tor-dev February 2014

tor-dev@lists.torproject.org

61 participants
60 discussions

Proposal 228: Cross-certifying identity keys with onion keys
by Nick Mathewson 03 Mar '14

03 Mar '14

Here's a proposal that's been kicking around on my laptop for a while. I cleaned it up to use the revised certificate format from the revised proposal 220. My math and crypto claims might be incorrect here; I'm sure hoping somebody will tell me if they are. Filename: 228-cross-certification-onionkeys.txt Title: Cross-certifying identity keys with onion keys Author: Nick Mathewson Created: 25 February 2014 Status: Open 0. Abstract In current Tor router descriptor designs, routers prove ownership of an identity key (by signing the router descriptors), but not of their onion keys. This document describes a method for them to do so. 1. Introduction. Signing router descriptors with identity keys prevents attackers from impersonating a server and advertising their own onion keys and IP addresses. That's good. But there's nothing in Tor right now that effectively stops you (an attacker) from listing somebody else's public onion key in your descriptor. If you do, you can't actually recover any keys negotiated using that key, and you can't MITM circuits made with that key (since you don't have the private key). You _could_ do something weird in the TAP protocol where you . Nonetheless, it's probably undesirable that this is possible at all. Just because it isn't obvious today how to exploit this doesn't mean it will never be possible. 2. Cross-certifying identities with onion keys 2.1. What to certify Once proposal 220 is implemented, we'll sign our Ed25519 identity key as described in proposal 220. Since the Ed25519 identity key certifies the RSA key, there's no strict need to certify both separately. On the other hand, this proposal may be implemented before proposal 220. If it is, we'll need a way for it to certify the RSA1024 key too. 2.2. TAP onion keys We add to each router descriptor a new element, "onion-key-crosscert", containing a RSA signature of: A SHA1 hash of the identity key [20 bytes] The Ed25519 identity key, if any [32 bytes] If there is no ed25519 identity key, or if in some future version there is no RSA identity key, the corresponding field must be zero-filled. Parties verifying this signature MUST allow additional data beyond the 52 bytes listed above. 2.3. ntor onion keys Here, we need to convert the ntor key to an ed25519 key for signing. See the appendix A for how to do that. We'll also need to transmit a sign bit. We can add an element "ntor-onion-key-crosscert", containing an Ed25519 certificate in the format from proposal 220 section 2.1, with a sign indicator to indicate which ed25519 public key to use to check the key: "ntor-onion-key-crosscert" SP SIGNBIT SP CERT NL SIGNBIT = "0" / "1" Note that this cert format has 32 bytes of of redundant data, since it includes the identity key an extra time. That seems okay to me. The TYPE field in this certificate should be set to [0A] - ntor onion key cross-certifying ntor identity key 3. Authority behavior Authorities should reject any router descriptor with an invalid onion-key-crosscert element or ntor-onion-key-crosscert element. Both elements should be required on any cert containing an ed25519 identity key. See section 3.1 of proposal 220 for rules requiring routers to eventually have ed25519 keys. 4. Performance impact Routers do not generate new descriptors frequently enough for them to need to Checking an extra ed25519 signature when parsing a descriptor is very cheap, since we can use batch signature checking. The point decompression algorithm will require us to calculate 1/(u+1), which costs as much as an exponentiation in GF(2^255-19). Checking an RSA1024 signature is also cheap, since we use small public exponents. Adding an extra RSA signature and an extra ed25519 signature to each descriptor will make each descriptor, after compression, about 128+100 bytes longer. (Compressed base64-encoded random bytes are about as long as the original random bytes.) Most clients don't download raw descriptors, though, so it shouldn't matter too much. A. Converting a curve25519 public key to an ed25519 public key Given a curve25519 x-coordinate (u), we can get the y coordinate of the ed25519 key using y = (u-1)/(u+1) and then we can apply the usual ed25519 point decomporession algorithm to find the x coordinate of the ed25519 point to check signatures with. Note that we need the sign of the X coordinate to do this operation; otherwise, we'll have two possible X coordinates that might have correspond to the key. Therefore, we need the 'sign' of the X coordinate, as used by the ed25519 key expansion algorithm. To get the sign, the easiest way is to take the same private key, feed it to the ed25519 public key generation algorithm, and see what the sign is. B. Security notes It would be very bad for security if we provided a diffie-hellman oracle for our curve25519 ntor keys. Fortunately, we don't, since nobody else can influence the certificate contents.

