tor-dev February 2014

tor-dev@lists.torproject.org

61 participants
60 discussions

Re: [tor-dev] 2014WinterDevMeeting/notes/TBBReleaseProcess
by intrigeri 17 Feb '14

17 Feb '14

Hi, FWIW, from my Tails PoV: * I concur, it would be very helpful for us to have some better visibility on what's coming in the next TBB. * Mike has answered us in a very kind, timely and detailed way every time we've asked him this information. Many thanks! Also, I figured it would be good if the Tor Browser team was aware that we've been playing a kinda dangerous game lately: we are generally building our browser and ISO on the Sunday before a Firefox release is scheduled, so that we can test it on Monday, and release on Tuesday at the same time as Firefox. The rebased Tor browser patches are usually published at a time when we've already built our browser. Until now, it has been fairly smooth and painless: the slightly older patches apply nicely on the new tree, and the resulting browser works fine. Worst case, we've missed some last-minute improvements. However, I'm a bit scared that one these days, Tails users are hit by an important problem caused by this scheduling mismatch. I'm not expecting the Tor Browser folks to work week-ends and make our life easier, so the best we can do is possibly to go on automatizing things, so that we can reduce the time manual testing of Tails releases takes, and build our browser later. Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

2 1

gsoc-2014
by G.VAMSHI KRISHNA REDDY 16 Feb '14

16 Feb '14

hi, I am vamshi pursuing B-Tech in CSE and MS by Research in CSE at IIIT Hyderabad(currently second year). I am interested in participating gsoc-2014 by doing project under your organization. I am familiar with python and interested doing the project in python language by contributing to the python tool Chutney.Can anyone suggest me how to get started with this tool and how to go further in applying for this organization for doing project this summer. Thanks, vamshi

