tor-dev October 2015

tor-dev@lists.torproject.org

64 participants
82 discussions

Reminders: this week's Tor dev meeting is still at 1330 UTC today
by Nick Mathewson 28 Oct '15

28 Oct '15

Hi! Reminder 1: There is a weekly meeting where we talk about development progress on the program "tor". Reminder 2: It has been at 1330 UTC; it is still at 1330 UTC for this week. (Remember, some of the world has made DST changes, but not all of the world.) Reminder 3: It will be at a different time (TBD) next week. Thanks, all! -- Nick

1 0

TB 5.0.3 for OpenBSD released
by attila 28 Oct '15

28 Oct '15

The Tor BSD Diversity Project (TDP) is proud to announce the release of Tor Browser (TB) version 5.0.3 for OpenBSD. TDP (https://torbsd.github.io) is an effort to extend the use of the BSD Unixes into the Tor ecosystem, from the desktop to the network. The 5.0.3 release is the sixth release of the Tor Browser from TDP. To install TB for OpenBSD, please see http://mirrors.nycbug.org/pub/snapshots/packages/amd64/README if you are running OpenBSD -current on amd64. TDP is focused on diversifying the Tor network, with TB being the flagship project. Additional efforts are made to increase the number of *BSD relays on the Tor ntwork. Since its launch in March 2015, TDP has made significant contributions. In addition to the TB releases, both BSDCan and BSDCon Brasil featured TDP-focused meetings. In early October, the TDP focused presentation (http://www.queair.net/br-pres) prompted a significant increase in Tor relays in Brazil. Before the presentation, there were around 22 Tor relays, all of which were Linux in addition to two Windows nodes. In the weeks after the presentation, several new *BSD Tor relays appeared, accounting for up to 35% of bandwidth provided by new Tor relays in Brazil. Finally, TDP is working to convince BSD-using businesses to follow Mozilla's December 2014 example to run Tor relays. At this point, New York Internet has commited to running two high-bandwidth relays, one FreeBSD and the other OpenBSD, at its facility in Bridgewater, New Jersey. TDP's source code repository resides at http://github.com/torbsd. If you want to build the ports from source under OpenBSD-current the current tarball is available at http://bits.haqistan.net/~attila/tbb.tgz Feel free to bug me if you need help (contact infos on my home page: http://trac.haqistan.net/~attila). TDP is seeking funding to continue and extend its efforts. Please contact us if interested in assisting TDP, allowing us to dedicate more time to the project. Pax, -A -- http://trac.haqistan.net | attila(a)stalphonsos.com | 0xE6CC1EDB

2 1

Feedback on CollecTor web redesign
by Karsten Loesing 28 Oct '15

28 Oct '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi devs, I just finished a redesign of the CollecTor website and would appreciate your feedback: https://metrics.torproject.org/index2.html For reference, the old CollecTor website is still available here: https://metrics.torproject.org/index.html https://metrics.torproject.org/formats.html Let me add that I'm not a web designer, and let me prove that statement by telling you that <i>all</i> HTML on that website was written using vim. I'm more than happy to accept patches or suggestions, though I'll likely ask you to explain them to me. Thanks! All the best, Karsten -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJWJpaaAAoJEJD5dJfVqbCr8/YIAIimH7j5Z2qr7OwfhBrH20MJ fNoBEdFBjSveWTYsB/77yZx1mEtDTXI/FCCQM5AURmE82SUJQ1Ocumn+J2mVgdmh hobxFrQBnsSWdK0qDtyNc7U5oDX7P6ruoBdfwBtFppXpp/VHkFsU0TIiMxcqGcUH yuHzRlaSIUpOXzaFl4STeEM9zmFqaR8+qayteWrWQpLMHf3SOksXKcr14+8CZmsl C7YopnoLqglo0dQA9FjM3U+w9MnEoHHskN4Yl4ZkQFGYPziqNRFTHmvCoKEMUz3u 0o1Emcmxc9jaZbyBU8Vbh474uEXM2ZtWSlMUt9M3dBRkIyuHy6lcBMS5q3i2wXc= =hHc4 -----END PGP SIGNATURE-----

5 9

[Metrics Team] Metrics Team mailing list and Metrics Team wiki page
by Karsten Loesing 28 Oct '15

