[tor-bugs] #25573 [Core Tor/Tor]: Create a RELAY_COMMAND_END_ACK cell type
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 21 18:10:29 UTC 2018
#25573: Create a RELAY_COMMAND_END_ACK cell type
------------------------------+-----------------------------------
Reporter: mikeperry | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: guard-discovery-stats
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: SponsorV-can |
------------------------------+-----------------------------------
In order to eliminate a side channel attack described in
https://petsymposium.org/2018/files/papers/issue2/popets-2018-0011.pdf we
need a way to determine if a stream id is invalid.
Many clients (particularly Firefox) will hang up on streams that still
have data in flight. In this case, Tor clients send RELAY_COMMAND_END when
they are done with a stream, and immediately remove that stream ID from
their valid stream mapping. The remaining application data continues to
arrive, but is silently dropped by the Tor client. The result is that this
ignored stream data currently can't be distinguished from injected dummy
traffic with completely random stream IDs, and this fact can be used to
mount side channel attacks.
A similar situation exists for spurious RELAY_ENDs.
This isn't a full fix, because malicious relays can withhold the ack, but
having it in place would simplify a lot of the code for dealing with
unexpected packets.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25573>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list