3 2

[Discussion] 5 hops rendezvous circuit design
by Qingping Hou 14 Feb '14

14 Feb '14

Hi all, We are a university research group and following is a proposal for possible optimization on Tor's rendezvous circuit design. It's not written as a formal Tor proposal yet because I want to have a discussion with the community first, get some feedbacks and make sure it does not introduce new vulnerabilities. So please feel free to comment if you have any thoughts or find any holes :) PS: a txt version of the proposal is attached in this mail as well. ------------------------------------------------------ The changes described in this document is focused on speeding up hidden service while at least keeping the same level of anonymity as current version provides. Naming conventions: HSv3: current version of hidden service protocol HS5h: hidden service protocol that uses 5 hops HS: hidden service client: The onion proxy that tries to communicate with HS HSDir: hidden service directory RP: rendezvous point 1. The 5 hops rendezvous circuit The setup on HS side is the same as HSv3. HS picks couple introduction points and uploads the descriptor to HSDir. The main difference is how to pick the RP. In HS5h, Instead of letting the client pick whatever node it wants, both client and HS use negotiation protocol to pick a RP collaboratively. Following is a high level description for the rendezvous circuit setup process in HS5h: (0) client fetches descriptor for a hidden service. (1) client connects to introduction point. (2) since client and HS are connected via introduction point, they can negotiate a random number using this channel. (For more details, see [RAND_NEGO]) (3) both client and HS maps that random number to a random onion router using the same scheme, so they end up with the same node. This is the candidate RP. (4) both client and HS create a 3 hops circuit using RP as last hop. (5) RP joins the circuit originates from HS to the circuit originates from client. (6) now client and HS are connected. Because their original circuits share the same endpoint(the RP), the length of the path is 5 hops. Improvement: (1) Reduction in circuit setup time. Both the client and HS only build 3 hops circuit now. While In current protocol(HSv3), HS needs to build a 4 hops circuit. (2) A shorter circuit means less transmission delay. It uses only one more hop compared to HSv3's Tor2Web mode. Also the circuit length for HS5h's Tor2Web mode can be further reduced to 3 hops. (3) Less setup time on client side for the first connection. In HSv3, a client has to first setup a 3 hops circuit to RP before sending INTRODUCTION1 cell to the introduction point. While in HS5h, this process is removed. Possible drawback: (1) An extra step is needed: random number negotiation. This result ins more communication between two nodes and Introduction point needs to remember states for the negotiation. We think this negotiation step will not introduce a noticeable delay to the whole process. Firstly, it reuses the connection to introduction point for both sides so it requires no extra circuits build up. Secondly, the bottle neck is circuit setup, cell/stream transmission delay is actually pretty low. 2. Negotiate random numbers between two nodes [RAND_NEGO] H(a) here means digest of message a. (1) client generates a random number R_a and sends the digest H(R_a) to HS (2) HS remembers H(R_a), generates a random number R_h and sends it back to the client (3) client receives R_h and sends back R_a to HS (4) HS checks R_a against H(R_a) to make sure it's not generated after client receives R_h. (5) Now both client and HS compute a shared random number using R_a and R_c. (for instance, simply add up these two number) The negotiation protocol can be very simple here because only two parties are involved and the random number does not need to be remained secret. Note that at step 2), if HS is able to recover R_a from H(R_a), it can take control over R_c. So to mitigate this, we can use a variant of Diffie-Hellman handshake: (1) client generates a public key g^x and sends the digest H(g^x) to HS (2) HS remembers H(g^x), generates a public key g^y and sends it back to the client (3) client receives g^y and sends back g^x to HS (4) HS checks g^x against H(g^x) to make sure it's not generated after client receives g^y. (5) Now both client and HS compute a shared random number: R_c = g^(xy) 3. Rough anonymity analysis for HSv3 and HS5h 3.1. Assumptions, attack rules and constraints In this section, we assume 3 hops being the minimal circuit length to keep the origin node of a circuit anonymous from the destination. Two simple attack rules are used to remove nodes from a circuit: 1. If node A is picked by the attacker, then he can pick himself as node A. 2. If the identity of node A is known by the attacker, then he can connect directly to it. To defense against these attack rules, following constraints need to be enforced for a circuit: 1. No one except the circuit originator can have total control over choice of all nodes on the circuit. Note that it's OK even if the originator does not have total control. 2. Identity for all nodes on the circuit, except the last hop, must remain secret. i.e. only known by circuit originator. 3.2. Why 6 hops is the minimal circuit length for HSv3 First let's begin with an ASCII graph for HSv3 rendezvous circuit: Client -> (a1) -> (a2) -> (RP) <- (b3) <- (b2) <- (b1) <- HS Client chooses 3 ORs: a1, a2, RP. HS chooses the other 3 ORs: b3, b2, b1. Now consider HS as the malicious side. In order to get closer to client, the best it can do is to connect directly to RP, which reduces the circuit length to 3 hops: Client -> (a1) -> (a2) -> (RP) <- HS If client is the malicious side, the best it can do is to choose itself as RP, which also reduces the circuit length to 3 hops: Client <- (b3) <- (b2) <- (b1) <- HS Taking any node from the original 6 hops circuit will result in 2 hops circuit in either case. As noted above, 3 hops is assumed to be the minimal circuit length. 3.3. Why HS5h only needs 5 hops HS5h makes use of the fact that the last hop of a circuit is different from all previous hops. Since last hop will be in direct contact with the destination host, its identity does not need to be remain secret. We only have to make sure the last hop cannot be determined by any malicious host at will. Otherwise the malicious side can just pick himself as last hop and thus shorten the circuit. This is where hop negotiation come into play. A negotiated hop is guaranteed to be a random node and cannot be determined by anyone. So it can be used as the last hop for both client and HS. Since the last hop for both sides overlaps, it's effectively acting as a rendezvous point. In comparison, in HSv3, the rendezvous point is picked and controlled by the client. Therefore it can not be used as the last hop for HSs' rendezvous circuit. Again, following is an ASCII graph for a HS5h rendezvous circuit: Client -> (a1) -> (a2) -> (RP) <- (b2) <- (b1) <- HS Now if the client is malicious, it can only connects directly to the RP, i.e. pick the second last hop as himself. Therefore HS can still maintain a 3 hops distance from the malicious client: Client -> (RP) <- (b2) <- (b1) <- HS While in HSv3, the client can pick himself as the RP. And because this is a symmetric scheme, the same argument goes for malicious HS: Client -> (a1) -> (a2) -> (RP) <- HS Either cases, we maintained a 3 hops circuit. 3.4. Summary We took 3 as the minimal circuit length because that's the default setup in Tor. The analysis should work for any number. To generalize it, if N is the minimal circuit length, then: 1) without node negotiation, the minimal rendezvous circuit length is 2N. 2) with node negotiation, the minimal rendezvous circuit length is 2N-1. 4. Other possible speed optimization under HS5h 4.1 Optimistic rendezvous mode Similar to optimistic_data for AP connections, we can implement optimistic_rendezvous mode under HS5h. The basic idea is to optimistically assume any picked candidate RP will be willing to act as a RP. Since now we need to maintain state in introduction point to help with node negotiation, we can use it to communicate with HS when establishing the rendezvous circuit. So both client and HS can launch circuits to newly negotiated RP simultaneously. If this candidate RP refuses to be a rendezvous point to one side, the other side can be notified via introduction point. Then client and HS can go through the negotiation process again to pick a new candidate RP. This mode can also be implemented under HSv3 as well. In HSv3, wait for RENDEZVOUS_ESTABLISHED cell and sending INTRODUCE1 cell has to be a sequential operation. With optimistic_rendezvous mode, this can be done in parallel. NOTE: we need to test RENDEZVOUS_ESTABLISHED rate in real tor network. If the rate is low, then this mode will slow down the setup process instead. To make this mode work even better, we can have all OR explicitly mark whether it is willing to be a rendezvous point in it's descriptor. This should greatly increase the success rate for receiving RENDEZVOUS_ESTABLISHED. 5. Hazards a) How to design the scheme for mapping a random number to the same node between client and server? This will be trivia if it's easy to synchronize node list between two onion proxy. The problem is: how much overhead will be caused by synchronizing node list (or consensus). b) How much overhead will be introduced by maintaining state for node negotiation? Since in HS5h, both introduction point and hidden service need to maintain state for node negotiation. To do so, the client can send something like a negotiation identifier in the initial introduction request. Then for introduction point, it can mark the circuit from the client with this ID. For HS, it can hash the negotiation state structure into a hash table with ID as the key. Theoretically, this overhead should be low, because the "negotiation ID" is just like rendezvous cookie.