28 Oct '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Metrics Team members, hello devs, the Metrics Team now has a team wiki page and a team mailing list: https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam https://lists.torproject.org/cgi-bin/mailman/listinfo/metrics-team As described on the wiki page, the mailing list "is public in the sense that anyone can subscribe and read archives. But it's moderated on first post, meaning that your first post will be reviewed to make sure it's not spam and on topic and all further posts will go directly to the list. Feel free to subscribe and just listen if you want, and feel free to post if you have a question that you think is on topic." Everyone here should feel free to subscribe if they're interested in Metrics Team discussions. We should still move all discussions that are interesting to more people in Tor than just the Metrics Team to the tor-dev@ mailing list. Let's see how this works out. Note that future announcements, including meeting reminders, will go to the metrics-team@ list. (FWIW, there will be NO meeting tomorrow but next week.) All the best, Karsten -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJWMIJHAAoJEJD5dJfVqbCrpZcIALEmgZuRxflQHm5mTYhevYAn T5+tbclKDjjo3hfVmMdQOTtJFkLzkoO/jX4zTTuRiN3O+3jtcAcAtQ/xLLxA/wP3 wMJ76aRe6GIJ7lfO1+GQGKQCO1wO8lWDrY5vEr3yARWZB2KiSaFfWofe7nHq1G2V HjlUz+JeuAEWsLTxlkq+g3nrLpGtsEip3h85NA7pIicik35D1/W7S3jy/L1UKKO9 noH2QUBbQpfO0oW+Tjq+aYLO7hp98ThNO6JFDVM5tVOoDsxAnlMWtJQihDAlK7b0 5+sH6ixYBuvOOvoOCRl/3DJqTuQO+IpCcAGI7qLJOpMCIrAcsq0Lwaz5tJrieSk= =8Zhk -----END PGP SIGNATURE-----

1 0

1-1-1 task exchange meeting on Thursday, Oct 29, 15:00 UTC in #tor-dev
by Karsten Loesing 28 Oct '15

28 Oct '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello devs, we'll have another 1-1-1 task exchange meeting on Thursday, October 29, 2015, 15:00 UTC in #tor-dev https://www.timeanddate.com/worldclock/fixedtime.html?iso=20151029T15 Note how this may be a different time in your timezone based on the insight that we have all saved enough daylight for the year. Quick reminder: The idea of the 1-1-1 task exchange meeting is that participants get 1 minute to describe a task that would take somebody else roughly 1 hour and that they will do within 1 week. It could be to review a document, write some analysis code, fix a small bug, and so on. It's best to come prepared with a task or two to get the most out of this. In a perfect world people would give one task for each task they take, but that is not required. https://trac.torproject.org/projects/tor/wiki/doc/1-1-1-task-exchange Talk to you tomorrow. All the best, Karsten -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJWMHz2AAoJEJD5dJfVqbCr5e8H/3hPCDeEmrXuzEX4UZXxHoa+ RAsl5RN/Q2XFXMFayxno5BaGRBclusCDlbadOHcBcJeaZmETrfLmV1pN4OJA0yO9 RpNMcujl5VdOJSNcw5zxXn+QnHQPEqOUX4wFXuj/1BoAVRaek43IuqPTDTECNMRh 92vMaSJIQWxtudk5h0qhzB+DAEJSyTAU3gHH1yFecOITT2Nr69h6//WJIVn83rKW ViwLkQ4CoRfpp3aXyNRmMBEFj08bx09EAhI7bEkXYKf5oug5S/ah/YmHkHtfq+2D L9iz6vV/DdgXja/kcjMkakUvRAcSZPdNmmJwAqym2jCk+8FN9MsLW1ktL/R12xQ= =wU4R -----END PGP SIGNATURE-----

