tor-dev January 2013

tor-dev@lists.torproject.org

40 participants
27 discussions

Re: [tor-dev] [tor-talk] Open streams on the fly
by benjaminlincoln＠lavabit.com 23 Jan '13

23 Jan '13

> On Mon, Jan 21, 2013 at 2:56 PM, <benjaminlincoln(a)lavabit.com> wrote: >>>> I see, tor already implements such a flag, ISO_STREAM. >> >> I attached a simple formal proposal for this idea. Please discuss. > > Proposals go to tor-dev, not tor-talk. > > Before you re-send, you should check out the discussion (what there is > of it) on ticket #7553 at > https://trac.torproject.org/projects/tor/ticket/7553 . The major > concern at the time was the performance impact from a large number of > users all activating this option. The discussion on the ticket has > stalled; it would be nice to reboot the discussion on tor-dev and try > to bring it to a conclusion. > > In particular, if people think *this* is a good way to "maintain > separate identities" for something like web browsing, that's an > accidental DOS attack waiting to happen. > > Following Nicks's advice I would like to start a discussion on ticket 7553. https://trac.torproject.org/projects/tor/ticket/7553 I think this feature should be exposed to the user. I refrained from writing "implemented" because this feature is already implemented. Not exposing it to the user will not stop Bad Guy(TM) from using it because it can easily be enabled by a trivial 2-line patch to tor. This will not lead to DOS. Circuits being created is slow for the user. I doubt anyone will enable this for real-time, interactive communication like surfing. It hurts anonymity, too. Cypherpunks patch mentions this. 895 **IsolateStream**;; 896 Don't share circuits at all, i.e. isolate each stream to an individual 897 circuit. (Not suitable for browsing or general use, where it *will hurt 898 your anonymity* due to the noisy request profile. The constant creation 899 of new circuits will also be excruciatingly slow for you and put 900 unnecessary load on the Tor network.) Most protocols, in particular HTTP(S), explicitly request their connections to be kept alive. IsolateStream will not have a real effect on these protocols.

2 1

Simple example in C
by monet＠tormail.org 21 Jan '13

21 Jan '13

Anybody can help me? I search a simple program in C to read information from hiden services in tor. Services is simple perl script. and only tcp

1 0

Re: [tor-dev] [tor-talk] Open streams on the fly
by benjaminlincoln＠lavabit.com 19 Jan '13

19 Jan '13

>> The implementation of proposal 171 and subsequent release of tor >> 0.2.3.25 >> fills my heart with joy. Yet, as far as I can tell, there is one use >> case >> that is not adequately covered. I would like to open and close Streams >> (TransPort's, DNSPort's and SOCKSPort's) at run-time without interfering >> with other, existing Streams and Circuits. SETCONF does not work here >> because it resets all existing streams. > > I think tor lacks an isolation flag which specifies to isolate each and > every stream, even those going to the same address and port. I see, tor already implements such a flag, ISO_STREAM. /** Isolate based on destination port */ #define ISO_DESTPORT (1u<<0) /** Isolate based on destination address */ ... /** Isolate all streams (Internal only). */ #define ISO_STREAM (1u<<7) diff --git a/src/or/config.c b/src/or/config.c index 90a5dfb..648bfba 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -5929,6 +5929,8 @@ parse_port_config(smartlist_t *out, isoflag = ISO_CLIENTPROTO; } else if (!strcasecmp(elt, "IsolateClientAddr")) { isoflag = ISO_CLIENTADDR; + } else if (!strcasecmp(elt, "IsolateStream")) { + isoflag = ISO_STREAM; } else { log_warn(LD_CONFIG, "Unrecognized %sPort option '%s'", portname, escaped(elt_orig)); This looks like a reasonable addition to me - an addition that could be backported to 0.2.3.x.