8 16

Tor Weather: Running background script
by Abhiram Chintangal 14 Feb '14

14 Feb '14

Karsten, From last meetings discussion, I tried a few things to figure out why the script, "listener" (invoked by django command runlistener) fails to do its job : 1. make the event listener listen to a different type 2. Add "UseMicroDescriptors 0" to tor client config 3. Enable debug log for the tor process The script gets invoked from the django command and then after some log messages it calmly dies. The debug log from tor has a details about the brief activity on its control port [1]. Let me know what you think. Thanks! Abhiram Chintnagal [1]: https://gist.github.com/achintangal/9002896

1 0

Re: [tor-dev] [Discussion] 5 ^H 3 hops rendezvous circuit design
by str4d 14 Feb '14

14 Feb '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/13/2014 11:43 AM, Zack Weinberg wrote: > (Four hops is what I2P uses, with two chosen entirely by the client > and two entirely by the server; but there appears to be nothing to > guarantee that a malicious peer can't connect directly to its > counterparty's two-hop chain, sacrificing some of its own anonymity > but getting closerfor a while now to the counterparty. I did just > argue that that shouldn't matter, though...) Just FTR, since 0.9.7.1 I2P defaults to 3 hops for "client" tunnels (so default of 6 hops end-to-end, and 12 hops round-trip). And yes, there is nothing stopping a malicious peer building zero-hop tunnels (acting as its own Outbound Endpoint/Inbound Gateway), just as honest clients or servers can choose to use zero-hop tunnels (e.g. a website or IRC network that requires no anonymity of its own, but wants its users to benefit). str4d > > zw > > > > _______________________________________________ tor-dev mailing > list tor-dev(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQEcBAEBCgAGBQJS/f/RAAoJENXeOJaUpGWyUB8H/RI45Bc7TXc7y2SN0Tj1Sabz Wwjqb4tb4fhcFV7C6biJEFg6sKR1GPnNAa6AsadoMREJ/KD64t9eoii1g38x/UdN GxwHLk/h7zJCTRxMR0W89S7nIGimzp/I12urLXwYvvIoKjbytX1a9e3TkZpBmOvS D1JvAhVeoMa2dUfjT4jZH83kGQ3PlWvYPOvyv5CiSgoE6KHXWn2pYfNiOQF8mzWU oDU0TaNMsATjX/y1bwPAdf6w+DoKOw2xmpVyutY5+CYRC9BrvqAyV5WWwVvOTZHz gTIYVToLGN79PBsMDT0nJoxvm58a734qR9XANo5fDegkJIWKY+Ac/cBwadq25A0= =1wAz -----END PGP SIGNATURE-----

