Tor bug?: AllowInvalidNodes

Arrakistor arrakistor at gmail.com
Wed Aug 16 22:48:21 UTC 2006


Nick,

Let us say we did verify people within X miles of us... what would be
the protocol? What keeps me from meeting the representative of an
evil agent dressed as John Q Public?

Regards,
 Arrakistor

Wednesday, August 16, 2006, 5:00:47 PM, you wrote:

> On Wed, Aug 16, 2006 at 08:59:12PM +0000, crackedactor at supanet.com wrote:
>> 
>> On Wed, Aug 16, 2006  Nick Mathewson wrote:
>  [...]
>> >It works. It just doesn't mean what you thought.
>> 
>> You obviously didn't read Arrakistor 16 August 2006 00:44 Tor bug?:  AllowInvalidNodes
>> 
>> who wrote
>> 
>> "Roger, Nick, et al,
>> 
>> Tor *.23
>> 
>> AllowInvalidNodes seems to be having a problem. We've tried a few versions,
>> including the deprecated AllowUnverifiedNodes to no avail. However the
>> exit node of the circuit is still often invalid according to
>> http://serifos.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1

> See Roger's message, which you quote below:

>    > The exit.pl script that Geoff wrote and runs on Serifos uses the
>    > phrase "not a valid Tor server" to mean "not a Tor server as far
>    > as I know".

> This is the serifos script that Roger is talking about.  It lists IP
> addresses as "invalid" if they are not the IP of a tor server it
> knows.  Some "valid" (according to the directory authorities) Tor
> servers exit on IPs that are not the same as the IP they listen on.
> This means that the IP they exit on will not appear on serifos's list
> of valid nodes.

>  [...]
>> >> Now I find out that it was never intended to work and that it was
>> >> never an  "AllowUnverifiedNodes" replacement.
>> >
>> >Sure it was.  "Unverified" and "Invalid" are the same concept:
>> >'attested to as likely to be okay by the directory server.'  The only
>> >thing that has changed is the name.
>> >
>> 
>> Did you read Roger Dingledine 16 Aug 2006 13:42:17 -0400   Re: Tor bug?: AllowInvalidNodes
>> 
>> who wrote (short version):
>> 
>> "The fundamental confusion here is that the word 'invalid' means many
>> things to many people, but it means pretty much nothing to Tor. The
>> exit.pl script that Geoff wrote and runs on Serifos uses the phrase "not
>> a valid Tor server" to mean "not a Tor server as far as I know". The
>> word "valid" with respect to the AllowInvalidNodes config option is
>> simply defined as "not manually designed by the directory authorities
>> as invalid".
>> 
>> "
>> 
>> Are you arguing with this definition of INVALID as opposed to the
>> original "Unverified" definition? Or are you now informing us that
>> for some while now the term "unverified" has always been
>> meaningless? If so, for how long has this been so?

> Hm?  No, they both meant "attested to as likely to be ok".  In the old
> days, directory authorities attested to servers as ok when their admins
> told them to, and the admins told them to as they got mail claiming to
> be from server admins.  We thought that this was a bad idea and
> created a false sense of security.  Now, directory authorities attest
> to servers as ok when the servers seem to be running, and the admins
> have not told them to consider the servers suspicious.

> The version 2 directory specification, which came into use during the Tor
> 0.1.1.x series, says:

>     "Valid" -- a router is 'Valid' if it seems to have been running
>     well for a while, and is running a version of Tor not known to be
>     broken, and the directory authority has not blacklisted it as
>     suspicious.

>  [...]
>> >Because "Verified" was a stupid name.  It implied that we had a good
>> >way to go out and tell whether a node's operator was honest, upright,
>> >and competent, and whether the node was physically secure and
>> >non-eavesdropped.
>> >
>> It implied you at least knew who they said they were (not that you
>> knew they were what they said).

> Though that's what it meant in practice, that's not the interpretation
> of "verified" that I'd have made.  Moreover, it's not IMO a useful
> property to have.  Knowing who the adversary claims to be is only
> effective against an adversary who can't or won't lie about who they
> are.

>  [...]
>> >If you know a way to do this, please let us know.  We're all ears.
>> >Please keep in mind that we haven't got much cash to do this with, and
>> >what cash we do have, we'd rather spend on rent and food and
>> >developing Tor.
>>
>> You poor penniless, overworked person. Why don't you ask all the
>> VERIFIED TOR operators to VERIFY the new TOR operators, within say
>> 50-100 miles (100-200 km) of them (or closest one).
>>
>> I'll do 100 mile radius (UK) of Portsmouth UK - but only if you "verify" me.

> It's not a bad idea.  Time permitting, a web-of-trust kind of system
> might be neat to do.  Of course, we'd need to think about what effect
> this will have on route-based partitioning, and on possibly
> discouraging operators from running servers if they need to meet other
> operators face-to-face to do so.  And how hard is it really to foil a
> face-to-face meeting?  These are neat questions.

