[tor-bugs] #13154 [- Select a component]: Debian's "popularity contest" package as threat vector?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Sep 14 20:30:16 UTC 2014
#13154: Debian's "popularity contest" package as threat vector?
--------------------------------------+------------------------------------
Reporter: saint | Owner: saint
Type: enhancement | Status: accepted
Priority: normal | Milestone:
Component: - Select a component | Version:
Resolution: | Keywords: tor-hs, Debian, Stormy
Actual Points: | Parent ID:
Points: |
--------------------------------------+------------------------------------
Comment (by proper):
* [http://popcon.debian.org/README popcon readme]
* [http://popcon.debian.org/FAQ popcon faq]
* [http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=popularity-contest popcon bugs]
* [http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/popcon-developers popularity contest mailing list]
* [http://lists.alioth.debian.org/pipermail/popcon-developers/2012-October/002172.html popularity contest mailing list: Drop atime and ctime for privacy reasons possible?]
* The connection would obviously need to go over its own Tor circuit
(stream isolation). At the moment popcon tries to go through http and if
it fails (no internet connectivity) it goes into the mail queue
(sendmail). Sendmail probably works through TransPort, but we don't know if
it can be torified for proper stream isolation or if you want to implement
TransPort.
* (From the popcon readme) "''Each popularity-contest host is identified
by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf).''" -
This would allow enumerating a quite good guess about the number of
users.
* If you were to ship a VM image, MY_HOSTID would probably get created at
build time and all users would have the same MY_HOSTID, which would make
it useless. A new MY_HOSTID would have to be created at first boot. But as
long as you are using a script, that won't be an issue.
* Popcon runs at a random day. Good.
* If the machine is powered on: it runs at 6:47, which is bad, because a
local adversary (ISP or hotspot) could guess popcon runs over Tor (traffic
pattern).
* If the machine is powered off at 6:47, it sends the report later, only
if anacron is installed. It shouldn't run instantly after powering on,
also for fingerprinting reasons. The time would have to be truly
randomized.
* As long as the transmission is not encrypted (see
[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480860 popularity-contest should encrypt contents]),
malicious Tor exit relays could modify the transmission, but this is only
a minor issue. Such malicious Tor exit relays could send fake
transmissions on their own. Encryption has been added (see debian bug
ticket), but I am not sure it landed in the repos yet.
* It's questionable if, and if yes, for how long, Debian will accept
popularity contest transmissions from Tor exit relays. There is potential
for electoral fraud.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13154#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
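
The first-boot MY_HOSTID regeneration and the randomized send time raised in the comment above, as an added shell example that is not part of the original ticket or of popularity-contest itself. The function names are hypothetical, the config path and the image's build-time ID are supplied by the caller, and MY_HOSTID is assumed to be stored as 32 hex digits, optionally double-quoted.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not popcon code): make sure a host
# cloned from a VM image does not keep the image-wide MY_HOSTID.

# new_hostid: print 128 random bits as 32 lowercase hex characters.
new_hostid() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# current_hostid FILE: print the last MY_HOSTID value in FILE (empty if none).
current_hostid() {
    sed -n 's/^MY_HOSTID="\{0,1\}\([0-9a-fA-F]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# ensure_unique_hostid FILE IMAGE_ID
# Replaces MY_HOSTID when it is missing, malformed, or equal to IMAGE_ID
# (the value baked in at build time). Prints "regenerated" or "kept".
ensure_unique_hostid() {
    conf=$1
    [ -f "$conf" ] || return 1
    image_id=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    cur=$(current_hostid "$conf" | tr 'A-F' 'a-f')
    if [ "${#cur}" -eq 32 ] && [ "$cur" != "$image_id" ]; then
        echo kept
        return 0
    fi
    fresh=$(new_hostid)
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Drop every old MY_HOSTID line, then append the fresh one.
    grep -v '^MY_HOSTID=' "$conf" > "$tmp" || true
    printf 'MY_HOSTID="%s"\n' "$fresh" >> "$tmp"
    # Overwrite in place so the config keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo regenerated
}

# random_delay_seconds MAX: delay in [0, MAX) drawn from /dev/urandom, so
# the send time is not tied to a fixed clock time or to power-on.
random_delay_seconds() {
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
    echo $(( n % $1 ))
}

# Stand-alone use: sh this-script CONF IMAGE_ID
if [ "$#" -eq 2 ]; then ensure_unique_hostid "$1" "$2"; fi
```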