4 4

Call for testing/review: obfsclient-0.0.1rc1
by Yawning Angel 02 Mar '14

02 Mar '14

Hello all, Due to a moment of surprising productivity, I have a release candidate of obfsclient available now. For those of you that missed the last thread regarding this, it is a C++11 client implementation of obfs2, obfs3, and ScrambleSuit that works as a drop in replacement for obfsproxy. Notable changes since the last time I posted: * ScrambleSuit code is now up to spec. * Packet length and Inter-packet Arrival Times are randomized. * Session Ticket Handshake is supported. * obfsclient will give up on handshaking after 60 seconds. * Needed because obfsproxy servers do not close the connection for certain protocols. * SIGINT is hooked and handled per the pt spec. * Some dumb bugs were fixed. Places where obfsclient behaves differently from obfsproxy: * Current production obfsproxy releases disable Scramblesuit IAT obfuscation. obfsclient also uses slightly different logic for sending with it enabled. (May change for final release) * WELL512 is used instead of MT for the ScrambleSuit packet length obfuscation. * obfsclient gives up when the handshaking stalls. * The SOCKS5 response is sent post obfuscation protocol handshake instead of before. * obfsclient uses SOCKS5 instead of SOCKS4. * The ScrambleSuit Session Ticket store is a plain text file. Things that are not bugs: * ScrambleSuit requires the client side tor to be 0.2.5.x. * The code will not build if the compiler is from the stone age. To what I assume will be a sigh of relief from Fabian, I tested on FreeBSD as well this time. The systems used for testing are in the release notes. Where: https://github.com/Yawning/obfsclient/releases/tag/v0.0.1-rc1 Thanks in advance, -- Yawning Angel

3 4

[weather-rewrite] Update on hourly-script
by Oliver Baumann 01 Mar '14

01 Mar '14

Hi Team, please see [1] for the current status of the hourly bandwidth script and feel free to comment on any improvements! Currently it's just a script calling several functions and performing some work 'off hand'. Once we move into integrating with a webapp, refactoring should make this nice and object-oriented :) Have a nice weekend and happy hacking, Oliver [1] https://trac.torproject.org/projects/tor/ticket/10697

3 3

tor2web proposal: comments appreciated before I commit this
by Virgil Griffith 01 Mar '14

01 Mar '14

Filename: ???-quickening-tor2webmode.txt Title: Making Tor2Web mode faster Author: Virgil Griffith, Fabio Pietrosanti, Giovanni Pellerano Created: 2014-02-23 Status: Open 1. Introduction While chatting with the Tor archons at the winter meeting, two speed optimizations for tor2web mode [1] were put forward. This proposal specifies concretizes these two optimizations. As with the current tor2web mode, this quickened tor2web mode negates any client anonymity. 2. Tor2web optimizations 2.1) self-rendezvous In the current tor2web mode, the client establishes a 0-hop circuit (direct connection) to a chosen rendezvous point. We propose that, alternatively, the client set *itself* as the rendezvous point. This coincides with ticket #9685 [2]. 2.2) direct-introduction Identical to the non-tor2web mode, in the current tor2web mode, the client establishes a 3-hop circuit to the introduction point. We propose that, alternatively, the client build a 1-hop (or 0-hop?) circuit to the introduction point. 4. References [1] Tor2web mode: https://trac.torproject.org/projects/tor/ticket/2553 [2] Self-rendezvous: https://trac.torproject.org/projects/tor/ticket/9685

2 1

TIMB - how may I contribute?
by CIURANA EUGENE (pr3d4t0r) 28 Feb '14

28 Feb '14

Greetings! 30 years of experience; proficient in Java, C, Python, Objective-C, Smalltalk, and R, with a pile of other languages too for minor or one-time projects. Work primarily with OS X and Linux. Familiar with most CLI Linux project management tool, not familiar at all with Gnome/KDE/etc. Coding, testing, translation, and server resources contributor to a wide range of open source projects like Jetty, Mule, Vim, WeeChat, Linux (looooong time ago; 1998), iPhone jailbreaks, DAViCal, etc. In the real world I specialize in designing and building scalable, highly available systems (including gathering and managing the team to build them). Rolling my sleeves up, ready to help. Cheers! E -- pr3d4t0r @ #tor, #tails, #tor-dev irc.oftc.net

3 3

Tor proposal status updates: interesting! (Feb 2014)
by Nick Mathewson 28 Feb '14

