Tor bug?: AllowInvalidNodes

Nick Mathewson nickm at freehaven.net
Wed Aug 16 22:00:47 UTC 2006


On Wed, Aug 16, 2006 at 08:59:12PM +0000, crackedactor at supanet.com wrote:
> 
> On Wed, Aug 16, 2006  Nick Mathewson wrote:
 [...]
> >It works. It just doesn't mean what you thought.
> 
> You obviously didn't read Arrakistor 16 August 2006 00:44 Tor bug?:  AllowInvalidNodes
> 
> who wrote
> 
> "Roger, Nick, et al,
> 
> Tor *.23
> 
> AllowInvalidNodes seems to be having a problem. We've tried a few versions,
> including the deprecated AllowUnverifiedNodes to no avail. However the
> exit node of the circuit is still often invalid according to
> http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1

See Roger's message, which you quote below:

   > The exit.pl script that Geoff wrote and runs on Serifos uses the
   > phrase "not a valid Tor server" to mean "not a Tor server as far
   > as I know".

This is the serifos script that Roger is talking about.  It lists IP
addresses as "invalid" if they are not the IP of a tor server it
knows.  Some "valid" (according to the directory authorities) Tor
servers exit on IPs that are not the same as the IP they listen on.
This means that the IP they exit on will not appear on serifos's list
of valid nodes.

 [...]
> >> Now I find out that it was never intended to work and that it was
> >> never an  "AllowUnverifiedNodes" replacement.
> >
> >Sure it was.  "Unverified" and "Invalid" are the same concept:
> >'attested to as likely to be okay by the directory server.'  The only
> >thing that has changed is the name.
> >
> 
> Did you read Roger Dingledine 16 Aug 2006 13:42:17 -0400   Re: Tor bug?: AllowInvalidNodes
> 
> who wrote (short version):
> 
> "The fundamental confusion here is that the word 'invalid' means many
> things to many people, but it means pretty much nothing to Tor. The
> exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
> a valid Tor server" to mean "not a Tor server as far as I know". The
> word "valid" with respect to the AllowInvalidNodes config option is
> simply defined as "not manually designed by the directory authorities
> as invalid".
> 
> "
> 
> Are you arguing with this definition of INVALID as opposed to the
> original "Unverified" definition? Or are you now informing us that
> for some while now the term "unverified" has always been
> meaningless? If so, for how long has this been so?

Hm?  No, they both meant "attested to as likely to be ok".  In the old
days, directory authorities attested to servers as ok when their admins
told them to, and the admins told them to as they got mail claiming to
be from server admins.  We thought that this was a bad idea and
created a false sense of security.  Now, directory authorities attest
to servers as ok when the servers seem to be running, and the admins
have not told them to consider the servers suspicious.

The version 2 directory specification, which came into use during the Tor
0.1.1.x series, says:

    "Valid" -- a router is 'Valid' if it seems to have been running
    well for a while, and is running a version of Tor not known to be
    broken, and the directory authority has not blacklisted it as
    suspicious.

 [...]
> >Because "Verified" was a stupid name.  It implied that we had a good
> >way to go out and tell whether a node's operator was honest, upright,
> >and competent, and whether the node was physically secure and
> >non-eavesdropped.
> >
> It implied you at least knew who they said they were (not that you
> knew they were what they said).

Though that's what it meant in practice, that's not the interpretation
of "verified" that I'd have made.  Moreover, it's not IMO a useful
property to have.  Knowing who the adversary claims to be is only
effective against an adversary who can't or won't lie about who they
are.

 [...]
> >If you know a way to do this, please let us know.  We're all ears.
> >Please keep in mind that we haven't got much cash to do this with, and
> >what cash we do have, we'd rather spend on rent and food and
> >developing Tor.
>
> You poor penniless, overworked person. Why don't you ask all the
> VERIFIED TOR operators to VERIFY the new TOR operators, within say
> 50-100miles (100-200km) of them (or closest one).
>
> I'll do 100mile radius (UK) of Portsmouth UK - but only if you "verify" me.

It's not a bad idea.  Time permitting, a web-of-trust kind of system
might be neat to do.  Of course, we'd need to think about what effect
this will have on route-based partitioning, and on possibly
discouraging operators from running servers if they need to meet other
operators face-to-face to do so.  And how hard is it really to foil a
face-to-face meeting?  These are neat questions.

(Please forgive us if someday we eventually start doing this, and pick
trust seeds in the UK from among people we already know and trust.
I'm sure you would do the same.)

> >[...]
> >> If some "unverifiednode" exit server adversary has set themselves up
> >> in business of monitoring TOR users then isn't it because
> >> "AllowUnverifiedNodes" was removed (effectively).
> >
> >Right, you're confirming that we were right to change "Verified" to
> >"Valid".  Apparently, you *did* think that "verified" was a magicial
> >stamp of good intentions.
> >
> Well darling that is what it said... no?

Sorry, I don't think it ever said it was a magical stamp of good
intentions.  If we said that, that was a stupid thing for us to say,
and I'm glad we changed it.

> >[...]
> >> Personally, I think it's irrelevant today, that at one time persons
> >> had to be known personally to run a verified server. Quaint but
> >> irrelevant. But hey, I don't mind having someone round to my place
> >> from the UK to verify me. Why not have 3 levels of security - level
> >> 2 - Registered - just what we have now. Level 1 - Verified - visit
> >> their setup. Level 3 - unregistered & unverified. And give us a
> >> config statement to use these levels or not.
> >
> >Dude, we're not going to impose a worldwide server auditing system.
> >We're not going to visit server operators' houses.   Even if it did,
> >what would it prove?  Any organization could set up servers in a bunch
> >of its members' houses.  Are we supposed to do background checks?
> >
> Chikita, you really must put your thinking cap on and stop ignoring
> the obvious. I said..

ITYM "chiquita", but I am not a little girl.

> Level 2 - registered - eg those that register their server name,
> provide their real name and address. Do a web credit check - simple
> and cheap. Get them to donate a COUPLE OF DOLLARS FOR THAT. Just
> send them a registration code in the post to their credit card
> address - the one they donated with and the address they gave for
> it. Of course they can still forge this - but would they? With lots
> of servers?
>
> Level 1 - verified - eg a visit from a VERIFIED operator after
> provision (copies) of household bills, local tax statement, or
> identification of company or org if an org, isp verification. Once
> again, of course they can still forge this darling - but would they?
> With lots of servers?
>
> You could even sub-level the Levels with a safety value.

Wow.  In my opinion, this would be tons of effort, would not pay for
itself, would turn operators away, would create a risk of information
leakage leading to identity theft, and would still be easy for
governments and nefarious organizations to subvert.  (Your security
model above seems based on the idea that the attacker can do things,
but wouldn't think it was worth the resources.  I worry that the
resource cost on server operators would also discourage them from
running good nodes.)

I realize that I could be wrong here; I'm just pointing out that this
is not a trivial idea, and it's not an obviously unalloyed win.

> >> On a related issue, I have attempted to use the "ExcludeNodes" config
> >> and it doesn't seem to work. I am sure that of the dozens of nodes
> >> I've tried to exclude (and failed to exclude - test only) ALL of
> >> them cannot be my "guard" nodes. Ok this might only be winOS,
> >> perhaps everyone should check it out for themselves. Just to be
> >> sure. I've noticed others have seen similar. Re-check.
> >
> >ExcludeNodes *is* supposed to work.  If it doesn't, submit a bug
> >report.  Warning! You will need to describe *exactly* what you did,
> >and *exactly* what Tor did in response.  Logs will help. This is too
> >hard for many people.
> 
> Well hey thank you for the advice. Without Vidalia working on Win2k
> I'm stuffed, but then you knew that didn't you.

No, I'm afraid I didn't know that; I genuinely would like this feature
to work.  If vidalia isn't working for you, you could possibly try
editing your torrc?  No pressure; I don't mean for this to be any kind
of accusation or anything.  Just... if you want us to fix something
that seems to work for us, we need information on how it's broken.

> >frustratedly yrs,
>
> I believe you. It's always frustrating when people start asking
> questions about subjects you would really like swept under the
> carpet and forgotten.
>
> Just remember to answer them with politeness and integrity. And you
> won't go far wrong. If not you might be mistaken for a dictatorial
> pleb with an axe to grind.

My apologies for my unprovoked rudeness.  I like to think of free
software as a darwinian meritocracy rather than a dictatorship, and
would certainly hope that if Roger and I do a bad job as developers,
the community will realize this, try to talk us into doing something
sensible, fork Tor if we don't, and stop us from harming the world any
further.

But seriously, we're trying to do our best here.

yrs,
-- 
Nick Mathewson
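An added example, not code from this thread or from Tor, contrasting the two meanings of "invalid" that the message above separates: the directory authorities' Valid flag and the Serifos script's "not a Tor server as far as I know" IP lookup. The relay entries, addresses and the simplified r/s line layout are constructed assumptions for illustration.

```python
# Constructed entries, loosely modelled on the v2 network-status "r"/"s" line
# layout: r nickname identity digest date time IP ORPort DirPort / s flags.
SAMPLE_STATUS = """\
r alice AAAA BBBB 2006-08-16 12:00:00 192.0.2.10 9001 9030
s Exit Fast Running Stable Valid
r bob CCCC DDDD 2006-08-16 12:00:00 198.51.100.20 9001 0
s Exit Fast Running Stable Valid
r mallory EEEE FFFF 2006-08-16 12:00:00 203.0.113.30 9001 0
s Exit Running
"""

def parse_status(text):
    """Return {nickname: {"or_ip": ..., "flags": set()}} from r/s lines."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "r" and len(parts) >= 8:
            current = {"or_ip": parts[6], "flags": set()}
            relays[parts[1]] = current
        elif parts and parts[0] == "s" and current is not None:
            current["flags"] = set(parts[1:])
    return relays

def directory_valid(relays, nickname):
    """Tor's meaning: the authorities have not marked the router invalid."""
    return "Valid" in relays[nickname]["flags"]

def serifos_valid(relays, exit_ip):
    """Serifos-style meaning: the IP is one some known relay listens on."""
    return any(r["or_ip"] == exit_ip for r in relays.values())

def classify_exit(relays, nickname, observed_exit_ip):
    """Show how the two meanings can disagree for one observed exit."""
    return {
        "directory_valid": directory_valid(relays, nickname),
        "serifos_valid": serifos_valid(relays, observed_exit_ip),
    }

if __name__ == "__main__":
    relays = parse_status(SAMPLE_STATUS)
    # bob is Valid but exits from a second address: Serifos says "not a valid Tor server".
    print(classify_exit(relays, "bob", "198.51.100.99"))
    # mallory is not Valid, yet its listening IP is known, so Serifos calls it valid.
    print(classify_exit(relays, "mallory", "203.0.113.30"))
```

The two cases show that neither check implies the other: AllowInvalidNodes only governs the authorities' flag, while the Serifos page only tests whether an exit IP is a known listening address.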