1 1

Affect of Proposal 207 on user metrics
by Abel Luck 18 Jan '13

18 Jan '13

Question: How does proposal 207 (relay fetching through entry guards) affect the user metric data? Is it possible to keep that data accurate (for the current value of accurate)? ~abel

2 1

Tor Browser repository for Fedora 17 and 18
by Jamie Nguyen 17 Jan '13

17 Jan '13

Hi, I'm the maintainer for Tor package on Fedora EPEL. I've set-up a (GPG signed) repository for Fedora 17 and 18 with Tor Browser RPM packages. It optionally includes SELinux protection for the Tor Browser. (Tor client/server already has SELinux protection on Fedora.) More info here: https://jamielinux.com/articles/2013/01/tor-and-tor-browser-repository-on-f… -- Jamie Nguyen

1 0

Multiple Tor
by Bin Wang 17 Jan '13

17 Jan '13

Dear Guys, I am brand new to TOR and I feel like multiple TORs should be considered. The multiple tors I mentioned here are not only multiple instances, but also using different proxy ports for each, like what has been done here http://www.howtoforge.com/ultimate-security-proxy-with-tor) I am trying to get started with 4 tors. However, the tutorial applies to Arch Linux and I am using a headless EC2 ubuntu 64bits. It is really a pain going through the differences between Arch and Ubuntu. And here I am wondering is there anyone could offer some help to implement my idea simplicitly. 1. Four TORs running at the same time each with an individual port, privoxy or polipo or whatever are ok once it works. Like: 8118 <- Privoxy <- TOR <- 9050 8129 <- Privoxy <- TOR <- 9150 8230 <- Privoxy <- TOR <- 9250 8321 <- Privoxy <- TOR <- 9350 2. In this way, if I try to return the ip of 127.0.0.1:8118, 8129, 8230 and 8321, they should return four different ips, which indicates there are four different tors running at the same time. Then, a few minutes later, check again, all four of them should have a new ips again. I know my simple 'dream' could come true in many ways, however... I am not only new to tor, but even also to bash and python... That is why I come here and see whether some of you could light me up. These links might be useful: http://blog.databigbang.com/distributed-scraping-with-multiple-tor-circuits/ https://www.torservers.net/wiki/setup/server#multiple_tor_processes http://www.howtoforge.com/ultimate-security-proxy-with-tor Best, Bin Wang

3 4

All the problems about Stegotorous
by vmonmoonshine＠gmail.com 16 Jan '13

16 Jan '13

Hello everybody, I was talking to Roger yesterday on the IRC, and he mentioned that "[S]tegotorus ... has a whole lot of problems". I have heard this many times in different forms by now (in Florence, The sponsor F discussion, etc). But I never saw these "lot of problems" are broken down in a list, so at least one can attack them one by one. It was always "lots of problem". So, let this email be an appeal to all of you who have some problem, deficiency, architectural dissatisfaction, etc with Stegotorus, write back on this thread, so at least we have written account of these problems and dissatisfactions? Then I'll turn them into the tickets as the very first step toward their solution. Also it can serve as written account of difficulties involving the making of any HTTP transport. Thank you for your contribution in advance. Cheers, Vmon

3 2

Re: [tor-dev] All the problems about Stegotorous
by vmonmoonshine＠gmail.com 16 Jan '13