28 Feb '14

Hi, all! This list of open Tor proposals is based on one I sent out back in December[0], based on the one I did in November[1] based on the one I did in June of 2012[2], based on the one I did in May[3] of 2011. Future versions of this document will be maintained in the torspec repository as "proposals/proposal-status.txt". I'll still send them to tor-dev periodically. If you're looking for something to review, think about, or comment on: Review 212 (using older consensuses) or 215 (obsoleting consensus methods) if you understand the directory system even a little bit; they are quite simple. Review 219 if you're a DNS geek, or you'd like Tor to work better with more DNS types. Review 220 (ed25519 identity keys) and 228 (cross-certification) if you like designing signature things, if you have good ideas about future-proofing key type migration, or if you care about making Tor servers' identity keys stronger. Review 223 (ACE handshake) if you're a cryptographer, or a cryptography implementer, and you'd like an even faster replacement for the ntor handshake. Review 224 if you want to look through a big, complex protocol with a lot of pieces. Also review it if you care about hidden services and making them better. Review 226 if you're interested in bridgedb development. Review something else if you want to take a possibly good idea that needs more momentum and promote it, fix it up, or finally kill it off. I note in passing that many of the proposals below seem stalled, perhaps permanently: some because we don't know how to answer their open questions, others because we're not sure if they're a good idea, others because they don't seem implementable yet. Is that the best way to characterize it? Should we have a new "stalled" proposal status or something? Should we have a "rejected-pending-revision" status that we use effectively for everything that doesn't seem likely to get revised or implemented any time soon? Other suggestions would be welcome. Finally: if you've sent something to tor-dev or to me that should have a proposal number, but doesn't have one yet, please ping me again to remind me! [0] https://lists.torproject.org/pipermail/tor-dev/2013-December/005957.html [1] https://lists.torproject.org/pipermail/tor-dev/2013-November/005798.html [2] https://lists.torproject.org/pipermail/tor-dev/2012-June/003641.html [3] https://lists.torproject.org/pipermail/tor-dev/2011-May/002637.html **NOTE**: The dates after each paragraph indicate when I last revised the paragraph. 127 Relaying dirport requests to Tor download site / website The idea here was to make it easier to fetch and learn about Tor by making it easy for relays to automatically act as proxies to the Tor website. It needs more discussion, and there are some significant details to work out. It's not at all clear whether this is actually a good idea or not. Probably, there are better choices when it comes to distributing software and updates. (11/2013) 131 Help users to verify they are using Tor [NEEDS-REVISION] This one is not a crazy idea, but I marked it as needs-revision since it doesn't seem to work so well with our current designs. It seems mostly superseded by proposal 211. (11/2013) 132 A Tor Web Service For Verifying Correct Browser Configuration This proposal was meant to give users a way to see if their browser and privoxy (yes, it was a while ago) are correctly configured by running a local webserver on 127.0.0.1. I'm not sure the status here. Generally, I'm skeptical of designs that run webservers on localhost, since they become a target for cross-site attacks. (11/2013) 133 Incorporate Unreachable ORs into the Tor Network This proposal had an idea for letting ORs that can only make outgoing connections still relay data usefully in the network. It's something we should keep in mind, and it's a pretty neat idea, but it radically changes the network topology. Anybody who wants to analyze new network topologies should definitely have a look. (5/2011) 140 Provide diffs between consensuses This proposal describes a way to transmit less directory traffic by sending only differences between consensuses, rather than the consensuses themselves. It is mainly languishing for lack of an appropriately licensed, well-written, very small, pure-C implementation of the "diff" and "patch" algorithms. (The good diffs seem to be GPL (which we can't use without changing Tor's license), or spaghetti code, or not easily usable as a library, or not written in C, or very large, or some combination of those.) (5/2011) 141 Download server descriptors on demand The idea of this proposal was for clients to only download the consensus, and later ask nodes for their own server descriptors while building the circuit through them. It would make each circuit more time-consuming to build, but make bootstrapping much cheaper. Microdescriptors obsolete a lot of this proposal, and present some difficulties in using in a way compatible with it. (6/2012) 143 Improvements of Distributed Storage for Tor Hidden Service Descriptors Here's a proposal from Karsten about making the hidden service DHT more reliable and secure to use. It could use more discussion and analysis. We should look into it as part of efforts to improve designs for the next generation of hidden services. One problem with the analysis here, though, is that it assumes a fixed set of servers that doesn't change. One reason that we upload to N servers at each chosen point in the ring is that the hidden service host and the hidden service client may have different views of which servers exist. We need to re-do the analysis with some fraction of recent consensuses. (11/2013) 144 Increase the diversity of circuits by detecting nodes belonging the same provider This is a version of the good idea, "Let's do routing in a way that tries to keep from routing traffic through the same provider too much!" There are complex issues here that the proposal doesn't completely address, but I think it might be a fine idea for somebody to see how much more we know now than we did in 2008, particularly in light of the relevant paper(s) by Matt Edmann and Paul Syverson. (5/2011) 145 Separate "suitable as a guard" from "suitable as a new guard" [NEEDS-RESEARCH] Currently, the Guard flag means both "You can use this node as a guard if you need to pick a new guard" and "If this node is currently your guard, you can keep using it as a guard." This proposal tries to separate these two concepts, so that clients can stop picking a router once it is full of existing clients using it as a guard, but the clients currently