Hi, all!
Since 0.2.3 just entered beta (and will be in release-candidate status soon if I have anything to say about it!) I wanted to put out a summary of the Tor proposals that got merged, to the best of my knowledge, in the Tor 0.2.3.x series.
My next email will summarize still-open proposals.
(Note on credits: I'm copying the listed credits from the proposals, their acknowledgments sections, and my incredibly lossy memory. But in every case, these designs were improved enormously through feedback from the entire Tor community, including some design stalwarts who take the time to give feedback on all nearly all the proposals they see. Thanks to everyone, and apologies to everybody whom I'm forgetting here.)
IMPLEMENTED IN 0.2.3.x
110 Avoiding infinite length circuits
We started this one a while ago back in 0.2.1.3-alpha. It provides a mechanism to try to limit the resource-multiplier that a DOS attacker can get against the Tor network by building very long circuits, by limiting the maximum circuit length. We had clients implement the new behavior in 0.2.1.3-alpha, and fixed some bugs related to it in the 0.2.2.x series. It's only now that all of the older versions that don't support it are obsolete that we can actually turn on the attack prevention.
(Proposal by Roger Dingledine based on ideas by Christian Grothoff.)
158 Clients download consensus + microdescriptors 162 Publish the consensus in multiple flavors
In the "Microdescriptors" design, clients download a summary of router descriptors rather than the entire set of signed router descriptors. This can save a large amount of directory bandwidth -- both because microdescriptors are smaller than router descriptors, and because they're designed to change much less frequently.
Rather than being signed by the routers themselves, microdescriptors are listed by their digests in a consensus document signed by a threshold of directory authorities. (This change doesn't change the threat model, since a successful attack against either system requires adversary who can subvert a majority of directory authorities.)
We anticipate that we might want to serve the consensus in more than one format in the future, so proposal 162 introduces a notion of "consensus flavors" such that any every consensus vote produces a signed consensus in all the formats, caches cache all the formats, and clients download only those they need.
(Proposal 158 by Roger Dingledine, revised a bunch by Nick Mathewson. Proposal 162 by Nick Mathewson, influenced by design discussions with Marian on IRC.)
180 Pluggable transports for circumvention
We introduce "Pluggable transports": a specified way for Tor bridges and Tor bridge users to configure external programs to obfuscate or re-route traffic to avoid censorship.
This is a pretty big deal: it's what lets Tor integrate will with Obfsproxy and similar tools. As we've hoped, having a specified way to integrate with Tor has encouraged others to work on obfuscation tools. Having it ready to go has helped us deal with unexpected censorship events over the past year, and we think that having a couple of other obfuscators up our sleeve will help more in the future.
(Proposal by Jacob Appelbaum and Nick Mathewson, with heavy revisions based on George Kadianakis's experience implementing it.)
171 Separate streams across circuits by connection metadata
Here's a big security improvement.
In earlier versions of Tor, there wasn't a good way to force streams onto separate circuits. This could make for trouble, since all streams sent over the same circuit are definitively linkable by the exit node, and probabilistically linkable by the destinations. (For example, if you make a connection to an SSH host and log into a website over the same circuit, the exit node can learn that the same person has accounts both at the SSH host and the website. If the SSH host and website are colluding, then over time, they can become certain which account on the SSH host corresponds with which activities on the website.)
Starting with Tor 0.2.3, we provide a number of ways for users and integrators to tell Tor not to put the two streams on the same circuit. By default, two streams won't go on the same circuit if they arrive at different Tor client ports (one goes to SOCKSPort 9050 and one goes to SOCKSPort 9051); or if they come from different client addresses (one came from 127.0.0.1, the other from 10.0.10.10); or if they provide different username/password information in their SOCKS handshakes. Additionally, you can configure Tor to isolate connections by destination address, destination port, and chosen client protocol. See the manual page for SOCKSPort for more information.
