[tor-dev] Different trust levels using single client instance

teor teor2345 at gmail.com
Sat Nov 5 00:36:24 UTC 2016

> On 5 Nov. 2016, at 11:26, Patrick Schleizer <patrick-mailinglists at whonix.org> wrote:
> Thank you for your answers!
> teor:
>> * Caching of DNS, HS descriptors, preemptive circuits, etc. 
> Can you please elaborate on 'etc.'?
> I am asking because stream isolation for DNS already has a ticket:
> https://trac.torproject.org/projects/tor/ticket/20555
> HS cache isolation also has a ticket:
> https://trac.torproject.org/projects/tor/ticket/15938
> Looks like preemptive circuits isolation does not have a ticket yet.

Preemptive circuits aren't a caching mechanism, and can't really be
isolated in the way you think - circuits are isolated by existing
mechanisms, but this is likely not enough to defend against hostile
clients sharing an instance.

Isolation is a defence against the remote end, not the client end.

> If you could please elaborate on 'etc.' we might be able to complete the
> stack of missing tickets.

Circuit cannibalisation (yet another thing that can't be isolated)

SSL state
Guard state

Consensus availability and content
Descriptor availability and content

Connectivity (or lack thereof)

ControlPort config information
ControlPort config changes

And many more.

The supported way to isolate many of these things is to run a separate
Tor instance, preferably on a separate machine on a separate network.
We don't even recommend running a SOCKS client and a hidden service
on the same instance.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
xmpp: teor at torproject dot org

More information about the tor-dev mailing list