on it won't all drop it. It's not clear whether this has anonymity issues, and it's not clear whether the imagined performance gains are actually worthwhile. (5/2011) 156 Tracking blocked ports on the client side This proposal provides a way for clients to learn which ports they are (and aren't) able to connect to, and connect to the ones that work. It comes with a patch, too. It also lets routers track ports that _they_ can't connect to. I'm a little unconvinced that this will help a great deal: most clients that have some ports blocked will need bridges, not just restriction to a smaller set of ports. This could be good behind restrictive firewalls, though. The router-side part is a little iffy: routers that can't connect to each other violate one of our network topology assumptions, and even if we do want to track failed router->router connections, the routers need to be sure that they aren't fooled into trying to connect repeatedly to a series of nonexistent addresses in an attempt to make them believe that (say) they can't reach port 443. This one is a paradigmatic "open" proposal: it needs more discussion. The patch probably also needs to be ported to 0.2.3.x; it touches some code that has changed. (5/2011) 159 Exit Scanning This is an overview of SoaT, with some ideas for how to integrate it into Tor. (5/2011) 164 Reporting the status of server votes This proposal explains a way for authorities to provide a slightly more verbose document that relay operators can use to diagnose reasons that their router was or was not listed in the consensus. These documents would be like slightly more verbose versions of the authorities' votes, and would explain *why* the authority voted as it did. It wouldn't be too hard to implement, and would be a fine project for somebody who wants to get to know the directory code. (5/2011) 165 Easy migration for voting authority sets This is a design for how to change the set of authorities without having a flag day where the authority operators all reconfigure their authorities at once. It needs more discussion. One difficulty here is that we aren't talking much about changing the set of authorities, but that may be a chicken-and-egg issue, since changing the set is so onerous. If anybody is interested, it would be great to move the discussion ahead here. (5/2011) 168 Reduce default circuit window This proposal reduces the default window for circuit sendme cells. I think it's implemented (or mostly implemented) in 0.2.1.20? If so, we should make sure that tor-spec.txt is updated and close it. (11/2013) 172 GETINFO controller option for circuit information 173 GETINFO Option Expansion These would help controllers (particularly arm) provide more useful information about a running Tor process. They're accepted and some parts of 173 are even implemented: somebody just needs to implement the rest. (5/2011) 175 Automatically promoting Tor clients to nodes Here's Steven's proposal for adding a mode between "client mode" and "relay mode" for "self-test to see if you would be a good relay, and if so become one." It didn't get enough attention when it was posted to the list; more people should review it. (5/2011) 177 Abstaining from votes on individual flags Here's my proposal for letting authorities have opinions about some (flag,router) combinations without voting on whether _every_ router should have that flag. It's simple, and I think it's basically right. With more discussion and review, somebody could/should build it, I think. (11/2013) 182 Credit Bucket This proposal suggests an alternative approach to our current token-bucket based rate-limiting, that promises better performance, less buffering insanity, and a possible end to double-gating issues. (6/2012) 185 Directory caches without DirPort The old HTTP directory port feature is no longer used by clients and relays under most circumstances. The proposal explains how we can get rid of the requirement that non-bridge directories have an open directory port. (6/2012) 188 Bridge Guards and other anti-enumeration defenses This proposal suggests some ways to make it harder for a relay on the Tor network to enumerate a list of Tor bridges. Worth investigating and possibly implementing. (6/2012) 189 AUTHORIZE and AUTHORIZED cells 190 Bridge Client Authorization Based on a Shared Secret [NEEDS-REVISION] 191 Bridge Detection Resistance against MITM-capable Adversaries Proposal 187 reserved the AUTHORIZE cell type; these proposals suggests how it could work to try to make it harder to probe for Tor bridges. They need more alternatives and attention, and possibly some revision and analysis. Number 190 needs revision, since its protocol isn't actually so great. (11/2013) 192 Automatically retrieve and store information about bridges This proposal gives an enhancement to the bridge information protocol, where clients remember more things about bridges, and are able to update what they know about them over time. Could help a lot with bridge churn. (6/2012) 194 Mnemonic .onion URLs Here's one of several competing "let's make .onion URLs human-usable" proposals. This one makes sentences using a fixed map. This kind of approach is likely to obsoleted if we go ahead with current plans for hidden services that would make .onion addresses much longer, though. (11/2013) 195 TLS certificate normalization for Tor 0.2.4.x Here's the followup to proposal 179, containing all the parts of proposal 179 that didn't get built, and a couple of other tricks besides to try to make Tor's default protocol less detectable. I'm pretty psyched about the part where we let relays drop in any any self-signed or CA-issued certificate that they like. Some of this is done in ticket #7145; we should decide, however, how much we want to push towards normalizing the main Tor protocol. (11/2013) 196 Extended ORPort and TransportControlPort Here are some remaining pieces of the pluggable transport protocol that give Tor finer control over the behavior of its transports. Much of this is implemented in 0.2.5 now; we should figure out what's left, and whether we want to build that. (11/2013) 197 Message-based Inter-Controller IPC Channel This proposal is for an architectural enhancement in Tor deployments, where Tor coordinates communications between the various programs (Vidalia, TorBrowser, etc) that are using it. (6/2012) 199 Integration of BridgeFinder and BridgeFinderHelper Here's a proposal for how Tor can integrate with a client program that finds bridges for it. I've seen some work being done on things called "BridgeFinder"; I don't know what the status