16 Jan '13

Hi Roger, Thank you very much for replying to my appeal. I hope that other people who are critical of Stegotorus jump-in along the line. > 1) Like the FTE paper... I'm going to discuss your first point at the end because it is not criticism of Stegotorus per se, but of http transport in general. > 2) There also remains the issue of where you get your > covertexts. While > FTE says "we will build a brilliant regexp to characterize the format > of the thing we hide our content in" (which has its own problems -- > anything your regexp misses is a crack in the armor), Stegotorus says > "we will build a big library of example things, by crawling the > Internet, > and then we'll hide our content in them". Where does this library come > from? How does every Stegotorus bridge gets its own library? What > happens > when you reuse an item in your library? How do *clients* generate > their > own library? I think there are lots of ways to lose plausibility that > haven't been explored. > > 2') One of the proposed ways for clients to generate their library of > plausible covertexts is to basically wiretap the user and then replay > her own traffic later with the Tor flow embedded in it. First there > are messy engineering questions to tapping the user in a portable way; > but I worry even more about the privacy issues introduced by repeating > earlier traffic. Also, does it introduce new distinguishing attacks, > like "look for variations on the same request"? So one thing I implemented last summer to address 2 and 2' at least on plausibility level is this: - To setup, ST-server, you give it the address of an http server and list of files stored on that server (alternatively you are running Apache httpd on the same machine and ST-Server will go and make a list of all files in Apache document_root). - The client request the "http://ST-server/". - In reply ST-server will send the hash of the list of files - ST-client compare with the hash of its own file list (which can be zero if the client has no list). - If it matches they starts serving right away. - If not, ST-server will send the list of file to the client. (these all happens inside the steg layer of course). Moreover, now not only the steg modules are pluggable, the payload (covertext) loader is also pluggable, so if you don't like this way of loading payloads you can write your payload loader and ask ST to use that instead. > I recognize that *not* > using real client traffic also allows problems, e.g. "why is that > user, > who usually uses IE, sending a user-agent of chromium?" > This can be address as a ticket. CURL already has the option to pretend being other agents. You can just ask the user to browse 127.0.0.1:ST-Port and get the agent that way. After all I don't think, this is as a critical issue. First most people are sharing valid IPs. (I can't remember one place in Iran that I got a valid IP) So the filter has no way to say if two people are using the connection, or one person using two browsers. Let alone that, it is not uncommon to use two browsers on a same computer. The other thing is that HTTP GET request doesn't have lots of place to maneuver so it is much easier to make it exactly look like a specific browser. Long term we can make a Firefox plug-in to interact with ST on the client side. It shouldn't be hard because the payload provider is pluggable now (which also take care of the communication on the client side). > 3) What's the overhead of putting your Tor traffic through each of the > steg modules? It's my understanding that some of the Stegotorus steg > modules produce immense size overhead (since the cover-item is large, > and the part of the cover-item you can hide your message in is > relatively > small). Well, this is a usual efficiency/security trade off question. What would you tell somebody who says "but I browse the web much faster without tor...", The answer is if you have idea to provide the same service with higher efficiency then go for it. Between no access or inefficient access, personally, prefer the latter. If Obfproxy can get by, I'm not going to use ST, but what if not. Practically speaking, I have watched the entire "behind enemy lines" of you and Jacob using ST using a quite good connection, and beside 2 or 3 times that it stopped, I had a OK experience watching it. I can come up with exact value of the overhead (traffic size in bytes with st)/(traffic size without st) if you give me some time. > What are the numbers for the current steg modules that people > are > talking about / have built? There's still 3/4 of them, pdf, swf, js and js in html. Adding steg module, seems to be the least of the problems and the most out source-able task. It is relatively easy to take an existing steg algorithm and feed it to ST as a steg module. >Is there some correlation between > inefficiency > (overhead) and plausibility (indistinguishability)? Obviously. You can choose the "no-steg" steg module and then you won't have any overhead. >What are the > tradeoffs > if we adopt some sort of "choose the covertext from your library that > minimizes your overhead" policy? Stegotorus, already has something like that, it consider 10 random