1 0

Desired exit node diversity
by grarpamp 28 Oct '15

28 Oct '15

On Wed, Sep 23, 2015 at 8:44 AM, tor-dev had: > I agree with Roger that ideally all relays can be exits (and since > we're being ideal, we'll assume that 'exit' means to every port). And > the network location distribution of relays by bandwidth is > proportional to both the client destination selection over time and > general Internet traffic over time, which match each other since we're > being ideal, and also matter since we're using an ideal trust-aware path > selection algorithm. And network wide route selection is such that > there is no congestion (generalizing Roger's assumption of infinite > exit capacity). Guessing that... assuming you can ship and calculate all the relay data / DHT / weights / KEX / circuits / preferences without bogging down your network or cpu... More relays being exits yields higher maximum possible path diversity. More relays being exits yields higher potential aggregate throughput between the network and clearnet. More exits yields broader more complete location overlay relavent to users (more relays yields more guards), datacenteres, and clearnet services (though there's as yet no attempt to exit near a service unless done manually). However when subject to global passive adversary tapping lots of the fiber, and you turn up more relays as exits (which are also non-exit relays by nature), you're adding lots more unused bandwidth over the same current consumption, leading to lots of unused quiet portions of the network. Which seems a greater potential for the adversary to "look, user just shot a unique traffic pattern completely through the quiet zone, gotcha". Whereas when the network links are full with clocked traffic (and fill traffic if there would otherwise be slack space) that observation attack is hardly as possible, to relavently impossible. If true, it seems to me adding more [non] exits should be pegged to some metrics and solicited on need / planning rather than turning up 6000 exits all at once. > In our ongoing work on trust-aware path selection, we assume a trust > distribution that will be the default used by a Tor client if another > distribution is not specified. (Most users will not have a reasoned > understanding of who they actually need to worry most about, and even > if they somehow got that right would not have a good handle how that > adversary's resources are distributed.) We call this adversary "The > Man", who is equally likely to be everywhere (each AS) on the > network. For relay adversaries, we assume that standing up and running > a relay has costs so weight a bit to make relays that have been around > a long time slightly more likely to be trusted. tor-relays had talk of individual humans keyparty signing their relays and including that WOT along with other trust and meta metrics in the consensus or other queryable datastore that could be used by the user to select preferred relay sets in whichever sensible or silly ways suited them. An adversary standing up relays has costs. Adversaries standing their human agents in public, even if their undercover is maintained, has additional costs and risks. > You > would then be faced with the political nightmare of issuing default > policies that tells users they should route with a weighting that says > country foo has an x percent chance of being your adversary, but > country bar has a y percent chance. (Likewise also have similar > statements that substitute 'large multinational corp.', 'major > criminal organization', 'specific big government agency that is > getting all the press lately' etc. for "country" in the last > sentence.) ======== In a sense this is like the original 'valid' flag, which you got by mailing me and having me manually approve your relay (and without which you would never be used as the entry or exit point in a circuit). Periodically I wonder if we should go back to a design like that, where users won't pick exit relays that don't have the "socially connected" badge. Then I opt against wanting it, since I worry that we'd lose exactly the kind of diversity we need most, by cutting out the relays whose operators we don't know. But both sides of that are just guessing. Let's find out! ======== These type of things may be better suited to a system where the users contribute their research and knowledge about the network into the network metadata db, and the users can query it to make their own decisions, follow other users prebuilt selection templates, or stick with the provided defaults.