of the current proposal is, though. (11/2013) 201 Make bridges report statistics on daily v3 network status requests Here's a proposal for bridges to better estimate the number of bridge users. (6/2012) 202 Two improved relay encryption protocols for Tor cells Here's a sketch of the two broad classes of alternatives for improving how relay encryption works. Right now, progress on this proposal is stalled waiting for the ideal wide-block construction to come along the line. (11/2013) 203 Avoiding censorship by impersonating an HTTPS server This one is a design for making a bridge that acts like an HTTPS server (by *being* an HTTPS server) until the user proves they know it's a bridge. (11/2013) 209 Tuning the Parameters for the Path Bias Defense In this proposal, Mike discusses alternative parameters for getting better result out of the path-bias-attack detection code. (11/2013) 210 Faster Headless Consensus Bootstrapping This proposal suggests that we get our initial consensus by launching multiple connections in parallel, and fetching the consensus from whichever one completes. In my opinion, that would be a fine idea when we're fetching our initial consensus from non-Authority DirSources, but we shouldnt' do anything to increase the load on authorities. (11/2013) 211 Internal Mapaddress for Tor Configuration Testing Here, the idea is to serve an XML document over HTTP that would let the know when it's using Tor. The XML document would be returned when you make a request over Tor for a magic address in 127.0.0.0/8. I think we need to do _something_to solve this problem, but I'm not thrilled with the idea of having any more magical addresses like this; we got rid of .noconnect for a reason, after all. (11/2013) 212 Increase Acceptable Consensus Age This proposal suggests that we increase the maximum age of a consensus that clients are willing to use when they can't find a new one, in order to make the network robust for longer against a failure to reach consensus. In my opinion, we should do that. If I recall correctly, there was some tor-dev discussion on this one that should get incorporated into a final, implementable version. (11/2013) 215 Let the minimum consensus method change with time This proposal describes how we can raise the minimum allowable consensus method that all authorities must support, since the ancient "consensus method 1" would not actually be viable to keep the Tor network running. We should do this; see ticket #10163. (11/2013) 219 Support for full DNS and DNSSEC resolution in Tor Here's a design to allow Tor to support a full range of DNS request types. It probably isn't adequate on its to make DNSSEC work realistically, since naive DNSSEC requires many round trips that wouldn't be practical over Tor. It has a ton of inline discussion that needs to get resolved before this is buildable. One thing to consider here is whether we can get the server-side done with reasonable confidence, and figure out the client side once more servers have upgraded. (12/2013) 220 Migrate server identity keys to Ed25519 This one is a design to migrate server identity keys to Ed25519 for improved security margin. It needs more analysis of long-term migration to other signing key types -- what do we do if we want to add support for EdDSA over Curve3617 or something? Can we make it easier than this? And it also needs analysis to make sure it enables us to eventually drop RSA1024 keys entirely. I've started building this, though, so we'd better figure out out fairly soon. Other proposals, like 224, depend on this one. (2/2014) 223 Ace: Improved circuit-creation key exchange Here's an interesting one. It proposes a replacement for the ntor handshake, using the multi-exponentiation optimization, to run a bit faster at an equivalent security level. Assuming that more cryptographers like the security proof, and that the ntor handshake winds up being critical-path in profiles as more clients upgrade to 0.2.4 or 0.2.5, this is something we should consider. (12/2013) 224 Next-Generation Hidden Services in Tor This proposal outlines a more or less completely revised version of the Tor hidden services protocol, improved to accomodate better cryptography, better scalability, and defenses for several attacks we'd never considered when we did the original design. Some parts of this one are clearly right; some (like scalability) are entirely unwritten. This proposal needs a lot of attention and improvements to get it done right. I hope to implement this over the course of 2014. (12/2013) 225 Strawman proposal: commit-and-reveal shared rng Proposal 224's solutions for bug #8244 require that authorities regularly agree upon a shared random value which none of them could have influenced or predicted in advance. This proposal outlines a simple one that isn't perfect (it's vulnerable to DOS and to limited influence by one or more collaborating hostile authorities), but it's quite simple, and it's meant to start discussion. I hope that we never build this, but instead replace it with something better. Some alternatives have already been discussed on tor-dev; more work is needed, though. (12/2013) 226 Scalability and Stability Improvements to BridgeDB: Switching to a Distributed Database System and RDBMS This one outlines design and behavior changes for a seriously refactored bridgedb. (2/2014) 227 Include package fingerprints in consensus documents Here we outline a scheme for including the digests of the latest versions of Tor software in consensuses, to help with update security. (2/2014) 228 Cross-certifying identity keys with onion keys This proposal signs each server's identity key with its onion keys, to prove onion key ownership in the router descriptor. It's not clear that this actually improves security, but it fixes an annoying gap in our key authentication. (2/2014) 229 Further SOCKS5 extensions Here's a nice idea for how we can support a new SOCKS5 protocol extension to relay information between clients and Tor, and between Tor and pluggable transports, more effectively. It also adds some additional SOCKS5 error codes. There are some open questions to answer. (2/2014) Since last time: 147 was closed as unnecessary. See discussion in the new "Reasons for Rejection" section at the end of that proprosal. 165 got clarified a little. 185 has been tweaked based on commentary from Karsten: the flag it proposes now works a little differently. 220 has been revised to have a more unified certificate format. 224 has been cleaned up, expanded, revised, and tightened. Proposals 226, 227, 228, and 229 are new.

