[tor-dev] Much-revised draft, RFC: removing current obsolete clients from the network

Nick Mathewson nickm at alum.mit.edu
Fri Feb 12 00:45:08 UTC 2016


On Sun, Jan 17, 2016 at 12:32 PM, Spencer <spencerone at openmailbox.org> wrote:
> Hi,
>
>>>
>>> Nick Mathewson:
>>> [This is a significantly revised version of the last
>>> version of this proposal draft, sent here for comment.]
>>>
>
> Questions?
>
>>>
>>> The last version of this draft was
>>> https://lists.torproject.org/pipermail/tor-dev/2015-September/009587.html
>>>
>
> I asked some questions to this draft [0] that you may have forgotten to
> answer that still seem relevant; I have sniped them here.

Hi, Spencer!  Indeed, these are relevant, and since the discussion
meeting for the latest incarnation of these proposals is soon (see
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/MeetingSchedule
) I should try to clarify!

However, a bunch of your questions don't seem to apply to proposal 266.

>>>>
>>>> Nick Mathewson:
>>>> Draft proposal -- no number yet: How to safely drop
>>>> support for old clients.
>>>>
>
> I had made an observation about the title's "fluffy and not reflective of
> the proposal" nature and offered some options but I feel now like the
> current title still isn't as clear as it is intended to be.
>
> 'Current' suggests there are past or future clients that are being
> overlooked.
>
> 'Obsolete' suggests that the clients are no longer used or have fallen into
> disuse, which is quite a presumption given the encouragement behind
> "upgrading" that kinda forces people to show up as
> current-clients-in-the-wild data points.
>
> I still recommend:
>   - How to depreciate support for old clients
>
> Though 'Network' is a valuable descriptor (:

I've tried to split the first version of the proposal into 2.

Section 4 of Proposal 264, "Putting version numbers on the Tor
subprotocols" might also be called "How we can make clients that
follow this proposal stop connecting to the network."

Proposal 266 might be called "How to make clients that exist today
stop connecting to the Tor network."

>>>>
>>>> Frequently, we find that very old versions of Tor
>>>> should no longer be supported on the network.
>>>>
>
> Where can we find research on the impact?

I'm not aware of anything published.  There are a few important
reasons why very old clients shouldn't be supported.

  1) A non-updated Tor is insecure. Nobody backports bugfixes back to
0.2.0, for example.

  2) For some old versions, the bulk of deployed versions appear to be
one or more defunct botnets; have a look around tor-dev around 2 years
ago for threads about dealing with said botnets.

  3) Some TLS protocol features used in very old Tor versions (such as
SSL renegotiation and tricky games with the ciphersuites listed in the
ClientHello), force us to tie our implementation to OpenSSL and its
close derivatives, and make our code significantly harder to maintain
securely so long as they remain.


>>>> Disabling all versions that don't support this proposal
>>>>
>
> With all due respect, doesn't Microsoft do stuff like this?  Is the impact
> so large that they require this level of action?

Yes, the impact is so large it requires this level of action.

Microsoft, on the other hand, has millions of Windows XP clients still
running today, making the internet less secure.

(Also, the actual content of the proposal is far milder than this heading
makes it sound. My goal with proposal 266 is to work under the
assumption that every current Tor MAY eventually prove so broken it
needs to go away; not to take as a given that (eg) 0.2.7 will
eventually need to get deprecated this hard.)



>>>> if we want to disable all Tor versions before today
>>>> that do not support this proposal.
>>>>
>
> Is the proposal for 5 years in the past, pre this version, or can/will the
> cutoff be specified willy-nilly?

See above; proposal 266 attempts to describe a way to disable all
clients that do not support proposals 264 and 266.  The extent to
which this will ever be necessary, or the time at which any of this
will be necessary, is unknown.

To do this would require the cooperation of a majority of directory authorities.

And I'm not planning to advocate that anything be deprecated without
good reason.


Right now, for example, I think we should stop 0.2.3 and earlier from
using Tor: their use of RSA1024 / DH1024 makes their security quite
questionable, and the zombie vestigial botnet on 0.2.2, even though
it's slowly decaying, is doing nobody any favors.

I'd suggest that everybody actually _running_ a client or server
should really be on 0.2.6 or later, but I'm not aware of any current
need to kick 0.2.4 or 0.2.5 off the network.

hth,
-- 
Nick