1 0

Release Candidate: TBB 3.6 + fteproxy 0.2.6
by Kevin P Dyer 13 Feb '14

13 Feb '14

Hi all, Please see [2] for a patch that integrates fteproxy into dcf's 3.6-beta branch [3] of the TBB. This integration targets version v0.2.6 of fteproxy [1]. asn/mikeperry - What do you need from me to merge this patch to master? -Kevin [1] https://github.com/kpdyer/fteproxy/releases [2] https://trac.torproject.org/projects/tor/ticket/10362#comment:11 [3] https://gitweb.torproject.org/user/dcf/tor-browser-bundle.git

3 4

ScrambleSuit issue in old bridges
by George Kadianakis 12 Feb '14

12 Feb '14

(Forwarding this mail to tor-dev, since I accidentally sent it to tor-assistants) Hey Philipp, another thing we should think about is what should happen when ScrambleSuit is run in bridges that don't support server-side PT parameters. In the past this was not a problem, because ScrambleSuit would not run at all in those older versions of Tor. However, after we introduced the automatic generation of scramblesuit fallback passwords, scramblesuit will happily startup, generate a fallback password, and pass it to Tor. The problem is that Tor will simply ignore the fallback password (see parse_smethod_line() in tor-0.2.4.x), but still pass the scramblesuit bridge to BridgeDB. So if I'm not mistaken, BridgeDB might see some scramblesuit bridges without a password. Such bridges are pretty much useless, since clients can't connect to them. What should we do about this? One solution might involve scramblesuit somehow recognizing the version of Tor, and refusing to start if Tor doesn't support server-side bridge parameters.

1 0

A threshold signature-based proposal for a shared RNG
by Nicholas Hopper 11 Feb '14