> (Please forgive us if someday we eventually start doing this, and pick
> trust seeds in the UK from among people we already know and trust.
> I'm sure you would do the same.)

>> >[...]
>> >> If some "unverifiednode" exit server adversary has set themselves up
>> >> in business of monitoring TOR users then isn't it because
>> >> "AllowUnverifiedNodes" was removed (effectively).
>> >
>> >Right, you're confirming that we were right to change "Verified" to
>> >"Valid".  Apparently, you *did* think that "verified" was a magicial
>> >stamp of good intentions.
>> >
>> Well darling that is what it said... no?

> Sorry, I don't think it ever said it was a magical stamp of good
> intentions.  If we said that, that was a stupid thing for us to say,
> and I'm glad we changed it.

>> >[...]
>> >> Personally, I think it's irrelevant today, that at one time persons
>> >> had to be known personally to run a verified server. Quaint but
>> >> irrelevant. But hey, I don't mind having someone round to my place
>> >> from the UK to verify me. Why not have 3 levels of security - level
>> >> 2 - Registered - just what we have now. Level 1 - Verified - visit
>> >> their setup. Level 3 - unregistered & unverified. And give us a
>> >> config statement to use these levels or not.
>> >
>> >Dude, we're not going to impose a worldwide server auditing system.
>> >We're not going to visit server operators' houses.   Even if it did,
>> >what would it prove?  Any organization could set up servers in a bunch
>> >of its members' houses.  Are we supposed to do background checks?
>> >
>> Chikita, you really must put your thinking cap on and stop ignoring
>> the obvious. I said..

> ITYM "chiquita", but I am not a little girl.

>> Level 2 - registered - eg those that register their server name,
>> provide their real name and address. Do a web credit check - simple
>> and cheap. Get them to donate a COUPLE OF DOLLARS FOR THAT. Just
>> send them a registration code in the post to their credit card
>> address - the one they donated with and the address they gave for
>> it. Of course they can still forge this - but would they? With lots
>> of servers?
>>
>> Level 1 - verified - eg a visit from a VERIFIED operator after
>> provision (copies) of household bills, local tax statement, or
>> identification of company or org if an org, isp verification. Once
>> again, of course they can still forge this darling - but would they?
>> With lots of servers?
>>
>> You could even sub-level the Levels with a safety value.

> Wow.  In my opinion, this would be tons of effort, would not pay for
> itself, would turn operators away, would create a risk of information
> leakage leading to identity theft, and would still be easy for
> governments and nefarious organizations to subvert.  (Your security
> model above seems based on the idea that the attacker can do things,
> but wouldn't think it was worth the resources.  I worry that the
> resource cost on server operators would also discourage them from
> running good nodes.)

> I realize that I could be wrong here; I'm just pointing out that this
> is not a trivial idea, and it's not an obviously unalloyed win.

>> >> On a related issue, I have attempted to the "ExcludeNodes" config
>> >> and it doesn't seem to work. I am sure that of the dozens of nodes
>> >> I've tried to exclude (and failed to exclude - test only) ALL of
>> >> them cannot be my "guard" nodes. Ok this might only be winOS,
>> >> perhaps everyone should check it out for themselves. Just to be
>> >> sure. I've noticed others have seen similar. Re-check.
>> >
>> >ExcludeNodes *is* supposed to work.  If it doesn't, submit a bug
>> >report.  Warning! You will need to describe *exactly* what you did,
>> >and *exactly* what Tor did in response.  Logs will help. This is too
>> >hard for many people.
>> 
>> Well hey, thank you for the advice. Without Vidalia working on Win2k
>> I'm stuffed, but then you knew that, didn't you.

> No, I'm afraid I didn't know that; I genuinely would like this feature
> to work.  If vidalia isn't working for you, you could possibly try
> editing your torrc?  No pressure; I don't mean for this to be any kind
> of accusation or anything.  Just... if you want us to fix something
> that seems to work for us, we need information on how it's broken.

>> >frustratedly yrs,
>>
>> I believe you. It's always frustrating when people start asking
>> questions about subjects you would really like swept under the
>> carpet and forgotten.
>>
>> Just remember to answer them with politeness and integrity. And you
>> won't go far wrong. If not you might be mistaken for a dictatorial
>> pleb with an axe to grind.

> My apologies for my unprovoked rudeness.  I like to think of free
> software as a darwinian meritocracy rather than a dictatorship, and
> would certainly hope that if Roger and I do a bad job as developers,
> the community will realize this, try to talk us into doing something
> sensible, fork Tor if we don't, and stop us from harming the world any
> further.

> But seriously, we're trying to do our best here.

> yrs,