candidates and between them it chooses the one with the least overhead that offer the capacity requested by the chopper. It is matter of few lines of codes to say only use xx% of least overhead covertext (size/capacity which payload loader is aware of both). Other possible approach to this is to ask user for a security factor (between 0-1) and based on that the steg module knows how much of change is allowed to be done to a covertext. Writing a simple classifier (using scikit-learn e.g.) which computes simple stat features to test the effectiveness of the security factor (telling http from st) isn't a terribly ambitious task either. > 4) And then the last issue isn't so much a design issue as a community > or > resource issue -- Zack is busy being a student, I think by now, I have made change to all part of the code beside the crypto module and I know the code quite well. Though I have the same problem as Zack, but I'm expecting to graduate soon. But if we tell every potential contributor don't touch ST it will burn, then the community won't grow. Anyway, I hope putting all above points on the trac as tickets, probably is the first step. If ST get a page with a short explanation and a link to its ticket (like Flashproxy does) maybe attracts more attention. > and further > development > by SRI is complicated by their pub review requirement (which alas > applies > to their code contributions too). > I don't know about this "pub review requirement". Could you give a ref to read more about it? And now item 1. > 1) Like the FTE paper > (https://www.torproject.org/docs/pluggable-transports), the main > contribution of Stegotorus is to provide a framework for plugging in > steg > modules. There are several example steg modules to choose from. The > idea > is that even if the ones they offer now aren't suitable, if you *had* > a good one, you could just pop it in. The trouble is that I don't know > of any good ones, and I think that's a harder problem than people > think. > I think the actual question is that "are we going to provide http transport or not?" I think the situation that "I'm going to close many ports beside 80 and X and Y, then do a simple DPI so people don't divert their https on 80" is a very likely scenario. The problem that you think is "a harder problem than people think" is the secure steg problem, which we are not trying to solve here. We are banking on the fact that a accurate multilevel stat analysis is too expensive for a DPI that needs to judges GBs of data per second. In expense of efficiency you can make the steg quite hard to be detected. Suppose you only use jpeg images and you only use the LSB of the cosine coefficients. I don't see any easy way to detect the steg for a DPI on the go. > I think having some thorough explorations of 1-3 would put us in a > much > better position. > In nutshell, ST doesn't stop you from writing better steg/payload loaders so that is for 2,2' and 3 while providing a working version of them right now. Item 1, is asking "if a http transport is worth it", I think the answer is yes. Thanks again, I'm going to make some tickets for more concrete aspects of above point and share them with the list. Bests, Vmon > ------------------------------ > > Message: 2 > Date: Sun, 13 Jan 2013 23:47:44 -0700 > From: Bin Wang <binwang.cu(a)gmail.com> > To: tor-dev(a)lists.torproject.org > Subject: [tor-dev] Multiple Tor > Message-ID: > <CAJHCcVbzQcXkQZurORupLLEJBm9cJATkKqYOYkUr=km-bo34pA(a)mail.gmail.com> > Content-Type: text/plain; charset="iso-8859-1" > > Dear Guys, > > I am brand new to TOR and I feel like multiple TORs should be > considered. > The multiple tors I mentioned here are not only multiple instances, > but > also using different proxy ports for each, like what has been done > here > http://www.howtoforge.com/ultimate-security-proxy-with-tor) > > I am trying to get started with 4 tors. However, the tutorial applies > to > Arch Linux and I am using a headless EC2 ubuntu 64bits. It is really a > pain > going through the differences between Arch and Ubuntu. And here I am > wondering is there anyone could offer some help to implement my idea > simplicitly. > 1. Four TORs running at the same time each with an individual port, > privoxy > or polipo or whatever are ok once it works. > Like: > 8118 <- Privoxy <- TOR <- 9050 > 8129 <- Privoxy <- TOR <- 9150 > 8230 <- Privoxy <- TOR <- 9250 > 8321 <- Privoxy <- TOR <- 9350 > > 2. In this way, if I try to return the ip of 127.0.0.1:8118, 8129, > 8230 and > 8321, they should return four different ips, which indicates there are > four > different tors running at the same time. Then, a few minutes later, > check > again, all four of them should have a new ips again. > > I know my simple 'dream' could come true in many ways, however... I am > not > only new to tor, but even also to bash and python... That is why I > come > here and see whether some of you could light me up. > > These links might be useful: > > http://blog.databigbang.com/distributed-scraping-with-multiple-tor-circuits/ > https://www.torservers.net/wiki/setup/server#multiple_tor_processes > http://www.howtoforge.com/ultimate-security-proxy-with-tor > Best, > Bin Wang >