11 Feb '14

A Threshold Signature-based Shared RNG 0. Overview This proposal is for a design of a shared RNG to address ticket #8244 - "The HSDirs for a hidden service should not be predictable indefinitely into the future," /without/ requiring byzantine agreement protocols at each RNG period. The basic idea of this proposal is to have directory authorities use a deterministic threshold signature scheme to sign Hash(time-period) in each consensus document. This is done simply by having each authority contribute a publicly-verifiable share of the signature during the voting process. As long as at least ceiling(n/2) authorities are honest, the signature can be re-constructed by each client. Since the signature is hard to compute if you don't control at least ceiling(n/2) authorities, its inclusion in the input to a hash function (e.g. for use in constructing the HS hash ring) will make the output of the hash function pseudorandom. (In the strong cryptographic sense that unless you can break the signature scheme, you can't distinguish the hash from a truly random string of the same length) 1. Notation and such This protocol can work over a group G, using a subgroup generated by an element B of prime order p. We'll use Curve25519 [Curve25519] for concreteness, but any group where the Computational Diffie-Hellman problem is difficult would do. We'll denote multiplication of scalars (e.g. mod p) by *, e.g. a*b; we'll denote multiplication of a group element P by scalar a by a.P. We will make use of Shamir threshold secret sharing, described, e.g. in Handbook of Applied Cryptography [HAC], over the integers mod p. For a subset S = {P_1,...,P_t} of size t, we'll denote the lagrange multipliers for S by m_1,...m_t (eg. if each P_i has share s_i of secret x, then m_1*s_1 + m_2*s_2 + ... + m_t*s_t = x.) We assume that each authority S_i has a publicly known verification key VK_i and signing key sk_i for a digital signature scheme (Sign, Verify). We model network communications as point-to-point with bounded delay and assume at most t-1 authorities are compromised. (Without these assumptions, the consensus voting protocol is also broken) We'll need a hash function H that can output elements of the subgroup generated by B with unknown discrete logarithms. For Curve25519, it should work to compute H(x) by computing SHA256(x), and mapping this 256-bit string to the curve as in the Curve25519 paper. A security proof would model this H as a random oracle. We'll need a distributed threshold key generation algorithm which works as follows: Input: Parties S_1,...,S_n Output: to all players: group public key P = x.B. player public key shares s_1.B, ..., s_n.B to each player P_i: secret key s_i) such that the secret keys s_i are (n,t) secret shares of the (unknown) secret key x. We discuss choices to implement this protocol in section [DKG] We will also require a noninteractive zero-knowledge "signature of knowledge" that can be bound to a message m, to prove that two points P, Q have a common discrete logarithm to bases B and R respectively. We denote this proof by SK { s : s.B = P && s.R = Q } (m) and discuss its implementation in section [SKDH]. 2. Overall Protocol description [CONSENSUS-RANDOM] The protocol requires that periodically the authorities run the distributed key generation procedure to produce the threshold public key P = s.B, and public key shares P_1 = s_1.B, ... , P_n = s_n.B. This can be done infrequently, since its only purpose is to limit key exposure. For the time period starting at time T, the authorities generate the shared random value as follows: Step 1. [Period Base] Each authority (and anyone else interested) generates the "time period base point" R in G, by computing R = H("tor-hs-rand-base-point " || period valid-after time) Step 2. [Signature Share] Each authority S_i uses its secret share s_i and signing key sk_i to generate its signature share SHARE_i as follows: SHARE_i = R || Q_i || PROOF_i || Sign_i(R || Q_i || PROOF_i) Q_i = s_i.R PROOF_i = SK { s_i : s_i.B == P_i && s_i.R == Q_i }(S_i || T) Each SHARE_i is appended by S_i to the network consensus document for time period T in a separate section. Step 3. [Validation] Tor clients locally validate SHARE_i from server S_i for time period T as follows: i. Verifythe signature using verification key vk_i. ii. Check that R = H("tor-hs-rand-base-point " || T). iii. Verify PROOF_i for points (P_i, Q_i) with bases (B,R) . SHARE_i is considered valid if and only if all three checks succeed. Step 4. [Aggregation] If at least t = ceiling(n/2) valid shares appear in the consensus, Tor clients locally compute the randomizer string RAND for time period T as follows: i. Let (S[j], Q[j]) for j = 1,...,t denote the identities (S_i) and signature shares (Q_i) associated with t valid SHARE_i values. ii. Compute the Lagrange multipliers m[j] for x points S[1]...S[t] iii. Compute RAND = m[1].Q[1] + m[2].Q[2] + ... + m[t].Q[t] Notice that RAND = m[1]*s[1].R + ... + m[t]*s[t].R = x.R If there are not enough valid shares, the protocol fails; this indicates that a majority of the directory authorities are faulty or compromised. If we wanted a fail-open solution, possibilities include hashing the list of valid SHARE values, or taking the hash of the previous consensus RAND value. [XXX - other options or opinions?] 3. Signature of knowledge scheme [SKDH] Given values (R,S), bases (P,Q), and exponent s such that R=s.P, S = s.Q, we use the "Fiat-Shamir Heuristic" with the proof of equality of discrete logarithms due to Chaum-Pedersen [CP92, Sec. 3.2] to generate SK { s : s.P == R && s.Q == S } (m) As follows: i. Choose random integer a in [0,p-1] ii. Compute: U = a.P V = a.Q c = Hash(U || V || m) z = a + s*c (mod p) iii. Output (U,V,z) The proof is verified by computing cc = Hash(U || V || m) and checking that z.P == U + cc.R z.Q == V + cc.S 4. Distributed Key Generation [DKG] We'll need a protocol satisfying the following specs: Input: Parties S_1,...,S_n Output: to all players: group public key P = x.B. player public key shares s_1.B, ..., s_n.B to each player P_i: secret key s_i such that the secret keys s_i are (n,t) secret shares of the (unknown) secret key x. There are several options for such a protocol, depending on what we want to assume about the network over which the authorities will run the protocol (Presumably, the Internet): - If we assume "weak synchrony" (messages are eventually delivered without unbounded delay), the protocol of Kate and Goldberg [KG09] can tolerate floor((n-1)/3) corruptions and still run to completion. - If we assume bounded delay but allow "rushing" adversaries and adaptive corruptions, the protocol of Garay et al [GKKZ11] can be used to realize the broadcast channel required for Pedersen's protocol [Ped91] while tolerating up to t-1 = floor(n/2) corruptions. - If we assume bounded delay and static corruptions, the protocol of Dolev and Strong [DS83] can be used to realize the broadcast channel required for Pedersen's protocol and tolerate up to t-1 corruptions. I'm not an expert on byzantine agreement protocols, so it is possible that there exist other, more easy to implement/manage options as well. 5. References [CP92] David Chaum, Torben Pryds Pedersen. "Wallet Databases with Observers", CRYPTO 92, pp 89-105. http://link.springer.com/chapter/10.1007/3-540-48071-4_7 [CURVE25519] Daniel J. Bernstein. "Curve25519: new Diffie-Hellman speed records", PKC 2006, pp 207-228. http://cr.yp.to/papers.html#curve25519 [DS83] D. Dolev and H. Strong. "Authenticated algorithms for Byzantine agreement", SIAM J. Computing 12(4):656-666, 1983. http://www.cse.huji.ac.il/~dolev/pubs/authenticated.pdf [GKKZ11] Juan Garay, Jonathan Katz, Ranjit Kumaresan, Hong-Sheng Zhou. "Adaptively Secure Broadcast, Revisited", PODC 11, pp 179-186. http://chess.cs.umd.edu/~jkatz/papers/asb-final.pdf [HAC] Alfred Manezes, Paul van Oorschot, Scott Vanstone. "Handbook of Applied Cryptography", CRC Press, 1996. http://cacr.uwaterloo.ca/hac/ [KG09] Aniket Kate, Ian Goldberg. "Distributed Key Generation for the Internet", 29th International Conference on Distributed Computing Systems, June 2009. https://cs.uwaterloo.ca/~iang/pubs/DKG.pdf [Ped91] Torben Pryds Pedersen. "Non-interactive and information-theoretic secure verifiable secret sharing," CRYPTO91. http://www.cs.huji.ac.il/~ns/Papers/pederson91.pdf -- ------------------------------------------------------------------------ Nicholas Hopper Associate Professor, Computer Science & Engineering, University of Minnesota Visiting Research Director, The Tor Project ------------------------------------------------------------------------

