[tor-bugs] #29583 [Core Tor/Tor]: HSv3: Faulty cross-certs in introduction point keys (allows naive onionbalance for v3s)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 26 14:55:14 UTC 2019
#29583: HSv3: Faulty cross-certs in introduction point keys (allows naive
onionbalance for v3s)
-----------------------------------------+---------------------------------
 Reporter:  asn                          |          Owner:  (none)
     Type:  defect                       |         Status:  new
 Priority:  Medium                       |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor                 |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  tor-hs scaling onionbalance  |  Actual Points:
Parent ID:  #26768                       |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+---------------------------------

Comment (by nickm):

 If we do decide to fix this (and I think we should), I think we'll need a
 multistep process. Something like this:

  1. Begin including the correct versions of these certificates. Continue
     including the current (incorrect) versions so as not to break existing
     clients, but mark them with an extension to indicate that you should
     only accept them when the correct certificates are present too.
  2. Check the new (correct certificates) when they are present.
  3. Stop including the old (incorrect) certificates.

 For step 1 and step 2, we'll probably want to use a consensus-triggered
 feature to avoid fingerprinting. We can't do step 3 until 2022, when
 support for 0.3.5.x ends, unless we decide to backport this or something,
 which would be ... questionable.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29583#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
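
The acceptance rules implied by the three steps in the comment above, modelled as an added example (not code from the ticket or from Tor). The `needs_correct` marker, the `consensus_on` switch, the boolean `valid` field standing in for real signature verification, and the rule that every present certificate must verify are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    valid: bool                   # modelled result of signature verification
    needs_correct: bool = False   # hypothetical marker extension from step 1

@dataclass(frozen=True)
class IntroPoint:
    legacy: Optional[Cert]        # current (incorrect) certificate
    correct: Optional[Cert]       # new (correct) certificate

def old_client_accepts(ip: IntroPoint) -> bool:
    """Existing client: checks only the legacy cert, ignores the marker."""
    return ip.legacy is not None and ip.legacy.valid

def new_client_accepts(ip: IntroPoint, consensus_on: bool) -> bool:
    """Step-2 client; consensus_on models the consensus-triggered feature."""
    if not consensus_on:
        return old_client_accepts(ip)   # behave like every other client
    if ip.correct is not None:
        # Assumption: every certificate that is present must verify.
        legacy_ok = ip.legacy is None or ip.legacy.valid
        return ip.correct.valid and legacy_ok
    # No correct cert: a marked legacy cert must not be accepted alone.
    return (ip.legacy is not None and ip.legacy.valid
            and not ip.legacy.needs_correct)

# Constructed descriptors, one per rollout stage plus two failure cases.
SAMPLES = {
    "today": IntroPoint(Cert(True), None),
    "step1": IntroPoint(Cert(True, True), Cert(True)),
    "step1_correct_missing": IntroPoint(Cert(True, True), None),
    "step1_correct_invalid": IntroPoint(Cert(True, True), Cert(False)),
    "step3": IntroPoint(None, Cert(True)),
}

def compatibility_matrix() -> dict:
    """Map sample name -> (old client accepts, new client accepts)."""
    return {name: (old_client_accepts(ip), new_client_accepts(ip, True))
            for name, ip in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in compatibility_matrix().items():
        print(f"{name:24} old={old!s:5} new={new}")
```

The `step3` row is the one that breaks existing clients, which is why the comment ties step 3 to the end of 0.3.5.x support.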