[tor-bugs] #20212 [Core Tor/Tor]: Tor can be forced to open too many circuits by embedding .onion resources

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 27 08:10:02 UTC 2019


#20212: Tor can be forced to open too many circuits by embedding .onion resources
---------------------------------------------------------------------------
   Reporter:  gacar
      Owner:  tbb-team
       Type:  enhancement
     Status:  new
   Priority:  Medium
  Milestone:  Tor: 0.4.2.x-final
  Component:  Core Tor/Tor
    Version:
   Severity:  Normal
 Resolution:
   Keywords:  guard-discovery, TorBrowserTeam201803, 034-roadmap-proposed,
              security, tor-hs
  Parent ID:  #29995
     Points:  6
   Reviewer:
    Sponsor:  Sponsor27-must
---------------------------------------------------------------------------

Comment (by asn):

 Replying to [comment:22 teor]:
 > We might need some fixes in Tor, and some fixes in Tor Browser.
 >
 > If we make all (non-single onion service) clients rate-limit onion
 > circuits, then some applications may need to rate-limit individual tabs
 > (Tor Browser), contacts (Ricochet), or peers (Bitcoin).

 Yep. I was thinking that an initial MVP here could be to just improve the
 situation in Tor Browser for now. The benefit here is that we can gear the
 defence to just web users, so that we don't have to think about all the
 possible applications that use onions.

 Still, that seems pretty hard to do:

 Here is a version of the attack: The attacker makes 10k different onions
 with different traffic patterns. The attacker also sets up some middle
 nodes around the network. The attacker forces the victim to visit them (in
 a hidden iframe or through redirects or whatever), and then checks its
 middle nodes for the given traffic patterns. If we assume that the
 "confirm traffic patterns" step is instant and accurate, then an attacker
 that runs 5% of the middle node capacity can get a 50% chance of guard
 discovery after about 14 circuits (also see prop292 calculations)... So
 this looks pretty bad...

 The good part is that the attacker needs to persuade the victim to visit
 their website (not so hard), and also leave the tab open for as long as
 the attack needs to succeed.

 Still, it's hard to rate limit this sufficiently to block 5% adversaries
 without also blocking legitimate websites (especially if in the future
 onions become more prevalent and well connected)...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20212#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
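The "about 14 circuits" figure above follows from a simple model, and it is useful to see how it scales with the adversary's share and with a per-tab rate limit. The following is an added illustration written for this page; it is not part of the ticket, of prop292, or of Tor's code. It assumes that every circuit picks its middle relay independently, with probability equal to the adversary's fraction of middle-relay bandwidth, and that one matching circuit is enough to confirm the guard. The `circuits_per_hour` rate-limit parameter is a hypothetical knob used only to show how long a tab would have to stay open, not a setting Tor Browser has.

```python
import math


def discovery_probability(adversary_fraction: float, circuits: int) -> float:
    """Probability that at least one of `circuits` independently built
    circuits lands on an adversary-controlled middle relay.

    Model (assumption): each circuit selects its middle independently and
    the adversary's chance per circuit equals its share of middle bandwidth.
    """
    _check_fraction(adversary_fraction)
    if circuits < 0:
        raise ValueError("circuits must be non-negative")
    return 1.0 - (1.0 - adversary_fraction) ** circuits


def circuits_for_target(adversary_fraction: float, target: float = 0.5) -> int:
    """Smallest number of circuits after which the discovery probability
    reaches `target`.  For a 5% adversary and target 0.5 this is 14, the
    figure quoted in the ticket comment."""
    _check_fraction(adversary_fraction)
    _check_fraction(target)
    # Solve 1 - (1-f)^n >= target for n and round up to a whole circuit.
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - adversary_fraction))


def hours_to_target(adversary_fraction: float, circuits_per_hour: float,
                    target: float = 0.5) -> float:
    """Hypothetical rate-limit view: if a tab may open at most
    `circuits_per_hour` onion circuits, how long must the victim keep the
    page open before the adversary reaches `target` discovery probability."""
    if circuits_per_hour <= 0:
        raise ValueError("circuits_per_hour must be positive")
    return circuits_for_target(adversary_fraction, target) / circuits_per_hour


def _check_fraction(value: float) -> None:
    # Both the adversary share and the target must be strictly between 0 and 1,
    # otherwise the logarithms above are undefined or divide by zero.
    if not 0.0 < value < 1.0:
        raise ValueError("expected a fraction strictly between 0 and 1")


if __name__ == "__main__":
    # Constructed scenarios: adversary shares of middle bandwidth and a
    # hypothetical per-tab limit of 10 onion circuits per hour.
    for share in (0.01, 0.05, 0.10):
        n = circuits_for_target(share)
        print(f"{share:>5.0%} of middles: 50% discovery after {n:>3} circuits,"
              f" p after 14 circuits = {discovery_probability(share, 14):.3f},"
              f" {hours_to_target(share, 10):.1f} h at 10 circuits/h")
```

The point the numbers make is the one asn draws: a rate limit only stretches the attack out in time, so a limit loose enough for a legitimate onion-heavy page still lets a few-percent adversary reach even odds within a tab's normal lifetime.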