[tor-bugs] #15774 [Tor]: Signed Fallback Directory File

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 22 14:24:11 UTC 2015


#15774: Signed Fallback Directory File
--------------------+------------------------------------
 Reporter:  teor    |          Owner:
     Type:  defect  |         Status:  new
 Priority:  minor   |      Milestone:  Tor: 0.2.???
Component:  Tor     |        Version:  Tor: 0.2.4.7-alpha
 Keywords:  lorax   |  Actual Points:
Parent ID:          |         Points:
--------------------+------------------------------------
 See
 https://lists.torproject.org/pipermail/tor-dev/2015-April/008682.html
 and #15642, in which I say:

     The function which loads fallback directories currently loads from a
     string array inside the function, so it would need to be modified to load
     from a signed file. I support the security benefits of signed fallback
     directories enough to write client code and unit tests for it, but I'm not
     sure how the code for the authorities would work - is the proposal to sign
     a section of the consensus, and output it as a separate file?

     If so, we would either need to backport, and/or wait until a majority
     of the authorities update to tor versions with the feature. And perhaps a
     majority of clients as well, controlled by a consensus parameter?
     (Otherwise, using any entry in the file itself would allow clients to
     effectively be partitioned from the rest of the network by their
     behaviour.)

     While I'm making a list, do we need to modify the existing proposal
     which describes fallback directories?

     Is this change proposed for 0.2.7?
     Or all currently supported releases?

     Do we need a new configuration option to give the location of the
     (signed) Fallback Directories file?
     How should this interact with the existing FallbackDir option?
     Cumulative?

 And nickm says:

     I think making the file signed is a different ticket, and I don't
     really understand the threat model for it.

 Before we make this change, we need to understand how the threat model is
 different from, for example:
 * a package maintainer adding their own directory
 * a package maintainer removing the signature check code
 * a package maintainer replacing all the authorities

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15774>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online