[tor-bugs] #6537 [Tor Client]: Possible timing side-channel in router selection

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Aug 3 15:42:44 UTC 2012


#6537: Possible timing side-channel in router selection
------------------------+---------------------------------------------------
 Reporter:  nickm       |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  major       |      Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------
 Robert Ransom found a possible timing side-channel in how we select
 routers by bandwidth: we finish faster if we're selecting a router earlier
 in the list than we do if we select a router later in the list.  If this
 timing information is available on the wire, it could be used to tell
 which nodes a client is selecting based on how long it takes to pick them.

 This is probably not an end-of-the-world attack, since:
    * There is a lot of noise in client timing information, especially in
 this case, since after picking a circuit we do a bunch of crypto, pk, and
 network ops too.
    * For exit nodes at least, we pick them at circuit_establish_circuit(),
 before we send any data to the network.
    * The timing information isn't likely to be fine-grained enough to leak
 particular nodes; rather, if it is available at all, it is likelier to
 leak which general segment of the node list was selected.

 Nevertheless, this isn't something we should even risk exposing, and there
 might be other factors here too that I'm not analyzing right.  Better safe
 than sorry.  Let's fix this one.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6537>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
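
Added illustration, not part of the ticket and not Tor's own code: a bandwidth-weighted choice that returns as soon as it finds the entry (so its iteration count tracks the chosen position, as the report describes) beside a variant that always scans the whole list. The function names and the sample weights are assumptions made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample bandwidth weights (total 5000); not real relay data. */
static const uint64_t SAMPLE_BW[] = { 500, 1200, 80, 3000, 220 };
#define SAMPLE_N (sizeof(SAMPLE_BW) / sizeof(SAMPLE_BW[0]))

/* Early-exit choice. rand_bw must be uniform in [0, total); the sum of
 * weights is assumed to fit in uint64_t. *steps counts loop iterations. */
size_t choose_early_exit(const uint64_t *bw, size_t n, uint64_t rand_bw,
                         size_t *steps)
{
    uint64_t running = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        running += bw[i];
        if (running > rand_bw)
            return i;            /* earlier entries return sooner */
    }
    return n - 1;
}

/* Full-scan choice: visits every entry and keeps the first hit with masks
 * instead of an early return. A compiler may still emit branches, so the
 * generated code has to be inspected before relying on this. */
size_t choose_full_scan(const uint64_t *bw, size_t n, uint64_t rand_bw,
                        size_t *steps)
{
    uint64_t running = 0, found = 0;   /* found: all-ones after first hit */
    size_t chosen = n - 1;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        running += bw[i];
        uint64_t hit = (uint64_t)0 - (uint64_t)(running > rand_bw);
        uint64_t take = hit & ~found;  /* all-ones only on the first hit */
        chosen = (size_t)((take & i) | (~take & chosen));
        found |= hit;
    }
    return chosen;
}

int main(void) {
    size_t se, sf;
    size_t a = choose_early_exit(SAMPLE_BW, SAMPLE_N, 100, &se);
    size_t b = choose_full_scan(SAMPLE_BW, SAMPLE_N, 100, &sf);
    printf("idx %zu/%zu, steps early=%zu full=%zu\n", a, b, se, sf);
    return 0;
}
```

Both functions return the same index for the same random value; only the number of iterations differs, which is the quantity the ticket is concerned about.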

