[tor-bugs] #16260 [Tor]: HS can repick an expired intro points or one that we've already picked
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 8 02:34:43 UTC 2015
#16260: HS can repick an expired intro points or one that we've already picked
-------------------------+--------------------------------
Reporter: dgoulet | Owner:
Type: defect | Status: closed
Priority: normal | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version:
Resolution: fixed | Keywords: SponsorR, tor-hs
Actual Points: | Parent ID:
Points: |
-------------------------+--------------------------------
Comment (by arma):
Status from Roger: I think the performance penalty from a 4-hop intro
point is never worth it. So we could either a) only cannibalize a circuit
if it ends at the intro point we picked, and otherwise build a new one, or
b) simply not even check for cannibalization, since it'll almost never
work, or c) check, even before we pick our new intro point, whether
there's an adequate circuit to use, and if so, use it and pretend that's
the intro point we would have picked.
I would argue for 'a' or 'b' since they're simpler and don't involve
subtle anonymity questions. In particular, here is the subtle anonymity
question for 'c': let's say we built a preemptive circuit 50 minutes ago,
and since then we fetched a new consensus document with wildly different
weights for the last hop on that circuit. If we re-used it as our intro
point, we would end up with different behavior than if we had picked a new
intro point with our new weights. How bad is that? For almost all cases it
will be roughly the same. For a few cases we'll leak...what...whether we
had a preemptive circuit and used it? It's possible that we just lost our
network connection for a while, leading to all our preemptive circuits
being closed. So in a small fraction of cases we'd leak whether that was
true? Is that a big deal?
David argues for cannibalization because of the upcoming Usenix Security
paper that describes cannibalization in this case as a security
improvement. I haven't read the paper yet, but my intuition says that
there are many ways to distinguish hidden service circuits from other
types of circuits at the client side, since we never aimed to protect
that. But (uninformed) intuition is a terrible thing to use when making
these decisions.
Anyway, there we are. :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16260#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list