3 3

[FWD: Re: Apple developer account + codesigning]
by Mike Perry 28 Oct '15

28 Oct '15

Here is some info about OSX codesigning, courtesy of Mike Tigas. It sounds like undoing the codesigning to verify build (and signing machine) integrity will be tricky. If anyone has more info on how to do that, it would be appreciated. ----- Forwarded message from Mike Tigas <mike(a)tig.as> ----- Date: Fri, 10 Jul 2015 01:29:02 -0400 From: Mike Tigas <mike(a)tig.as> To: Mike Perry <mikeperry(a)torproject.org> Subject: Re: Apple developer account + codesigning Hey Mike, Cool seeing y'all at that CPJ thing briefly. Yeah, that account is what you'll need to get the Apple-signed certs that let you codesign an app & allow it to launch unimpeded -- regardless of App Store or not. Used to be separate accounts for Mac vs iOS, but looks like it's just one account for everything Apple. (More info in the middle below on how to get the cert you need, etc.) On another open-source thing I work on <http://tabula.technology/>, we have a cross-platform JRuby program that we turn into a .app for Mac. We avoid the XCode IDE altogether (using a tool called `jarbundler` that turns our jar into a Mac .app bundle for us) and use the command-line "codesign" tool that comes with MacOSX or XCode (can't remember which). The invocation is basically like: codesign -f -s 'Developer ID Application: Mike Tigas (68QUP6KP2C)' /path/to/Foo.app Where the `-s` argument is the ID of the certificate you end up with from Apple -- see my comment here about "For production builds...": https://github.com/tabulapdf/tabula/blob/fe6b105ca4f84ea64975d8ddc876dce8d1… Once you have your Apple Developer account, link 3 in that comment is where you'll get your cert. There's a little wizard for it that walks you through it. (You want to be in Mac Apps -> Certificates -> All, click + to add a certificate, and you want a Production -> Developer ID, for an Application.) In our case we had to manually sign another OSX framework (Java) that we bundled with the app, so there's two invocations of the `codesign` command. We previously didn't do that (in https://github.com/tabulapdf/tabula/blob/c21b27c867ecdb578f97667310ea8b21e0… ), instead invoking `codesign` with the `--deep` flag, which tries to recursively sign all executable binaries inside the target (but there's some peculiarity with the Java OSX framework that prevented us from doing it). So just throwing that out there as another option to try. If this is for TBB or something else with a bunch of binaries inside, you'll have to keep this in mind. I've also discovered that this is a bitch to test, since once you've bypassed codesigning to open an app (doing right-click and open instead of double-clicking shows a prompt that allows a user to bypass the warning https://support.apple.com/en-us/HT202491 ), the app's whitelisted on your system. So I've historically messed up quite a few releases by signing with the wrong key, missing some bundled framework, etc, since my own work opens up fine on my own computer. I remember us vaguely talking about reproducible builds and verification, too. Guessing this ties in to the "removing signatures" part of what you said? Of course anything that happens during and after a codesign isn't reproducible for other users, but here are some notes about what `codesign` and the App Store do to built apps, particularly on iOS (but probably applicable to OSX too). https://github.com/OnionBrowser/iOS-OnionBrowser/issues/58 https://github.com/WhisperSystems/Signal-iOS/issues/641#issuecomment-782027… Essentially, codesign only touches executable binaries in the .app (see that second link for info on how the binary's segments get moved around) and also adds an SC_Info directory for codesign/DRM metadata. For App Store apps, only the SC_Info gets modified for different users for DRM. That makes it possible to actually verify an App Store app's integrity by removing that directory to check hashes -- https://github.com/OnionBrowser/iOS-OnionBrowser/releases/tag/v1.5.11 -- but you won't have this problem since you're not gonna go that route. The design (per that comment) doesn't seem to allow reversing the signing process easily due to DRM encryption of parts of the binary -- though I'm not clear on which parts are due to `codesign` locally versus magic that Apple performs on App Store-submitted applications. If the `codesign` by itself doesn't encrypt the binary (i.e. if it just rearranges the binary's segments & adds metadata & creates the metadata/DRM directory), it might be possible to reverse it. Could be worth someone exploring segment sizes/positions with `size` and `otool` http://www.objc.io/issues/6-build-tools/mach-o-executables/ to determine this for real. Ah holy shit, that is a LOT of words. But hope that helps and isn't too overwhelming. That's just about everything I know about this off the top of my head. Let me know if something isn't clear or if you run into any issues with the Apple account or something like that. Cheers, Mike Tigas Reporter/News Applications Developer, ProPublica https://www.propublica.org/ @mtigas | https://mike.tig.as/ | 0x6E0E9923 ----- End forwarded message ----- -- Mike Perry

8 14

Proposal 257: Refactoring authorities and taking parts offline
by Nick Mathewson 27 Oct '15