1 0

New conventions for Tor ticket milestones
by Nick Mathewson 28 Feb '14

28 Feb '14

(This is going to be interesting for people who use trac to look at tickets for the component "Tor" -- that is, the core Tor network daemon -- and basically nobody else.) Hi, all! 0.2.5 is getting close to feature-freeze time: by default, any feature for which the code is not already implemented is now targeted for 0.2.6 or later. We can make smart exceptions, but we need to be careful. Yes, I'm trying to get major releases out more frequently. My target is still 2-3 per year. But this isn't a freeze announcement: it's a trac milestone announcment. You see, around when we do a freeze for Tor 0.2.N, we usually take one or two passes through the tickets labelled "Tor: 0.2.N-final" and move most of them --the ones that we can defer-- into "Tor: 0.2.(N+1)-final". That's a silly way to handle milestones, and it's only going to get sillier as we do more frequent releases. It means that 0.2.5-final, for instance, contains "everything we want to do in 0.2.5.x-final" plus "everything we *would like to do* in 0.2.5.x-final, given infinite resources" So, as discussed at the dev meeting, now that I'm doing the first pass of ticket triage for 0.2.5.x-final, I'm splitting tickets into three places, not 1: * Tickets that we should really take another look at and try to resolve before 0.2.5.x is stable remain in "Tor: 0.2.5.x-final". * Tickets that I really believe we should do in the 0.2.6 go into "Tor: 0.2.6.x-final". As usual, no guarantees. * Tickets which I want to do "real soon now", maybe in the next release, but where they aren't blocking any particular release go into "Tor: 0.2.???". This is the new "We would like to do this any day now" milestone. Also, as before: * Tickets where I'm clueless go into "Tor: unspecified" I'm trying to mark tickets where we should consider a backport with the appropriate keywords. "025-backport" means "A fix for this is backportable into 0.2.5 if we solve it soon enough and the fix is clean enough", and so forth. These are, necessarily, fuzzy categories. I'm also going to make some triage mistakes over the next few days. If there's anything that I'm putting in the wrong milestone IYO, let's talk. best wishes, -- Nick Mathewson

