[tor-dev] Tor proposals implemented in Tor 0.2.3.x
nickm at freehaven.net
Mon Jun 18 21:24:41 UTC 2012
Since 0.2.3 just entered beta (and will be in release-candidate status
soon if I have anything to say about it!) I wanted to put out a
summary of the Tor proposals that got merged, to the best of my
knowledge, in the Tor 0.2.3.x series.
My next email will summarize still-open proposals.
(Note on credits: I'm copying the listed credits from the proposals,
their acknowledgments sections, and my incredibly lossy memory. But
in every case, these designs were improved enormously through
feedback from the entire Tor community, including some design
stalwarts who take the time to give feedback on all nearly all the
proposals they see. Thanks to everyone, and apologies to everybody
whom I'm forgetting here.)
IMPLEMENTED IN 0.2.3.x
110 Avoiding infinite length circuits
We started this one a while ago back in 0.2.1.3-alpha. It
provides a mechanism to try to limit the resource-multiplier that
a DOS attacker can get against the Tor network by building very
long circuits, by limiting the maximum circuit length. We
had clients implement the new behavior in 0.2.1.3-alpha, and
fixed some bugs related to it in the 0.2.2.x series. It's only
now that all of the older versions that don't support it are
obsolete that we can actually turn on the attack prevention.
(Proposal by Roger Dingledine based on ideas by Christian Grothoff.)
158 Clients download consensus + microdescriptors
162 Publish the consensus in multiple flavors
In the "Microdescriptors" design, clients download a summary of
router descriptors rather than the entire set of signed router
descriptors. This can save a large amount of directory
bandwidth -- both because microdescriptors are smaller than
router descriptors, and because they're designed to change much
Rather than being signed by the routers themselves,
microdescriptors are listed by their digests in a consensus
document signed by a threshold of directory authorities. (This
change doesn't change the threat model, since a successful
attack against either system requires adversary who can subvert
a majority of directory authorities.)
We anticipate that we might want to serve the consensus in more
than one format in the future, so proposal 162 introduces a
notion of "consensus flavors" such that any every consensus
vote produces a signed consensus in all the formats, caches
cache all the formats, and clients download only those they
(Proposal 158 by Roger Dingledine, revised a bunch by Nick
Mathewson. Proposal 162 by Nick Mathewson, influenced by design
discussions with Marian on IRC.)
180 Pluggable transports for circumvention
We introduce "Pluggable transports": a specified way for Tor
bridges and Tor bridge users to configure external programs to
obfuscate or re-route traffic to avoid censorship.
This is a pretty big deal: it's what lets Tor integrate will
with Obfsproxy and similar tools. As we've hoped, having a
specified way to integrate with Tor has encouraged others to
work on obfuscation tools. Having it ready to go has helped us
deal with unexpected censorship events over the past year, and
we think that having a couple of other obfuscators up our
sleeve will help more in the future.
(Proposal by Jacob Appelbaum and Nick Mathewson, with heavy
revisions based on George Kadianakis's experience implementing
171 Separate streams across circuits by connection metadata
Here's a big security improvement.
In earlier versions of Tor, there wasn't a good way to force
streams onto separate circuits. This could make for trouble,
since all streams sent over the same circuit are definitively
linkable by the exit node, and probabilistically linkable by
the destinations. (For example, if you make a connection to an
SSH host and log into a website over the same circuit, the exit
node can learn that the same person has accounts both at the
SSH host and the website. If the SSH host and website are
colluding, then over time, they can become certain which
account on the SSH host corresponds with which activities on
Starting with Tor 0.2.3, we provide a number of ways for users
and integrators to tell Tor not to put the two streams on the
same circuit. By default, two streams won't go on the same
circuit if they arrive at different Tor client ports (one goes
to SOCKSPort 9050 and one goes to SOCKSPort 9051); or if they
come from different client addresses (one came from 127.0.0.1,
the other from 10.0.10.10); or if they provide different
username/password information in their SOCKS handshakes.
Additionally, you can configure Tor to isolate connections by
destination address, destination port, and chosen client
protocol. See the manual page for SOCKSPort for more
(Proposal by Robert Hogan, Jacob Appelbaum, Damon McCoy, and
Nick Mathewson, based on ideas from a whole bunch of people.)
