[tor-bugs] #19163 [Core Tor/Tor]: Make sure clients almost always use ntor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 23 22:55:16 UTC 2016
#19163: Make sure clients almost always use ntor
-------------------------------------------------+-------------------------
Reporter: teor | Owner: teor
Type: defect | Status:
| needs_revision
Priority: Medium | Milestone: Tor:
| 0.2.9.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: rsos, tor-hs, TorCoreTeam201608, | Actual Points: 5
review-group-7 |
Parent ID: | Points: 2.0
Reviewer: nickm | Sponsor:
-------------------------------------------------+-------------------------
Comment (by teor):
Replying to [comment:17 nickm]:
> Re-review:
>
> * I worry about the security of the opportunistic upgrade stuff. It
has the potential to enable epistemic attacks.
>
> Otherwise stuff looks good.
Yes, I have the same concerns - you could probe a client / hidden service
to find out which relays it knows about. And it's hard to test.
Here are our options:
* We could control opportunistic upgrades with a consensus parameter that
we only switch on when 0.2.8 is no longer recommended. But this means the
code won't be tested.
* We could remove opportunistic upgrades entirely, and only kill off TAP
when we kill off the old hidden service protocol.
And separately, for Single Onion Services / Tor2web:
* We could always do opportunistic upgrades, because it doesn't matter if
anyone knows what consensus a Single Onion Service or Tor2web client has,
and it's more important to protect the single-hop link with ntor rather
than using the vulnerable TAP protocol.
* Or we could go with either of the above options.
What do you think?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19163#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list