3 7

Looking up bridges in Globe et al. by fingerprint
by Karsten Loesing 11 Feb '14

11 Feb '14

Hi bridge address distribution people, hi bridge status website developers, hi bridge operators, here's a problem that recently came up when Christian and I discussed making Globe a JavaScript-free website. The current Globe uses client-side JavaScript to detect if the user entered a 40-character hex fingerprint. In that case, it runs the input through SHA-1 and sends only the digest to the Onionoo service. That's why Onionoo supports four cases and does not support a fifth case (number 3 below): 1. original relay fingerprint: return the matching relay, because it might have been a different client than Globe that sent the request and did not run the fingerprint through SHA-1; 2. SHA-1 of relay fingerprint: return the matching relay, too, because this could have been Globe running the original relay fingerprint through SHA-1; 3. original bridge fingerprint: don't return anything, because Onionoo should not see original bridge fingerprints at all; 4. SHA-1 of bridge fingerprint: return the matching bridge, because not all clients are like Globe and might not run fingerprints through SHA-1; and 5. SHA-1 of SHA-1 of bridge fingerprint: return the matching bridge that the user was looking for when they put in the SHA-1 fingerprint which was then converted to the SHA-1 of the SHA-1. That's what the current Globe can do, because it uses JavaScript on the client side. But the new server-side Globe cannot do that! And I don't have a good solution yet. Here are some ideas, each of them having pros (-) and cons (+): 1. Globe runs full fingerprints through SHA-1 on the server. - The Globe server learns a lot of bridge fingerprints, which makes it a juicy target, because bridge fingerprints can (in the future?) be used to fetch bridge descriptors containing bridge addresses. + This variant is really easy to implement. 2. Globe does not run full fingerprints through SHA-1 on the server and instead forwards everything to Onionoo. - Not only the Globe server, but also the Onionoo server learns bridge fingerprints. + We teach users that they shouldn't copy their original bridge fingerprint into the Globe search window. For example, we could tell them the single line of Python they need to run their fingerprint through SHA-1. While they might have "spoiled" their first bridge, they'll know for their other bridges. - Nobody will understand the above. 3. Tor prints out the SHA-1 fingerprint to its logs or to a hashed-fingerprint file. + Bridge users who know to read the fingerprint file can as well read the hashed-fingerprint file or the logs. We could even add a link "How do I search for my bridge" to the Globe page and explain to look out for that file or read the logs. - Only very few people will find that file or click the link. We'll have to do either 1 or 2 in addition to 3. 4. Sanitized bridge descriptors contain original fingerprints. + It will be a lot easier to search for bridges if it works the same way as searching for relays. + The sanitizing process will be easier. - We lose the option to enable bridge clients to update their bridge descriptors by sending the bridge fingerprint to the bridge authority. - This is going to keep me busy for a while for updating the various metrics code that expects SHA-1 fingerprints rather than original fingerprints. I can do that though. What do you think? All the best, Karsten

3 5

obfsproxy & openvpn
by George Kadianakis 10 Feb '14

10 Feb '14

Hey Jurre, till we fix #9221 (the issue of obfsproxy not having a SOCKS5 listener), you might be able to work around this problem by doing what kheops did here: https://github.com/kheops2713/telecomix-openvpn/commit/83984d822290f3445adf… Basically he is using the external mode of obfsproxy, where he makes the client forward traffic to a specific IP/port instead of starting up a SOCKS listener. Might work...

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev February 2014