27 Oct '15

Filename: 257-hiding-authorities.txt Title: Refactoring authorities and taking parts offline Authors: Nick Mathewson, Andrea Shepard Created: 2015-10-27 Status: Draft 1. Introduction Directory authorities are critical to the Tor network, and represent a DoS target to anybody trying to disable the network. This document describes a strategy for making directory authorities in general less vulnerable to DoS by separating the different parts of their functionality. 2. Design 2.1. The status quo This proposal is about splitting up the roles of directory authorities. But, what are these roles? Currently, directory authorities perform the following functions. Some of these functions require large amounts of bandwidth; I've noted that with a (BW). Some of these functions require a publicly known address; I've marked those with a (PUB). Some of these functions inevitably leak the location from which they are performed. I've marked those with a (LOC). Not everything in this list is something that needs to be done by an authority permanently! This list is, again, just what authorities do now. * Authorities receive uploaded server descriptors and extrainfo descriptors from regular Tor servers and from each other. (BW, PUB?) * Authorities periodically probe the routers they know about in order to determine whether they are running or not. By remembering the past behavior of nodes, they also build a view of each node's fractional uptime and mean time between failures. (LOC, unless we're clever) * Authorities perform the consensus protocol by: * Generating 'vote' documents describing their view of the network, along with a set of microdescriptors for later client use. * Uploading these votes to one another. * Computing a 'consensus' of these votes. * Authorities serve as a location for distributing consensus documents, descriptors, extrainfo documents, and microdescriptors... * To directory mirrors. (BW?, PUB?, LOC?) * To clients that do not yet know a directory mirror. (BW!!, PUB) These functions are tied to directory authorities, but done out-of-process: * Bandwidth measurement (BW) * Sybil detection * 'Guardiness' measurement, possibly. 2.2. Design goals Principally, we attempt to isolate the security-critical, high-resource, and availability-critical pieces of our directory infrastructure from one another. We would like to make the security-critical pieces of our infrastructure easy to relocate, and the communications between them easy to secure. We require that the Tor network remain able to bootstrap itself in the event of catastrophic failure. So, while we can _use_ a running Tor network to communicate, we should not _require_ that a running Tor network exist in order to perform the voting process. 2.3. Division of responsibility We propose dividing directory authority operations into these modules: ---------- ---------- -------------- ---------------- | Upload |======>| Voting |===>| Publishing |===>| Distribution | ---------- ---------- -------------- ---------------- I ^ I ----------- I ====>| Metrics |=== ----------- A number of 'upload' servers are responsible for receiving router descriptors. These are publicly known, and responsible for collecting descriptors. Information from these servers is used by 'metrics' modules (which check Tor servers for reliability and measure their history), and fed into the voting process. The voting process involves only communication (indirectly) from authorities to authorities, to produce a consensus and a set of microdescriptors. When voting is complete, consensuses, descriptors, and microdescriptors must be made available to the rest of the world. This is done by the 'publishing' module. The consensuses, descriptors, and mds are then taken up by the directory caches, and distributed. The rest of this proposal will describe means of communication between these modules. 3. The modules in more detail This section will outline possibilities for communication between the various parts of the system to isolate them. There will be plenty of "may"s and "could"s and "might"s here: these are possibilities, in need of further consideration. 3.1. Sending descriptors to the Upload module We retain the current mechanism: a set of well-known IP addresses with well-known OR keys to which each relay should upload a copy of its descriptors. The worst that a hostile upload server can do is to drop descriptors. (It could also generate large numbers of spurious descriptors in order to increase the load on the metrics system. But an attacker could do that without running an upload server) With respect to dropping, upload servers can use an anytrust model: so long as a single server receives and honestly reports descriptors to the rest of the system, those descriptors will arrive correctly. To avoid DoS attacks, we can require that any relay not previously known to an upload module perform some kind of a proof of work as it first registers itself. (Details TBD) If we're using TLS here, we should also consider a check-then-start TLS design as described in A.1 below. The location of Upload servers can change over time; they can be published in the consensus. (Note also that as an alternative, we could distribute this functionality across the whole network.) 3.2. Transferring descriptors to the metrics server and the voters The simplest option here would be for the authorities and metrics servers to mirror them using Tor. rsync-over-ssh-over-Tor is a possibility, if we don't feel like building more machinery. (We could use hidden services here, but it is probably okay for upload servers and to be known by the the voters and metrics.) A fallback to a non-Tor connection could be done manually, or could require explicit buy-in from the voter/metrics operator. 3.3. Transferring information from metrics server to voters The same approaches as 3.2 should work fine. 3.4. Communication between voters Voters can, we hope, communicate to each other over authenticated hidden services. But we'll need a fallback mechanism here. Another option is to have public ledgers available for voters to talk to anonymously. This is probably a better idea. We could re-use the upload servers for this purpose, perhaps. Giving voters each others' addresses seems like a bad idea. 3.5. Communication from voters to directory nodes We should design a flood-distribution mechanism for microdescriptors, listed descriptors, and consensuses so that authorities can each upload to a few targets anonymously, and have them propagate through the rest of the network. 4. Migration To support old clients and old servers, the current authority IP addresses should remain as Upload and Distribution points. The current authority identity keys keys should remain as the keys for voters. A.1. Check-then-start TLS Current TLS protocols are quite susceptible to denial-of-service attacks, with large asymmetries in resource consumption. (Client sends junk, forcing server to perform private-key operation on junk.) We could hope for a good TLS replacement to someday emerge, or for TLS to improve its properties. But as a replacement, I suggest that we wrap TLS in a preliminary challenge-response protocol to establish that the use is authorized before we allow the TLS handshake to begin. (We shouldn't do this for all the TLS in Tor: only for the cases where we want to restrict the users of a given TLS server.)

