[tor-dev] Proposal #291 Properties (was IRC meeting)

George Kadianakis desnacked at riseup.net
Thu May 3 11:14:02 UTC 2018 

Mike Perry <mikeperry at torproject.org> writes:

> Mike Perry:
>> teor:
>> > 
>> > 
>> > > On 25 Apr 2018, at 18:30, Mike Perry <mikeperry at torproject.org> wrote:
>> > > 
>> > > 1. Hidden service use can't push you over to an unused guard (at all).
>> > >  2. Hidden service use can't influence your choice of guard (at all).
>> > >  3. Exits and websites can't push you over to an unused guard (at all)
>> > >  4. DoS/Guard node downtime signals are rare (absent)
>> > >  5. Nodes are not reused for Guard and Exit positions ("any" positions)
>> > >  6. Information about the guard(s) does not leak to the website/RP (at all).
>> > >  7. Relays in the same family can't be forced to correlate Exit traffic.
>> > 
>> > I think this list is missing some important user-visible properties, or it's
>> > not clear which property above corresponds to these properties:
>> > 
>> > * Is Tor reliable and responsive when guards go down, or when I move
>> >   networks, or when I have lost and regained service?
>> 
>> I think this is implicitly provided by #4. Downtime is a security issue.
>> If (any of) a client Guard(s) are down, and the adversary can detect
>> this based on client behavior, well, that is a side channel signal that
>> provides information about the Guard. So by satisfying #4, we also
>> satisfy the weaker conditions of general reliability and responsiveness.
>>  
>> > I also think it's missing an implicit property, which we should make explicit:
>> > 
>> > * Can Tor users be fingerprinted by their set of guards or directory guards?
>> > 
>> > Perhaps this property is out of scope.
>> 
>> I think it is worth considering. We should add it if we need to do
>> another round of evaluation.
>
> Alright, for the sake of argument, let's call this Property #8:
>   8. Less information from guard fingerprinting (the least information)
>
> I argue that this #8 is also equivalent to a #9 that Roger would ask
> for:
>   9. Fewer points of observation into the network (the fewest points).
>

If we are actually aiming for 8 and 9 we need to do something about the
numdirguard=3 situation, otherwise we still have a huge guard fpr and we
still expose ourselves to more of the network even if we keep one guard.

> To avoid TL;DR, that argument is an exercise to the reader ;).
>
> Here is a proposal that beats my previous proposal on Property #8 and
> #9, while trying to preserve as many of the other properties as
> possible:
>
>  * Set "num primary guards"=1 and "num primary guards to use"=1
>  * Set "num directory guards"=1 and "num directory guards to use"=1
>  * Don't give Exit nodes the Guard flag.
>  * Allow "same node, same /16, same family" between guard and last hop,
>    but only for HS circuits (which are at least 4 hops).
>  * Allow same /16 and same family for HS circuits.

This's for all hops? So all service-side HS circ hops can share the same
family? I gues that's OK since we don't know what's happening on the
other side of the HS circuit anyhow? Or what?

>  * When a primary guard leaves the consensus, pick a new one.
>  * When a primary guard fails circuits, do $MAGIC_FAILURE_HEURISTIC.

What is the $MAGIC_FAILURE_HEURISTIC supposed to do? Also I doubt we can
do anything magic here, we even have trouble doing very naive stuff when
it comes to network-uptime response.

>
> This proposal gets strong:
>   1. Hidden service use can't push you over to an unused guard (at all).
>   2. Hidden service use can't influence your choice of guard (at all).
>   3. Exits and websites can't push you over to an unused guard (at all)
>   8. Less information from guard fingerprinting (the least information)
>
> It loses #4 (and your reliability point above), because if we transition
> to a second guard too quickly when the first one starts failing, then we
> lose the winning fingerprinting property we want to keep. So then
> therefore, we must tolerate failure and RESOURCELIMIT issues and suffer
> through connectivity issues during DoS:
>   4. DoS/Guard node downtime signals are rare (absent) 
>
> It then gets us regular:
>   5. Nodes are not reused for Guard and Exit positions ("any" positions)
>   6. Information about the guard(s) does not leak to the website/RP (at all).
>   7. Relays in the same family can't be forced to correlate Exit traffic.
>
> And again, we could get strong #6 if we allow the guard node for both RP
> and the node before the RP:
>   6. Information about the guard(s) does not leak to the website/RP (at all).
>
> So the key thing (in this property list) that forcing one guard causes us
> to lose is reliability under DoS, which is a guard discovery vector (and
> probably a source of other side channels, too).
>

More information about the tor-dev mailing list