorities are chosen, and ways for third parties to audit that it's not a tentacle operation?
18:07 <@cjd> run their own botnet with fake tor nodes so your circuit is always owned
TPI does not have the expertise needed to run a botnet for this purpose.
TPI being...?
18:07 <+eleitl> I don't really know for sure, but there's intrinsic trust to Tor developers, yes.
18:08 <+eleitl> You can run your own Tor network, though.
18:08 <+eleitl> Some botnets do that.
Interesting. Do you have a reference describing one of these botnets?
Sorry, that was typed in haste. The only botnet using Tor I'm aware of is
http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_...
which uses the regular Tor network. Not aware of a botnet running a private Tor network, though such a thing can be not far behind.
18:08 <@cjd> I trust them to make the software right, esp. since I could check if they did.
18:09 <@cjd> But a little arm twisting can change someone's motives pretty fast.
18:09 <+eleitl> Maintaining signing secrets is a problem.
18:09 <+eleitl> They should have used a P2P design.
Do you have a ‘P2P design’ for Tor which doesn't rely on trusted parties ‘maintaining signing secrets’ and which isn't broken?
No need to be snarky, I mean well. There are obviously ways in which network quorum can eliminate authorities as a single point of failure (see Bitcoin, Tahoe LAFS, etc).
(Hint: No, you don't.)
Do you have any ‘P2P design’ for Tor at all which isn't broken?
What very few people know: I'm actually a dog. W00f. I don't have the money or the skills to do anything which would survive more than a friendly sandbox. Don't ask me for patches, I'll drag you in a wet skunk which has been dead for a while.
18:10 <@cjd> If someone (with government hat?) tells you they can make your life hell... I wouldn't fault them for doing what the man says.
18:10 <@cjd> *wouldn't fault you
18:10 <+eleitl> I'll try bugging some Tor developers about that scenario, and see how they squirm.
18:11 <+eleitl> Also, the UDP connection thing.
18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
18:11 <@cjd> stack -> all headers in the same packet
18:12 <@cjd> cjdns does the same thing
If this refers to including the circuit-extension packet which caused a relay to open an OR connection in the first UDP packet that it sends in order to open that connection, I agree that that would be a good thing to do, although mostly for reasons that cjd isn't mentioning.
If this refers to setting up a complete three-node Tor circuit with only one outgoing packet sent by the client, that can be implemented without a UDP-based transport (and early versions of Tor did implement it).
Thanks, I'll pass that on when I'm cjdnsland again.
By the way, I would be very interested in Tor developer's opinions about the design of cjdns (of course, that's still pretty much in flux, and parts of infrastructure missing, particularly P2P DNS).
Eugen Leitl:
18:08 <@cjd> I trust them to make the software right, esp. since I could check if they did.
18:09 <@cjd> But a little arm twisting can change someone's motives pretty fast.
18:09 <+eleitl> Maintaining signing secrets is a problem.
18:09 <+eleitl> They should have used a P2P design.
Do you have a ‘P2P design’ for Tor which doesn't rely on trusted parties ‘maintaining signing secrets’ and which isn't broken?
No need to be snarky, I mean well. There are obviously ways in which network quorum can eliminate authorities as a single point of failure (see Bitcoin, Tahoe LAFS, etc).
He isn't being snarky - he's being honest and knows the research better than most.
(Hint: No, you don't.)
Do you have any ‘P2P design’ for Tor at all which isn't broken?
What very few people know: I'm actually a dog. W00f. I don't have the money or the skills to do anything which would survive more than a friendly sandbox. Don't ask me for patches, I'll drag you in a wet skunk which has been dead for a while.
18:10 <@cjd> If someone (with government hat?) tells you they can make your life hell... I wouldn't fault them for doing what the man says.
18:10 <@cjd> *wouldn't fault you
18:10 <+eleitl> I'll try bugging some Tor developers about that scenario, and see how they squirm.
18:11 <+eleitl> Also, the UDP connection thing.
18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
18:11 <@cjd> stack -> all headers in the same packet
18:12 <@cjd> cjdns does the same thing
Huh. Wow. I just... Excuse me? Who suggests that no Tor developers haven't already had their arm twisted and stood their ground? Who suggests that those who run a Tor Directory Authority would comply with the "man" and what "they" say? On what evidence do they say these things? Do they understand the moral and ethical character of the people running those systems? No, they most certainly do not. Do they even know the history of harassment that Tor people have faced in various circumstances? No, they clearly do not know these things.
I certainly have had attempts, serious attempts by powerful people, to crush my spirit, to push me out of the anonymity space and to punish me for speaking out about anonymity as a fundamental human right.
I don't take kindly to anyone suggesting that 1) such harassment hasn't happened and 2) if it were to happen, we'd just roll over like a bunch of assholes.
Did I mention how offensive that uneducated kind of statement is to people who work day and night on these problems? To those who have struggled against state surveillance, state harassment and other extra-legal issues?
It's bad enough that someone would suggest a bunch of broken designs would be better. It suggests a lack of understanding of the anonymity space and that is self-evident, hardly worth refuting. However, the rest of the comments are just over the top in their absolutely ridiculous nature. Such statements are totally offensive and absurd to the core.
Run Tor nodes if you're worried about the integrity of Tor nodes and the integrity of the network as a whole; be part of the solution by taking practical action on the matter.
Sincerely, Jacob
On Fri, 05 Oct 2012 12:07:39 +0000 Jacob Appelbaum jacob@appelbaum.net wrote:
Huh. Wow. I just... Excuse me? Who suggests that no Tor developers haven't already had their arm twisted and stood their ground? Who suggests that those who run a Tor Directory Authority would comply with the "man" and what "they" say? On what evidence do they say these things? Do they understand the moral and ethical character of the people running those systems? No, they most certainly do not. Do they even know the history of harassment that Tor people have faced in various circumstances? No, they clearly do not know these things.
Towards this point, very few know who run the DirAuths, where they are, and how we vetted these people. We've done a bad job of communicating this info.
Thus spake Jacob Appelbaum (jacob@appelbaum.net):
18:10 <@cjd> If someone (with government hat?) tells you they can make your life hell... I wouldn't fault them for doing what the man says.
18:10 <@cjd> *wouldn't fault you
18:10 <+eleitl> I'll try bugging some Tor developers about that scenario, and see how they squirm.
18:11 <+eleitl> Also, the UDP connection thing.
18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
18:11 <@cjd> stack -> all headers in the same packet
18:12 <@cjd> cjdns does the same thing
Huh. Wow. I just... Excuse me? Who suggests that no Tor developers haven't already had their arm twisted and stood their ground? Who suggests that those who run a Tor Directory Authority would comply with the "man" and what "they" say? On what evidence do they say these things? Do they understand the moral and ethical character of the people running those systems? No, they most certainly do not. Do they even know the history of harassment that Tor people have faced in various circumstances? No, they clearly do not know these things.
I certainly have had attempts, serious attempts by powerful people, to crush my spirit, to push me out of the anonymity space and to punish me for speaking out about anonymity as a fundamental human right.
I don't take kindly to anyone suggesting that 1) such harassment hasn't happened and 2) if it were to happen, we'd just roll over like a bunch of assholes.
I agree: the assumption was a little rude, and it's clear that cjd doesn't understand what we're made of. It's an easy assumption to make, though. After all, the world hasn't seen European Enlightenment values seriously defended in at least 50 years (or more). :/
However, the real problem here is that the rubberhose attack vector isn't limited to beating down the few renegade buddhists that the Tor Project manages to somehow authenticate, locate, and vet as capable of being beyond pain...
*Anyone* with *any* access to the data centers that host the directory authorities is potentially subject to either a coercive or subversive attack to gain access to a majority of the dirauth key material, and thus generate fraudulent, targeted consensuses...
As you know, I've been digging down the rabbit hole of how to ensure the integrity of a remote machine, and it seems impossible to do this without both secure boot *and* a way to verify the current runtime integrity. Without these properties, it would seem our current model is untenable long-term.
Yet still, as Roger and Robert point out, there are some serious questions about the viability of decentralized directory/consensus systems. Or, at least questions that sexified attack papers can make to seem serious. (For example: I don't believe TorSK was actually broken beyond Tor's current properties...).
However, as a stopgap, perhaps we might consider a Perspectives-style component/addon to HTTPS-Everywhere/TBB/Vidalia for multipath consensus verification. For example, random people could publish signed statements of the latest SHA512 hash of the current consensus for the hour to a git repository or other append-only data structure. This repository could be easily mirrored widely, and it would be trivial for mirrors to ensure the integrity of their copies...
With such methods (which can surely start as manual-only), we can provide multiple mechanisms of consensus validation in tandem, and the security of the network directory would be governed by the security of the union of all of these systems.
In fact, it should even be possible for Tor clients to store such consensus hashes for later validation, to see if they had been compromised at points in the past. One could even physically smuggle a USB key out of a potentially targeted location to verify consensus integrity from another location, at a later date...
Unfortunately, the fake consensus attack is arguably *not* the easiest way to perform route capture on the Tor network today. It might be #2, though...
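[Editor's note: the program below is an added illustration of the two checks discussed in this thread, Robert's point that a v3 consensus counts only when a majority of the directory authorities sign it, and Mike's proposal to cross-check the received consensus against independently published, signed SHA-512 digests. It is example code written for this page, not Tor's implementation: Tor's actual consensus format and signature lines are different, the authority and witness keys here are throwaway Ed25519 keys derived from labels, the consensus bodies are two constructed strings, and the "consensus-witness" statement format and the period string are inventions of the example.]

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// WitnessStatement is an observer's signed claim "in period P the consensus digest was D".
type WitnessStatement struct {
	Witness, Period string
	Digest, Sig     []byte
}

// Digest is the SHA-512 hash of a consensus body, the value authorities and witnesses sign.
func Digest(consensus []byte) []byte {
	sum := sha512.Sum512(consensus)
	return sum[:]
}

// CountValidSigs counts known authorities whose signature over the digest verifies; unknown signers are ignored.
func CountValidSigs(auths map[string]ed25519.PublicKey, consensus []byte, sigs map[string][]byte) (n int) {
	msg := Digest(consensus)
	for name, sig := range sigs {
		if pub, ok := auths[name]; ok && ed25519.Verify(pub, msg, sig) {
			n++
		}
	}
	return
}

// MajorityValid is the v3 rule from the thread: more than half of the known authorities must sign.
func MajorityValid(auths map[string]ed25519.PublicKey, consensus []byte, sigs map[string][]byte) bool {
	return CountValidSigs(auths, consensus, sigs) > len(auths)/2
}

// witnessMsg binds a digest to a period so a statement cannot be replayed for a later consensus.
func witnessMsg(period string, digest []byte) []byte {
	return append([]byte("consensus-witness\n"+period+"\n"), digest...) // constructed format
}

// CrossCheck compares the digest of the consensus a client actually received against validly
// signed statements from known witnesses for the same period.
func CrossCheck(witnesses map[string]ed25519.PublicKey, period string, local []byte, stmts []WitnessStatement) (agree, disagree int) {
	want := string(Digest(local))
	for _, st := range stmts {
		pub, ok := witnesses[st.Witness]
		if !ok || st.Period != period || !ed25519.Verify(pub, witnessMsg(st.Period, st.Digest), st.Sig) {
			continue // unknown witness, wrong period or bad signature: carries no weight either way
		}
		if string(st.Digest) == want {
			agree++
		} else {
			disagree++
		}
	}
	return
}

// testKey derives a deterministic, throwaway Ed25519 keypair from a label (never do this for real keys).
func testKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha512.Sum512([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:ed25519.SeedSize])
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario: nine authorities, five of them coerced into also signing a forged consensus that is
// served only to one client, plus three witnesses who each saw the genuine consensus. It returns
// whether each consensus passes the majority-signature check and the witness agree/disagree counts.
func Scenario() (genuineMajority, forgedMajority bool, genuineAgree, forgedDisagree int) {
	const period = "2012-10-06T12"                                // constructed
	genuine := []byte("network-status-version 3\nr relayA ...\n") // constructed consensus bodies
	forged := []byte("network-status-version 3\nr attackerA ...\n")
	auths, witnesses := map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}
	gs, fs := map[string][]byte{}, map[string][]byte{}
	for i := 0; i < 9; i++ {
		name := fmt.Sprintf("auth%d", i)
		pub, priv := testKey(name)
		auths[name] = pub
		gs[name] = ed25519.Sign(priv, Digest(genuine))
		if i < 5 { // the coerced majority
			fs[name] = ed25519.Sign(priv, Digest(forged))
		}
	}
	var stmts []WitnessStatement
	for i := 0; i < 3; i++ {
		name, d := fmt.Sprintf("witness%d", i), Digest(genuine)
		pub, priv := testKey(name)
		witnesses[name] = pub
		stmts = append(stmts, WitnessStatement{name, period, d, ed25519.Sign(priv, witnessMsg(period, d))})
	}
	genuineMajority, forgedMajority = MajorityValid(auths, genuine, gs), MajorityValid(auths, forged, fs)
	genuineAgree, _ = CrossCheck(witnesses, period, genuine, stmts)
	_, forgedDisagree = CrossCheck(witnesses, period, forged, stmts)
	return
}

func main() {
	// Prints "true true 3 3": both consensuses pass the signature check; only the witness cross-check flags the forgery.
	fmt.Println(Scenario())
}
```

The point of the run is the second line of output: a targeted consensus signed by a coerced majority of authority keys is indistinguishable from the genuine one to the signature check alone, and it is the witnesses, who saw what everyone else was served that hour, that expose it. Two caveats a client implementing this would want: a single validly signed disagreeing witness should be treated as an alarm rather than outvoted, and the check is only as strong as the witnesses' independence from the consensus path the client is on, which is why the append-only, widely mirrored log proposed above matters more than the statement format.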
On 10/6/12, Mike Perry mikeperry@torproject.org wrote:
Yet still, as Roger and Robert point out, there are some serious questions about the viability of decentralized directory/consensus systems. Or, at least questions that sexified attack papers can make to seem serious. (For example: I don't believe TorSK was actually broken beyond Tor's current properties...).
Torsk relied on a trusted party to sign relay descriptors. Its goal was to reduce the (asymptotic) total amount of directory communication, not to remove the need for directory authorities.
Robert Ransom
On Thu, Oct 04, 2012 at 01:50:47PM -0400, Robert Ransom wrote:
18:04 <+eleitl> I wonder why they didn't choose UDP
Presumably because TCP was easier.
Yep.
18:05 <@cjd> you need to fall back on tcp in case you're firewalled to hell
18:05 <+eleitl> Apparently, they're thinking about it
https://blog.torproject.org/blog/moving-tor-datagram-transport
Yes. TCP was a bad choice for Tor.
That said, transporting IP packets end-to-end (i.e., having TCP sessions end-to-end across the network) is likely a bad choice as well. TCP is designed for a situation where the core pipes have extra capacity, and the edges are tiny. The Tor network is the opposite: the edges have lots of capacity, and the core network is overloaded. The result would be tens (hundreds?) of thousands of TCP streams all in slow-start talking over each other.
It's hard to win this one.
Do you have a ‘P2P design’ for Tor which doesn't rely on trusted parties ‘maintaining signing secrets’ and which isn't broken? (Hint: No, you don't.)
Do you have any ‘P2P design’ for Tor at all which isn't broken?
For some reading, see http://freehaven.net/anonbib/#wpes09-dht-attack and all the papers around it.
18:10 <@cjd> If someone (with government hat?) tells you they can make your life hell... I wouldn't fault them for doing what the man says.
18:10 <@cjd> *wouldn't fault you
18:10 <+eleitl> I'll try bugging some Tor developers about that scenario, and see how they squirm.
See also https://www.torproject.org/docs/faq#KeyManagement https://gitweb.torproject.org/tor.git/blob/HEAD:/doc/contrib/authority-polic...
https://gitweb.torproject.org/tor.git/blob/HEAD:/src/or/config.c#l741
as for who the directory authority operators are, I suggest you attend one of the Tor developer meetings. I think we have enough diversity that nobody can roll over silently in a way that damages users.
If somebody wants to hack on https://metrics.torproject.org/consensus-health.html to make it better at noticing anomalies, please do.
18:11 <+eleitl> Also, the UDP connection thing.
18:11 <@cjd> You can "stack" your circuit setup packets if you're using UDP
18:11 <@cjd> stack -> all headers in the same packet
18:12 <@cjd> cjdns does the same thing
If this refers to including the circuit-extension packet which caused a relay to open an OR connection in the first UDP packet that it sends in order to open that connection, I agree that that would be a good thing to do, although mostly for reasons that cjd isn't mentioning.
If this refers to setting up a complete three-node Tor circuit with only one outgoing packet sent by the client, that can be implemented without a UDP-based transport (and early versions of Tor did implement it).
I think http://freehaven.net/anonbib/#sphinx-onion-fc10 is a good introduction to this topic.
--Roger