(Proposal by Robert Hogan, Jacob Appelbaum, Damon McCoy, and Nick Mathewson, based on ideas from a whole bunch of people.)
174 Optimistic Data for Tor: Server Side 181 Optimistic Data for Tor: Client Side
This one is a performance hack that hasn't seen its full impact yet. Starting with Tor 0.2.3.x, clients MAY send data to the exit node before finding out whether the exit has been able to successfully connect to the destination server. Previously, it took an extra round trip for clients to wait to see whether the exit said "Yes, I'm connected" before they were allowed to send data for the exit.
This should make connection startup faster in many protocols where the client speaks first (http, https), as more and more client programs gain support for it.
(Proposal by Ian Goldberg.)
176 Proposed version-3 link handshake for Tor 184 Miscellaneous changes for a v3 Tor link protocol 187 Reserve a cell type to allow client authorization
Here's the crypto-heavy one for 0.2.3. In earlier Tors, we used two different link protocol variants to get the TLS authentication we wanted without being too fingerprintable. In Tor before 0.2.0, we used a "v1" link protocol, where both sides swapped pretty stereotyped certificate chains in the initial handshake, and were as fingerprintable as all get-out. From 0.2.0 through 0.2.2, we've been using a "v2" link protocol, where the connection initiator launched a renegotiation immediately upon making a successful connection. But as anybody who's used TLS renegotiations knows, they are a pain to work with. Moreover, their presence on the wire is visible, and provides another fingerprint for Tor connections.
With the new "v3" link protocol, clients perform an initial TLS handshake, and then use that handshake to bootstrap the trust and authentication they wanted in a less fragile, less fingerprintable manner.
Proposal 184 made variable-length cells more pratical, and added a variable-length padding type.
Since proposal 176 introduced a requirement that no extraneous cells be sent during the handshake, proposal 187 reserves an extra cell type for future use in pre-handshake authentication.
(Proposal 176 by Nick Mathewson, based on an earlier idea by Steven Murdoch, with feedback from Gladys Shufflebottom. Proposal 184 by Nick Mathewson. Proposal 187 by Nick Mathewson based on/influenced by discussions with George Kadianakis and Robert Ransom.)
178 Require majority of authorities to vote for consensus parameters
This one makes us more robust against a rogue directory authority. Previously, a misbehaving authority could set an integer parameter unilaterally, so long as it was the first to hear of that parameter, or the only one to have an opinion. With this proposal implemented, a larger number of authorities must want to vote on a consensus parameter for any vote on that parameter to take place.
(Proposal by Sebastian Hahn.)
179 TLS certificate and parameter normalization
This proposal made a bunch of small but important tweaks to try to emit more normal-looking TLS certificates, to help prevent certificate-based fingerprinting. It didn't all get implemented and stable in time for 0.2.3.x; the remainder is now proposal 195.
(Proposal by Jacob Appelbaum and Gladys Shufflebottom.)
183 Refill Intervals
Tor uses a token-bucket implementation for its rate- limiting strategy. Previously, Tor refilled these token buckets once per second. But this approach seems to have led to choppy behavior, where we exhaust our bandwidth early in the second, and spend the rest of the second sitting around. The new default is 100 msec, but now it's configurable.
(Proposal by Florian Tschorsch and Bjorn Scheuermann.)
PARTIALLY IMPLEMENTED IN 0.2.3.x
186 Multiple addresses for one OR or bridge
We've implemented this to the extent of letting a bridge have a single IPv6 address. Supporting this for regular relays will need to wait for 0.2.4.x. We're still deciding on whether it's worthwhile to allow more than one IPv4 and one IPv6 address.
(Proposal by Nick Mathewson, revised based on extensive feeback by Roger Dingledine and Linus Nordberg.)
