[tor-commits] [tor-browser-spec/master] Add selfsigned-user-safety proposal as 103

gk at torproject.org gk at torproject.org
Mon Apr 8 08:00:35 UTC 2019 

commit aa4789f02be3a60c9288a00d42e32fc153c22f98
Author: Georg Koppen <gk at torproject.org>
Date:   Mon Apr 8 07:30:47 2019 +0000

    Add selfsigned-user-safety proposal as 103
---
 proposals/103-selfsigned-user-safety.txt | 111 +++++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)

diff --git a/proposals/103-selfsigned-user-safety.txt b/proposals/103-selfsigned-user-safety.txt
new file mode 100644
index 0000000..35de1c8
--- /dev/null
+++ b/proposals/103-selfsigned-user-safety.txt
@@ -0,0 +1,111 @@
+Filename: 103-selfsigned-user-safety.txt
+Title: Protecting Against Malicious Exit Nodes Performing TLS Interception
+Author: Tom Ritter
+Created: 06-Mar-2019
+Status: Open
+
+1. Motivation
+
+  Sometimes, exit nodes are malicious and perform TLS interception using self-
+  signed or otherwise invalid TLS certificates. Tor Project and volunteers
+  scan and report malicious exit relays where-upon they are given the BadExit
+  flag.
+
+  In the period of time between the nodes being identified and being
+  blocklisted, users are put at risk from these nodes.
+
+2. Proposal
+
+2.1. Classifying TLS Certificate Errors
+
+  First we classify TLS Certificate Errors into two categories. We will use
+  these classifications later.
+
+  Class 1: Suspicious Certificate Errors
+
+   - A self-signed certificate
+   - A certificate signed by a Trust Anchor but for a different hostname
+   - A certificate that appears to be signed by a Trust Anchor, but is
+     missing an intermediate allowing a full path to be built
+
+  Class 2: Unsuspicious Certificate Errors
+
+   - An expired certificate signed by a Trust Anchor
+   - A certificate that requires an OCSP staple, but the staple is not
+     present
+
+2.2. Browser Logic
+
+  If the browser encounters an invalid TLS certificate when connecting to a
+  hostname, and the type of invalidness is a Suspicious Certificate Error,
+  the browser will not _immediately_ allow the user to bypass the error and
+  add an exception.
+
+  Instead it will create a new circuit through a new exit node (making sure
+  to check the Family of the nodes), begin a TLS handshake, and obtain the
+  certificate offered.
+
+  If the certificate is the same as the one offered through the initial
+  circuit, the user is allowed to add an exception and continue. If the
+  certificate is different, the user is not allowed to bypass the error.
+
+2.3. Optional Extension
+
+  If a certificate mismatch occurs, the browser could prompt the user to
+  send a report to Tor Project.
+
+  The simple version of this feature could open an email message with
+  details prepopulated and addressed to badrelays at .
+
+  The more advanced version could submit the information to an onion
+  service operated by Tor Project. On the backend, we could build an
+  automatic verification process as well.
+
+  The details would include the hostname visited, time, exit nodes, and
+  certificates received over which exit nodes.
+
+3. False Positives
+
+  It is possible, although I suspect uncommon, that a server may have
+  geographic or other load balancing that presents different self-signed
+  certificates to different exit nodes.
+
+  If we receive reports of such occurances, we could either relax protects
+  for such domains we hardcode into the browser, or perform the new-circuit
+  verification choosing an exit node in the same country.
+
+4. User Interface/Experience
+
+  While the certificate is being verified over another circuit, it would be
+  best to provide feedback to the user.
+
+  a. The button can appear disabled and say something like
+     'Pending (Verifying Certificate)'
+  b. A small progress bar can appear under the button that tracks the progress
+     of creating and extending the circuit, sending the request and getting
+     the reply.
+  c. A small 'Retry' underlined, clickable link could sit by the progress
+     bar to retry the circuit in case it gets stalled.
+
+  If the certificate comes back and is a mismatch, we could replace the entire
+  error page with more information, including a cloudflare-style diagram[0] showing
+  the malicious exit node, and prompting the user to submit the information.
+
+  If the certificate comes back with a match, we could add some text noting that
+  some amount of verification has been performed. However it seems bad to
+  automatically accept the certificate or relax the warning too much, since it
+  is still possible a TLS attack is occuring (just not inside the Tor network.)
+  Alternately, we could not change the warning page at all.
+
+5. Concerns
+
+  An exit node who observes an aborted TLS handshake will learn that a user
+  encountered a self-signed certificate error for this server on another circuit.
+  What would this tell them? It leaks a user's browsing activity. It also leaks
+  the prescence of a malicious exit node on the network (assuming the exit node
+  observes a valid TLS certificate.)
+
+  Exit nodes who lie about their family have a chance to successfully attack the
+  user.
+
+  [0] https://external-preview.redd.it/S65-yhtC6IAqpzS6AMhMnrrFwvtyRA6WjuM_hQpJLg0.png?auto=webp&s=285e86af8e638df6ecc143a52af024f006389151

More information about the tor-commits mailing list