2 1

Orbot: request hidden service from other app
by Bernd 09 Jan '13

09 Jan '13

Hello, I'm going to write an Android app that needs a hidden service, specifically I want to implement a client for the TorChat protocol on Android. TorChat needs a hidden service to receive incoming connections and it needs to know its own .onion name to be able to advertise it to others. Some of you might know my first implementation of it for Windows came bundled with the tor executable and simply started and stopped its very own tor process with its own configuration inside its own private directory and then simply read the hostname file from the hidden service directory to learn its own .onion hostname, this was pragmatic and probably not very elegant but it was very robust and very user friendly. On Android I would now rather make use of Orbot and Orbot's Tor process instead of bundling my own Tor executable. I have seen somewhere in the tor issue tracker it was mentioned (2 years ago) that in Orbot it was planned (and a prototype existed already) to make it possible for another app to use Android's Intent-System to: * request a hidden service on port xyz * have Orbot started automatically as a result of this * have Orbot automatically configure the HS as requested * tell the App what the hostname of that HS is. Is that implemented already? If it is, does there exist any documentation or example code that makes use of it? -Bernd

2 1

Stem code review 2013-01-03
by Sean Robinson 06 Jan '13

06 Jan '13

Stem devs, This is a review of commits made to Stem from 2012-12-22 through 2013-01-03. Happy new year. I'm a fan of the new Controller.get_circuits() method. It's a nice and clever re-use of internal code. And it makes circuit-oriented method tests much more readable. Controller.get_circuit() is another good idea. A positive feedback loop... Using defaults for getters is betters[0]. This allows developers to choose whether to accept the exception or use their own reasonable default. I like the synchronous[1] interface to Controller.extend_circuit(). It's a good idea and a good internal re-use of event handling. Even better, the sync interface is optional. I did find the 'assert extended == "EXTENDED"' test after is_ok() to be strange, I cannot find where Tor has ever returned anything other than "250 EXTENDED" on success for an EXTENDCIRCUIT command. This may be more verification of results than is warranted. If Damian and Ravi agree, I would be happy to submit a patch removing this line. With the recent changes[2] to ExitPolicy and related classes, I dove into research on this topic. But, there is still much I don't understand, so please be careful with the following comments. 1) There is a discrepancy in class naming (i.e. MicroExitPolicyRule vs MicrodescriptorExitPolicy) about which I vote to rename MicrodescriptorExitPolicy to MicroExitPolicy. 2) How can a lightweight class be a subclass of a heavy class and be lightweight? MicrodescriptorExitPolicy is a subclass of ExitPolicy and MicroExitPolicyRule is a subclass of ExitPolicyRule. I concentrated on MicroExitPolicyRule and ExitPolicyRule. What I found: a) There are a few small attributes (i.e. _address_type, _mask_bin, _addr_bin, _mask, _masked_bits) in ExitPolicyRule and not in MicroExitPolicyRule. b) There is minimal extra processing of get_*() methods in ExitPolicyRule. c) Private methods (i.e. _get_address_bin, _apply_portspec, _apply_addrspec, _get_mask_bin) from ExitPolicyRule are still in MicroExitPolicyRule and cause exceptions (e.g. "AttributeError: 'MicroExitPolicyRule' object has no attribute '_mask_bin'") when called. d) However, i) sys.getsizeof(ExitPolicy("accept 1.1.1.1:34")) == 64 bytes ii) sys.getsizeof(MicroExitPolicyRule(True, 34, 34)) == 64 bytes iii) I made a mutant MicroExitPolicyRule that was a direct subclass of object and sys.getsizeof(MicroExitPolicyRule(True, 34, 34)) == 64 bytes I'm not sure these MicroExitPolicy* classes can be considered lightweight. Would a class with least common attributes (e.g. BaseExitPolicyRule) from which ExitPolicyRule and MicroExitPolicyRule descended make sense. But, considering the size results in 2)d), is it worth the time to optimize this area? And lastly, I want to quote my favorite line from these recent commits[last]: address = address.lstrip('[').rstrip(']') Wait, you can do that? [0]: https://gitweb.torproject.org/stem.git/commit/ffdd61ea41ca844047ac57725639a… [1]: https://gitweb.torproject.org/stem.git/commit/f716fedc97ea3cc522571ad8bd505… [2]: https://gitweb.torproject.org/stem.git/commit/da65f282699d3e8e763e1f3ba3c76… and https://gitweb.torproject.org/stem.git/commit/d35b9c737e320500fa6cfdfa87453… [last]: https://gitweb.torproject.org/stem.git/commit/683b1ba479f2aff3c277e0ff53bdc… -- Sean Robinson

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev January 2013