198 Restore semantics of TLS ClientHello
In an attempt to impersonate Firefox clients under the eyes of watchful censors, earlier versions of Tor would sometimes claim to support TLS ciphersuites that they didn't. This would cause trouble if we ever wanted to negotiate a cipher other than those which we happen to know that all Tor clients support, since we can't count on the TLS ClientHello actually telling which ciphers are supported.
This proposal provides us with a backward compatible way to migrate ciphersuite lists, emulate new browser fingerprints, and actually use ciphersuites that didn't exist in 2005.
The client side of this proposal is implemented in 0.2.3; the server side will have to wait for 0.2.4.
(Proposal by Nick Mathewson.)
Nick Mathewson nickm@freehaven.net wrote:
180 Pluggable transports for circumvention
Happy to say that the trunk/master branch of Orbot supports obfsproxy bridges in the version we will push out this week to all .pf our users.
171 Separate streams across circuits by connection metadata
Gibberbot v9, which is at rc4 now and will be final this week, supports this via random user/pwd values in the socks handshake. Thanks to Jake for the help on that one.
+n
Nick Mathewson nickm@freehaven.net wrote:
IMPLEMENTED IN 0.2.3.x
174 Optimistic Data for Tor: Server Side 181 Optimistic Data for Tor: Client Side
This one is a performance hack that hasn't seen its full impact yet. Starting with Tor 0.2.3.x, clients MAY send data to the exit node before finding out whether the exit has been able to successfully connect to the destination server. Previously, it took an extra round trip for clients to wait to see whether the exit said "Yes, I'm connected" before they were allowed to send data for the exit. This should make connection startup faster in many protocols where the client speaks first (http, https), as more and more client programs gain support for it.
Is optimistically sending data for non-testing purposes recommended?
The "Security implications" in 181 seem to imply that it isn't, but the man page doesn't mention any risks. Is that because they are considered obvious, or simply an oversight?
Fabian
On Sat, Jun 30, 2012 at 07:03:19PM +0200, Fabian Keil wrote:
Nick Mathewson nickm@freehaven.net wrote:
IMPLEMENTED IN 0.2.3.x
174 Optimistic Data for Tor: Server Side 181 Optimistic Data for Tor: Client Side
This one is a performance hack that hasn't seen its full impact yet. Starting with Tor 0.2.3.x, clients MAY send data to the exit node before finding out whether the exit has been able to successfully connect to the destination server. Previously, it took an extra round trip for clients to wait to see whether the exit said "Yes, I'm connected" before they were allowed to send data for the exit. This should make connection startup faster in many protocols where the client speaks first (http, https), as more and more client programs gain support for it.Is optimistically sending data for non-testing purposes recommended?
The "Security implications" in 181 seem to imply that it isn't, but the man page doesn't mention any risks. Is that because they are considered obvious, or simply an oversight?
The issue is that an exit node that supports optimistic data can tell when a client is using that feature. So if only a handful of clients have upgraded to a TBB that supports it (none does at this time), they'll stand out. That's why the default is "use the consensus value", which is currently off. The consensus value can be turned on later, when "enough" people can support it.
circuituse.c:
/** Return true iff client-side optimistic data is supported. */ static int optimistic_data_enabled(void) { const or_options_t *options = get_options(); if (options->OptimisticData < 0) { /* XXX023 consider having auto default to 1 rather than 0 before * the 0.2.3 branch goes stable. See bug 3617. -RD */ const int32_t enabled = networkstatus_get_param(NULL, "UseOptimisticData", 0, 0, 1); return (int)enabled; } return options->OptimisticData; }
- Ian
Ian Goldberg iang@cs.uwaterloo.ca wrote:
On Sat, Jun 30, 2012 at 07:03:19PM +0200, Fabian Keil wrote:
Nick Mathewson nickm@freehaven.net wrote:
IMPLEMENTED IN 0.2.3.x
174 Optimistic Data for Tor: Server Side 181 Optimistic Data for Tor: Client Side
This one is a performance hack that hasn't seen its full impact yet. Starting with Tor 0.2.3.x, clients MAY send data to the exit node before finding out whether the exit has been able to successfully connect to the destination server. Previously, it took an extra round trip for clients to wait to see whether the exit said "Yes, I'm connected" before they were allowed to send data for the exit. This should make connection startup faster in many protocols where the client speaks first (http, https), as more and more client programs gain support for it.Is optimistically sending data for non-testing purposes recommended?