2 1

Proposal 256: Key revocation for relays and authorities
by Nick Mathewson 27 Oct '15

27 Oct '15

Filename: 256-key-revocation.txt Title: Key revocation for relays and authorities Authors: Nick Mathewson Created: 27 October 2015 Status: Open 1. Introduction This document examines the different kinds of long-lived public keys in Tor, and discusses a way to revoke each. The kind of keys at issue are: * Authority identity keys * Authority signing keys * OR identity keys (ed25519) * OR signing keys (ed25519) * OR identity keys (RSA) Additionally, we need to make sure that all other key types, if they are compromised, can be replaced or rendered unusable. 2. When to revoke keys Revoking keys should happen when the operator of an authority or relay believes that the key has been compromised, or has a significant risk of having been compromised. In this proposal we deliberately leave this decision up to the authority/relay operators. (If a third party believes that a key has been compromised, they should attempt to get the key-issuing party to revoke their key. If that can't be done, the uncompromised authorities should block the relay or de-list the authority in question.) Our key-generation code (for authorities and relays) should generate preemptive revocation documents at the same time it generates the original keys, so that operators can retain those documents in the event that access to the original keys is lost. The operators should keep these revocation documents private and available enough so that they can issue the revocation if necessary, but nobody else can. Additionally, the key generation code should be able to generate retrospective revocation documents for existing keys and certificates. (This approach can be more useful when a subkey is revoked, but the operator still has ready access to the issuing key.) 3. Authority keys Authority identity keys are the most important keys in Tor. They are kept offline and encrypted. They are used to sign authority signing keys, and for no other purpose. Authority signing keys are kept online. They are authenticated by authority identity keys, and used to sign votes and consensus documents. (For the rest of section 2, all keys mentioned will be authority keys.) 3.1. Revocation certificates for authorities We add the following extensions to authority key certificates (see dir-spec.txt section 3.1), for use in key revocation. "dir-key-revocation-type" SP "master" | "signing" NL Specifies which kind of revocation document this is. If dir-key-revocation is absent, this is not a revocation. [At most once] "dir-key-revocation-notes" SP (any non-NL text) NL An explanation of why the key was revoked. Must be absent unless dir-key-revocation-type is set. [Any number of times] "dir-key-revocation-signing-key-unusable" NL Present if the signing key in this document will not actually be used to sign votes and consensuses. [At most once] "dir-key-revoked-signing-key" SP DIGEST NL Fingerprints of signing keys being explicitly revoked by this certificate. (All keys published before this one are _implicitly_ revoked.) [Any number of times] "dir-key-revocation-published" SP YYYY-MM-DD SP HH:MM:SS NL The actual time when the revocation was generated. (Used since the 'published' field in the certificate will lie; see below.) [at most once.] 3.2. Generating revocations Revocations for signing keys should be generated with: * A 'published' time immediately following the published date on the key that they are revoking. * An 'expires' time at least 48 hours after the expires date on the key that they are revoking, and at least one week in the future. (Note that this ensures as-correct-as-possible behavior for existing Tor clients and servers. For Tor versions before 0.2.6, having a more recent published date than the older key will cause the revoked key certificate to be removed by trusted_dirs_remove_old_certs() if it is published at least 7 days in the past. For Tor versions 0.2.6 or later, the interval is reduced to 2 days.) If generating a signing key revocation ahead of time, the revocation document should include a dummy signing key, to be thrown away immediately after it is generated and used to make the revocation document. The "dir-key-revocation-signing-key-unusable" element should be present. If generating a signing key revocation in response to an event, the revocation document should include the new signing key to be used. The "dir-key-revocation-signing-key-unusable" element must be be absent. All replacement certificates generated for the lifetime of the original revoked certificate should be generated as revocations. Revocations for master keys should be generated with: * A 'published' time immediately following the published date on the most recently generated certificate, if possible. * An 'expires' time equal to 18 Jan 2038. (The next-to-last day encodeable in time_t, to avoid Y2038 problems.) * A dummy signing key, as above. 