174 Optimistic Data for Tor: Server Side
181 Optimistic Data for Tor: Client Side
This one is a performance hack that hasn't seen its full impact
yet. Starting with Tor 0.2.3.x, clients MAY send data to the
exit node before finding out whether the exit has been able to
successfully connect to the destination server. Previously, it
took an extra round trip for clients to wait to see whether the
exit said "Yes, I'm connected" before they were allowed to send
data for the exit.
This should make connection startup faster in many protocols
where the client speaks first (http, https), as more and more
client programs gain support for it.
(Proposal by Ian Goldberg.)
176 Proposed version-3 link handshake for Tor
184 Miscellaneous changes for a v3 Tor link protocol
187 Reserve a cell type to allow client authorization
Here's the crypto-heavy one for 0.2.3. In earlier Tors, we
used two different link protocol variants to get the TLS
authentication we wanted without being too fingerprintable. In
Tor before 0.2.0, we used a "v1" link protocol, where both
sides swapped pretty stereotyped certificate chains in the
initial handshake, and were as fingerprintable as all
get-out. From 0.2.0 through 0.2.2, we've been using a "v2" link
protocol, where the connection initiator launched a
renegotiation immediately upon making a successful connection.
But as anybody who's used TLS renegotiations knows, they are a
pain to work with. Moreover, their presence on the wire is
visible, and provides another fingerprint for Tor connections.
With the new "v3" link protocol, clients perform an initial TLS
handshake, and then use that handshake to bootstrap the trust
and authentication they wanted in a less fragile, less
Proposal 184 made variable-length cells more pratical, and
added a variable-length padding type.
Since proposal 176 introduced a requirement that no extraneous
cells be sent during the handshake, proposal 187 reserves an
extra cell type for future use in pre-handshake authentication.
(Proposal 176 by Nick Mathewson, based on an earlier idea by
Steven Murdoch, with feedback from Gladys Shufflebottom.
Proposal 184 by Nick Mathewson. Proposal 187 by Nick Mathewson
based on/influenced by discussions with George Kadianakis and
178 Require majority of authorities to vote for consensus parameters
This one makes us more robust against a rogue directory
authority. Previously, a misbehaving authority could set an
integer parameter unilaterally, so long as it was the first to
hear of that parameter, or the only one to have an opinion.
With this proposal implemented, a larger number of authorities
must want to vote on a consensus parameter for any vote on that
parameter to take place.
(Proposal by Sebastian Hahn.)
179 TLS certificate and parameter normalization
This proposal made a bunch of small but important tweaks to try
to emit more normal-looking TLS certificates, to help prevent
certificate-based fingerprinting. It didn't all get
implemented and stable in time for 0.2.3.x; the remainder is
now proposal 195.
(Proposal by Jacob Appelbaum and Gladys Shufflebottom.)
183 Refill Intervals
Tor uses a token-bucket implementation for its rate- limiting
strategy. Previously, Tor refilled these token buckets once
per second. But this approach seems to have led to choppy
behavior, where we exhaust our bandwidth early in the second,
and spend the rest of the second sitting around. The new
default is 100 msec, but now it's configurable.
(Proposal by Florian Tschorsch and Bjorn Scheuermann.)
PARTIALLY IMPLEMENTED IN 0.2.3.x
186 Multiple addresses for one OR or bridge
We've implemented this to the extent of letting a bridge have a
single IPv6 address. Supporting this for regular relays will
need to wait for 0.2.4.x. We're still deciding on whether it's
worthwhile to allow more than one IPv4 and one IPv6 address.
(Proposal by Nick Mathewson, revised based on extensive feeback
by Roger Dingledine and Linus Nordberg.)
198 Restore semantics of TLS ClientHello
In an attempt to impersonate Firefox clients under the eyes of
watchful censors, earlier versions of Tor would sometimes claim
to support TLS ciphersuites that they didn't. This would cause
trouble if we ever wanted to negotiate a cipher other than
those which we happen to know that all Tor clients support,
since we can't count on the TLS ClientHello actually telling
which ciphers are supported.
This proposal provides us with a backward compatible way to
migrate ciphersuite lists, emulate new browser fingerprints,
and actually use ciphersuites that didn't exist in 2005.
The client side of this proposal is implemented in 0.2.3; the
server side will have to wait for 0.2.4.
(Proposal by Nick Mathewson.)
More information about the tor-dev