1 0

Proposal 229: Further SOCKS5 extensions
by Nick Mathewson 28 Feb '14

28 Feb '14

On Fri, Feb 28, 2014 at 3:53 AM, Yawning Angel <yawning(a)schwanenlied.me> wrote: > Hello all, > > Based on feedback from nickm/arma, I have extended the proposal to also > cover Tor's SOCKS port, including response codes related to hidden > service status. > > Additionally, instead of having a username/password field pre-defined, > the extended authentication method has been generalized to contain > key/value pairs for extra flexibility in the future. > > Questions, comments, feedback appreciated as always, This is now proposal 229! (I've wrapped the lines a little, but made no additional changes.) After adding it to Git, I made some redundancy tweaks and asked a bunch of annoying questions that we'll probably want to figure out before implementing anything like this. Filename: 229-further-socks5-extensions.txt Title: Further SOCKS5 extensions Author: Yawning Angel Created: 25-Feb-2014 Status: Draft 0. Abstract We propose extending the SOCKS5 protocol to allow passing more per-session metadata, and to allow returning more meaningful response failure codes back to the client. 1. Introduction The SOCKS5 protocol is used by Tor both as the primary interface for applications to transfer data, and as the interface by which Tor communicates with pluggable transport implementations. While the current specifications allow for passing a limited amount of per-session metadata via hijacking the Username/Password authentication method fields, this solution is limited in that the amount of payload that can be conveyed is restricted to 510 bytes, does not allow the SOCKS server to return a response, and precludes using authentication on the SOCKS port. The first part of this proposal defines a new authentication method to overcome both of these limitations. The second part of this proposal defines a range of SOCKS5 response codes that can be used to signal Tor specific error conditions when processing SOCKS requests. 2. Proposal 2.1. Tor Extended SOCKS5 Authentication We introduce a new authentication method to the SOCKS5 protocol. The METHOD number to be returned to indicate support for or select this method is X'97', which belongs to the "RESERVED FOR PRIVATE METHODS" range in RFC 1928. After the authentication method has been negotiated following the standard SOCKS5 protocol, the actual authentication phase begins. If any requirement labeled with a "MUST" below in this protocol is violated, the party receiving the violation MUST close the connection. All multibyte numeric values in this protocol MUST be transmitted in network (big-endian) byte order. The initiator will send an Extended Authentication request: +----+----------+-------+-------------+-------+-------------+--- |VER | NR PAIRS | KLEN1 | KEY1 | VLEN1 | VALUE1 | ... +----+----------+-------+-------------+-------+-------------+--- | 1 | 2 | 2 | KLEN1 bytes | 2 | VLEN1 bytes | ... +----+----------+-------+-------------+-------+-------------+--- VER: 8 bits (unsigned integer) This field specifies the version of the authentication method. It MUST be set to X'01'. NR PAIRS: 16 bits (unsigned integer) This field specifies the number of key/value pairs to follow. KLEN: 16 bits (unsigned integer) This field specifies the length of the key in bytes. It MUST be greater than 0. KEY: variable length This field contains the key associated with the subsequent VALUE field as an ASCII string, without a NUL terminator. VLEN: 16 bits (unsigned integer) This field specifies the length of the value in bytes. It MAY be X'0000', in which case the corresponding VALUE field is omitted. VALUE: variable length, optional The value corresponding to the KEY. The responder will verify the contents of the Extended Authentication request and send the following response: +----+--------+----------+-------+-------------+-------+-------------+--- |VER | STATUS | NR PAIRS | KLEN1 | KEY1 | VLEN1 | VALUE1 | ... +----+--------+----------+-------+-------------+-------+-------------+--- | 1 | 1 | 2 | 2 | KLEN1 bytes | 2 | VLEN1 bytes | ... +----+--------+----------+-------+-------------+-------+-------------+--- VER: 8 bits (unsigned integer) This field specifies the version of the authentication method. It MUST be set to X'01'. STATUS: 8 bits (unsigned integer) The status of the Extended Authentication request where: * X'00' SUCCESS * X'01' AUTHENTICATION FAILED * X'02' INVALID ARGUMENTS If a server sends a response indicating failure (STATUS value other than X'00') it MUST close the connection. [XXXX What should a client if it gets a value here it does not recognize?] NR PAIRS, KLEN, KEY, VLEN, VALUE: These fields have the same format as they do in Extended Authentication requests. The currently defined KEYs are: * "USERNAME" The username for authentication. * "PASSWD" The password for authentication. [XXXX What do these do? What is their behavior? Are they client-only? Right now, Tor uses SOCKS5 usernames and passwords in two ways: 1) as a way to control isolation, when receiving them from a SOCKS client. 2) as a way to encode arbitrary data, when sending data to a PT. Neither of these seem necessary any more. We can turn 1 into a new KEY, and we can turn 2 into a new set of keys. -NM] [XXX - Add some more here, Stream isolation? -YA] [XXXX What should a client if it gets a value here it does not recognize? -NM] [XXXX Should we recommend any namespace conventions for these? -NM] 2.2. Tor Extended SOCKS5 Reply Codes We introduce the following additional SOCKS5 reply codes to be sent in the REP field of a SOCKS5 message. Implementations MUST NOT send any of the extended codes unless the initiator has indicated that it understands the "Tor Extended SOCKS5 Authentication" as part of the version identifier/method selection SOCKS5 message. [Actually, should this perhaps be controlled by additional KEY? (I'm not sure.) -NM] Where: * X'E0' Hidden Service Not Found The requested Tor Hidden Service was not reachable. * X'E1' Hidden Service Not Reachable The requested Tor Hidden Service was not found. * X'F0' Temporary Pluggable Transport failure, retry immediately Pluggable transports SHOULD return this status code if the connection attempt failed, but the pluggable transport believes that subsequent connections with the same parameters are likely to succeed. Example: The ScrambleSuit Session Ticket handshake failed, but reconnecting is likely to succeed as it will use the UniformDH handshake. * X'F1' Pluggable transport protocol failure, invalid bridge Pluggable transports MUST return this status code if the connection attempt failed in a manner that indicates that the remote peer is not likely to accept connections at a later time. Example: The obfs3 handshake failed. * X'F2' Pluggable transport internal error Pluggable transports SHOULD return this status code if the connection attempt failed due to an internal error in the pluggable transport implementation. Tor might wish to restart the pluggable transport executable, or retry after a delay. 3. Compatibility SOCKS5 negotiates authentication methods so backward and forward compatibility is obtained for free, assuming a non-broken SOCKS5 implementation on the responder side that ignores unrecognised authentication methods in the negotiation phase. 4. Security Considerations Identical security considerations to RFC 1929 Username/Password authentication applies when doing Username/Password authentication using the keys reserved for such. As SOCKS5 is sent in cleartext, this extension (like the rest of the SOCKS5 protocol) MUST NOT be used in scenarios where sniffing is possible. The authors of this proposal note that binding any of the Tor (and associated) SOCKS5 servers to non-loopback interfaces is strongly discouraged currently, so in the current model this is believed to be acceptable. 5. References Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., Jones L., "SOCKS Protocol Version 5", RFC 1928, March 1996. Tor Project, "Tor's extensions to the SOCKS protocol" Leech, M. "Username/Password Authentication for SOCKS V5", RFC 1929, March 1996. Appelbaum, J., Mathewson, N., "Pluggable Transport Specification", June 2012. [XXX - Changelog (Remove when accepted) -YA] 2014-02-28 (Thanks to nickm/arma) * Generalize to also support tor * Add status codes for bug #6031 * Switch from always having a username/password field to making them just predefined keys. * Change the auth method number to 0x97 2014-02-28 (nickm's fault) * check it into git * clean text a little, fix redundancy * ask some questions