3.3. Submitting revocations In the event of a key revocation, authority operators should upload the revocation document to every other authority. If there is a replacement signing key, it should be included in the authority's votes (as any new key certificate would be). 3.4. Handling revocations We add these additional rules for caching and storing revocations on Tor servers and clients. * Master key revocations should be stored indefinitely. * If we have a master key revocation, no other certificates for that key should be fetched, stored, or served. * If we have a master key revocation, we should replace any DirAuthority entry for that master key with a 'null' entry -- an authority with no address and no keys, from which nothing can be downloaded and nothing can be trusted, but which still counts against the total number of authorities. * Signing key revocations should be retained until their 'expires' date. * If we have a signing key revocation document, we should not trust any signature generated with any key in an older signing key certificates for the same master key. We should not serve such key certificates. * We should not attempt to fetch any certificate document matching an <identity, signing> pair for which a revocation document exists. We add these additional rule for directory authorities: * When generating or serving a consensus document, an authority should include a dir-source entry based on the most recent revocation cert it has from an authority, unless that authority has a more recent valid key cert. (This will require a new consensus method.) * When generating or serving a consensus document, if no valid signature exists from a given authority, and that authority has a currently valid key revocation document with a signing key in it, it should include a bogus signature purporting to be made with that signing key. (All-zeros is suggested.) (Doing this will make old Tor clients download the revocation certificates.) 4. Router identity key revocations 4.1. RSA identity keys If the RSA key is compromised but the ed25519 identity and signing keys are not, simply disable the router. Key pinning should take care of the rest. (This isn't ideal when key pinning isn't deployed yet, but I'm betting that key pinning comes online before this proposal does.) 4.2. Ed25519 master identity keys (We use the data format from proposal 220, section 2.3 here.) To revoke a master identity key, create a revocation for the master key and upload it to every authority. Authorities should accept these documents as meaning that the signing key should never be allowed to appear on the Tor network. This can be enforced with the key pinning mechanism. 4.3. Ed25519 signing keys (We use the data format from proposal 220, section 2.3 here.) To revoke a signing key, include the revocation for every not-yet-expired signing key in your routerinfo document, as in: "revoked-signing-key" SP Base64-Ed25519-Key NL Note that this doesn't need to be authenticated, since the newer signing key certificate creates a trust path from the master identity key to the the revocation. [Up to 32 times.] Upon receiving these entries, authorities store up to 32 such entries per router per year. (If you have more than 32 keys compromised, give up and take your router down. Start it with a new master key.) When voting, authorities include a "rev" line in the microdescriptor for every revoked-signing-key in the routerinfo: "rev" SP "ed25519" SP Base64-Ed25519-Key NL (This will require a new microdescriptor version.) Upon receiving such a line in the microdescriptor, Tor instances MUST NOT trust any signing key certificate with a matching key.

1 0

Tor browser for other Projects
by salutarydiacritical23＠ruggedinbox.com 27 Oct '15

27 Oct '15

Hello good people of Tor. As you know, your client side applications like Tor browser are unmatched by anything out there. They are the natural choice for other anonymous networks. Freenet is considering ways to interface with Tor browser for better privacy. Disclaimer: I am not an official spokesperson for them. I am testing the waters first before filing tickets on trac. My idea is for Tor browser to include the FoxyProxy for redirecting browser requests to proxies based on URL patterns. Optionally there's color indicators for every proxy so users know what network they are visiting. You can add rules to block LAN accesses to keep users safe from misbehaving JavaScript. Rules can be added for I2P URLs too. You'll need to disable the ads in the original addon but the code is DFSG compliant. Like the transports, your client side applications are a new area for collaboration beyond your project. What do you say?

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev October 2015