[tor-dev] Tor proposals implemented in Tor 0.2.3.x

Nick Mathewson nickm at freehaven.net
Mon Jun 18 21:24:41 UTC 2012


Hi, all!

Since 0.2.3 just entered beta (and will be in release-candidate status
soon if I have anything to say about it!) I wanted to put out a
summary of the Tor proposals that got merged, to the best of my
knowledge, in the Tor 0.2.3.x series.

My next email will summarize still-open proposals.

(Note on credits: I'm copying the listed credits from the proposals,
their acknowledgments sections, and my incredibly lossy memory.  But
in every case, these designs were improved enormously through
feedback from the entire Tor community, including some design
stalwarts who take the time to give feedback on nearly all the
proposals they see. Thanks to everyone, and apologies to everybody
whom I'm forgetting here.)

IMPLEMENTED IN 0.2.3.x

   110  Avoiding infinite length circuits

     We started this one a while ago back in 0.2.1.3-alpha.  It
     provides a mechanism to try to limit the resource-multiplier that
     a DOS attacker can get against the Tor network by building very
     long circuits, by limiting the maximum circuit length.  We
     had clients implement the new behavior in 0.2.1.3-alpha, and
     fixed some bugs related to it in the 0.2.2.x series.  It's only
     now that all of the older versions that don't support it are
     obsolete that we can actually turn on the attack prevention.

     (Proposal by Roger Dingledine based on ideas by Christian Grothoff.)

   158  Clients download consensus + microdescriptors
   162  Publish the consensus in multiple flavors

     In the "Microdescriptors" design, clients download a summary of
     router descriptors rather than the entire set of signed router
     descriptors.  This can save a large amount of directory
     bandwidth -- both because microdescriptors are smaller than
     router descriptors, and because they're designed to change much
     less frequently.

     Rather than being signed by the routers themselves,
     microdescriptors are listed by their digests in a consensus
     document signed by a threshold of directory authorities.  (This
     change doesn't change the threat model, since a successful
     attack against either system requires an adversary who can subvert
     a majority of directory authorities.)

     We anticipate that we might want to serve the consensus in more
     than one format in the future, so proposal 162 introduces a
     notion of "consensus flavors" such that every consensus
     vote produces a signed consensus in all the formats, caches
     cache all the formats, and clients download only those they
     need.

     (Proposal 158 by Roger Dingledine, revised a bunch by Nick
     Mathewson. Proposal 162 by Nick Mathewson, influenced by design
     discussions with Marian on IRC.)

   180  Pluggable transports for circumvention

     We introduce "Pluggable transports": a specified way for Tor
     bridges and Tor bridge users to configure external programs to
     obfuscate or re-route traffic to avoid censorship.

     This is a pretty big deal: it's what lets Tor integrate well
     with Obfsproxy and similar tools.  As we've hoped, having a
     specified way to integrate with Tor has encouraged others to
     work on obfuscation tools.  Having it ready to go has helped us
     deal with unexpected censorship events over the past year, and
     we think that having a couple of other obfuscators up our
     sleeve will help more in the future.

     (Proposal by Jacob Appelbaum and Nick Mathewson, with heavy
     revisions based on George Kadianakis's experience implementing
     it.)

   171  Separate streams across circuits by connection metadata

     Here's a big security improvement.

     In earlier versions of Tor, there wasn't a good way to force
     streams onto separate circuits.  This could make for trouble,
     since all streams sent over the same circuit are definitively
     linkable by the exit node, and probabilistically linkable by
     the destinations. (For example, if you make a connection to an
     SSH host and log into a website over the same circuit, the exit
     node can learn that the same person has accounts both at the
     SSH host and the website.  If the SSH host and website are
     colluding, then over time, they can become certain which
     account on the SSH host corresponds with which activities on
     the website.)

     Starting with Tor 0.2.3, we provide a number of ways for users
     and integrators to tell Tor not to put the two streams on the
     same circuit.  By default, two streams won't go on the same
     circuit if they arrive at different Tor client ports (one goes
     to SOCKSPort 9050 and one goes to SOCKSPort 9051); or if they
     come from different client addresses (one came from 127.0.0.1,
     the other from 10.0.10.10); or if they provide different
     username/password information in their SOCKS handshakes.
     Additionally, you can configure Tor to isolate connections by
     destination address, destination port, and chosen client
     protocol.  See the manual page for SOCKSPort for more
     information.

     (Proposal by Robert Hogan, Jacob Appelbaum, Damon McCoy, and
     Nick Mathewson, based on ideas from a whole bunch of people.)

   174  Optimistic Data for Tor: Server Side
   181  Optimistic Data for Tor: Client Side

     This one is a performance hack that hasn't seen its full impact
     yet.  Starting with Tor 0.2.3.x, clients MAY send data to the
     exit node before finding out whether the exit has been able to
     successfully connect to the destination server.  Previously, it
     took an extra round trip for clients to wait to see whether the
     exit said "Yes, I'm connected" before they were allowed to send
     data for the exit.

     This should make connection startup faster in many protocols
     where the client speaks first (http, https), as more and more
     client programs gain support for it.

     (Proposal by Ian Goldberg.)

   176  Proposed version-3 link handshake for Tor
   184  Miscellaneous changes for a v3 Tor link protocol
   187  Reserve a cell type to allow client authorization

     Here's the crypto-heavy one for 0.2.3.  In earlier Tors, we
     used two different link protocol variants to get the TLS
     authentication we wanted without being too fingerprintable.  In
     Tor before 0.2.0, we used a "v1" link protocol, where both
     sides swapped pretty stereotyped certificate chains in the
     initial handshake, and were as fingerprintable as all
     get-out. From 0.2.0 through 0.2.2, we've been using a "v2" link
     protocol, where the connection initiator launched a
     renegotiation immediately upon making a successful connection.
     But as anybody who's used TLS renegotiations knows, they are a
     pain to work with.  Moreover, their presence on the wire is
     visible, and provides another fingerprint for Tor connections.

     With the new "v3" link protocol, clients perform an initial TLS
     handshake, and then use that handshake to bootstrap the trust
     and authentication they wanted in a less fragile, less
     fingerprintable manner.

     Proposal 184 made variable-length cells more practical, and
     added a variable-length padding type.

     Since proposal 176 introduced a requirement that no extraneous
     cells be sent during the handshake, proposal 187 reserves an
     extra cell type for future use in pre-handshake authentication.

     (Proposal 176 by Nick Mathewson, based on an earlier idea by
     Steven Murdoch, with feedback from Gladys Shufflebottom.
     Proposal 184 by Nick Mathewson. Proposal 187 by Nick Mathewson
     based on/influenced by discussions with George Kadianakis and
     Robert Ransom.)


   178  Require majority of authorities to vote for consensus parameters

     This one makes us more robust against a rogue directory
     authority.  Previously, a misbehaving authority could set an
     integer parameter unilaterally, so long as it was the first to
     hear of that parameter, or the only one to have an opinion.
     With this proposal implemented, a larger number of authorities
     must want to vote on a consensus parameter for any vote on that
     parameter to take place.

     (Proposal by Sebastian Hahn.)

   179  TLS certificate and parameter normalization

     This proposal made a bunch of small but important tweaks to try
     to emit more normal-looking TLS certificates, to help prevent
     certificate-based fingerprinting.  It didn't all get
     implemented and stable in time for 0.2.3.x; the remainder is
     now proposal 195.

     (Proposal by Jacob Appelbaum and Gladys Shufflebottom.)

   183  Refill Intervals

     Tor uses a token-bucket implementation for its rate-limiting
     strategy.  Previously, Tor refilled these token buckets once
     per second.  But this approach seems to have led to choppy
     behavior, where we exhaust our bandwidth early in the second,
     and spend the rest of the second sitting around.  The new
     default is 100 msec, but now it's configurable.

     (Proposal by Florian Tschorsch and Bjorn Scheuermann.)


PARTIALLY IMPLEMENTED IN 0.2.3.x

   186  Multiple addresses for one OR or bridge

     We've implemented this to the extent of letting a bridge have a
     single IPv6 address.  Supporting this for regular relays will
     need to wait for 0.2.4.x.  We're still deciding on whether it's
     worthwhile to allow more than one IPv4 and one IPv6 address.

     (Proposal by Nick Mathewson, revised based on extensive feedback
     by Roger Dingledine and Linus Nordberg.)

   198  Restore semantics of TLS ClientHello

     In an attempt to impersonate Firefox clients under the eyes of
     watchful censors, earlier versions of Tor would sometimes claim
     to support TLS ciphersuites that they didn't.  This would cause
     trouble if we ever wanted to negotiate a cipher other than
     those which we happen to know that all Tor clients support,
     since we can't count on the TLS ClientHello actually telling
     which ciphers are supported.

     This proposal provides us with a backward compatible way to
     migrate ciphersuite lists, emulate new browser fingerprints,
     and actually use ciphersuites that didn't exist in 2005.

     The client side of this proposal is implemented in 0.2.3; the
     server side will have to wait for 0.2.4.

     (Proposal by Nick Mathewson.)
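
Added example, not part of the original post and not Tor's own code: a simplified Python model of the proposal 171 rules described above, showing which streams an exit node could link under the default isolation fields and under the opt-in ones. The `Stream` type, field names, function names and sample hosts are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Stream:
    name: str
    listener_port: int   # Tor client port the stream arrived on, e.g. 9050
    client_addr: str     # address the application connected from
    socks_auth: tuple    # (username, password) from the SOCKS handshake
    dest_addr: str
    dest_port: int
    protocol: str        # client protocol, e.g. "socks5"

# Fields the post says separate streams by default, and the opt-in ones.
DEFAULT_FIELDS = ("listener_port", "client_addr", "socks_auth")
OPTIONAL_FIELDS = ("dest_addr", "dest_port", "protocol")

def isolation_key(stream, extra=()):
    """Tuple of the values that must all match for two streams to share a circuit."""
    unknown = set(extra) - set(OPTIONAL_FIELDS)
    if unknown:
        raise ValueError(f"not an opt-in isolation field: {sorted(unknown)}")
    return tuple(getattr(stream, f) for f in DEFAULT_FIELDS + tuple(extra))

def assign_circuits(streams, extra=()):
    """Group stream names; two streams share a circuit only if their keys match."""
    circuits = {}
    for s in streams:
        circuits.setdefault(isolation_key(s, extra), []).append(s.name)
    return list(circuits.values())

def exit_linkable_pairs(streams, extra=()):
    """Pairs of streams an exit node can link because they ride the same circuit."""
    pairs = set()
    for members in assign_circuits(streams, extra):
        pairs.update(combinations(sorted(members), 2))
    return pairs

# Constructed sample: one user's SSH login, web login, a second browser
# profile using different SOCKS credentials, and a mail client on another port.
NO_AUTH = ("", "")
SAMPLE = [
    Stream("ssh", 9050, "127.0.0.1", NO_AUTH, "ssh.example.net", 22, "socks5"),
    Stream("web", 9050, "127.0.0.1", NO_AUTH, "www.example.com", 443, "socks5"),
    Stream("web-alt", 9050, "127.0.0.1", ("profile2", "x"), "www.example.com", 443, "socks5"),
    Stream("mail", 9051, "127.0.0.1", NO_AUTH, "mail.example.org", 993, "socks5"),
]

if __name__ == "__main__":
    print("default rules:", exit_linkable_pairs(SAMPLE))
    print("plus dest_addr:", exit_linkable_pairs(SAMPLE, extra=("dest_addr",)))
```

Under the default fields the SSH and web streams still share a circuit, which is the linkage the post's example warns about; adding destination-address isolation, or giving each application its own port or SOCKS credentials, separates them.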
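
Added example, not part of the original post and not Tor's own code: a small Python simulation of the token-bucket behavior described under proposal 183, comparing a 1000 msec refill interval with the new 100 msec default. The rate, link speed, 1 msec tick and the rule that the burst size equals one refill are assumptions chosen for illustration.

```python
def simulate(rate_bytes_per_sec, refill_ms, link_bytes_per_ms, duration_ms):
    """Return (bytes_sent, longest_idle_ms) for a sender that always has data queued."""
    per_refill = rate_bytes_per_sec * refill_ms // 1000
    bucket = sent = idle_run = longest_idle = 0
    for t in range(duration_ms):          # one iteration per millisecond
        if t % refill_ms == 0:
            # Assumption: burst size equals one refill, so tokens do not pile up.
            bucket = min(bucket + per_refill, per_refill)
        n = min(bucket, link_bytes_per_ms)  # the link drains tokens at line speed
        bucket -= n
        sent += n
        if n == 0:
            idle_run += 1
            longest_idle = max(longest_idle, idle_run)
        else:
            idle_run = 0
    return sent, longest_idle

def compare(rate=100_000, link=1_000, duration_ms=3_000):
    """Same rate limit, two refill intervals: throughput matches, stalls differ."""
    return {ms: simulate(rate, ms, link, duration_ms) for ms in (1000, 100)}

if __name__ == "__main__":
    for interval, (sent, idle) in compare().items():
        print(f"refill every {interval} ms: sent {sent} bytes, "
              f"longest stall {idle} ms")
```

Both intervals deliver the same number of bytes over three seconds, but the once-per-second refill spends its allowance in the first 100 msec and then stalls for 900 msec, while the 100 msec refill never stalls for more than 90 msec.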