1 0

Pluggable transports meeting today (Friday 28th of February 2014)
by George Kadianakis 28 Feb '14

28 Feb '14

Greetings humans, this is an email to remind you that the regular biweekly pluggable transports meeting is going to happen today. Place is the #tor-dev IRC channel in OFTC. Time is 17:00 UTC (it's in an hour!). Cheers!

1 0

Translation priority
by Colin C. 28 Feb '14

28 Feb '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi everyone, Our contact at OpenITP has requested a list of resources / strings that we would like to potentially give priority to. If anyone has a project that is currently on our Transifex (or one that isn't and should be), and would like to see certain things translated with priority, please let me know and I will pass that information along. Thanks! - -- - -Phoul -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJTEE0BAAoJEJ01Zvx7KO7YSuMP/A1YvtZyOi+eb2vW0xqS1/+L YhffGKah5aGD8jEeAU/7kO7UQwOjOkTo7gCJGGtufIHcHDCxEqY2E6NyH0yhVQ1c qKMy6tZ/CL22ddSV0C2qz073R+YJ5oGjUM3rpYk7FdyxfvHBtbeb9GA/oYRxZGoQ QutNWFtl1C/UYzvBD5pGybH2dNHeHEHnCmCnMI4R9sWyBSneg/GasOwrGuNq+oKC Kc+ncfPs6C5/qqTdpgnd62EFE9LIYfChYP98FtQo8+azAcIWolaqM34j8F0IidQV yXIhWZLU7tU+efWwqAPTN7cPzIjKoBOatV1QkT/LRqhupDM27CBEm9ghGfQ1lszt nVG5GOMeobCnHJahGQiqyfngE/EcjkakOlFpygC7hfcjoiMhqdkt/r7Ar1euI9Oo HND6UvGJLP+CuRFfwAt31I5BMEHuqr0rPN3RZ8lu7QAl/L0sQDH8BQfAqoCjPurm SBq6GNbufQxzkvF4BY4c1Dw4ij6muwaV8VJBNulMVrEq5a857MD94FEm1qLlZ2OL z5p9uxfMfwWXQWVe4b8dKG2MhjphrtlFp+6zGPTYt5CN70B+F8gnVqkBrmgojoKl KnIlaULfuQBOI7E8VEge+iOAGnFUfQ5+s9hiRv82sxy0N9dx63t4Ce3U6m71dgUN CGwOz8wow4UfD0Cvdj1K =LUYK -----END PGP SIGNATURE-----

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev February 2014