The "Security implications" in 181 seem to imply that it isn't, but the man page doesn't mention any risks. Is that because they are considered obvious, or simply an oversight?
The issue is that an exit node that supports optimistic data can tell when a client is using that feature.
I'm aware of that, additionally I would expect that webservers can (with some probability) tell as well.
So if only a handful of clientshave upgraded to a TBB that supports it (none does at this time), they'll stand out. That's why the default is "use the consensus value", which is currently off. The consensus value can be turned on later, when "enough" people can support it.
The default can be changed, though, and while the man page contains recommendations and even strong recommendation for other parameter values, there's no recommendation for or against changing the OptimisticData settings and the risks aren't mentioned either.
The TorBrowser isn't the only client that could optimistically send data and other clients (like Privoxy) will need an option for this, that the user has to explicitly enable.
It's inappropriate for Privoxy's documentation to make recommendations for or against modifications of Tor's OptimisticData option, therefore it would be great if the Tor man page contained such a recommendation so the Privoxy documentation can link to it without putting the user at risk of changing the option after reading Tor's man page without understanding the consequences.
Fabian
On Sun, Jul 01, 2012 at 05:29:04PM +0200, Fabian Keil wrote:
So if only a handful of clientshave upgraded to a TBB that supports it (none does at this time), they'll stand out. That's why the default is "use the consensus value", which is currently off. The consensus value can be turned on later, when "enough" people can support it.
The default can be changed, though, and while the man page contains recommendations and even strong recommendation for other parameter values, there's no recommendation for or against changing the OptimisticData settings and the risks aren't mentioned either.
The TorBrowser isn't the only client that could optimistically send data and other clients (like Privoxy) will need an option for this, that the user has to explicitly enable.
It's inappropriate for Privoxy's documentation to make recommendations for or against modifications of Tor's OptimisticData option, therefore it would be great if the Tor man page contained such a recommendation so the Privoxy documentation can link to it without putting the user at risk of changing the option after reading Tor's man page without understanding the consequences.
Does Privoxy support optimistic data? SOCKS clients (TBB, Privoxy, IM clients, etc.) need to be modified in order to use this feature of Tor, as it entails the client sending the data to the SOCKS proxy (the Tor OP) *before* receiving the SOCKS connection response from it.
- Ian
Ian Goldberg iang@cs.uwaterloo.ca wrote:
On Sun, Jul 01, 2012 at 05:29:04PM +0200, Fabian Keil wrote:
So if only a handful of clientshave upgraded to a TBB that supports it (none does at this time), they'll stand out. That's why the default is "use the consensus value", which is currently off. The consensus value can be turned on later, when "enough" people can support it.
The default can be changed, though, and while the man page contains recommendations and even strong recommendation for other parameter values, there's no recommendation for or against changing the OptimisticData settings and the risks aren't mentioned either.
The TorBrowser isn't the only client that could optimistically send data and other clients (like Privoxy) will need an option for this, that the user has to explicitly enable.
It's inappropriate for Privoxy's documentation to make recommendations for or against modifications of Tor's OptimisticData option, therefore it would be great if the Tor man page contained such a recommendation so the Privoxy documentation can link to it without putting the user at risk of changing the option after reading Tor's man page without understanding the consequences.
Does Privoxy support optimistic data? SOCKS clients (TBB, Privoxy, IM clients, etc.) need to be modified in order to use this feature of Tor, as it entails the client sending the data to the SOCKS proxy (the Tor OP) *before* receiving the SOCKS connection response from it.
I implemented (partial) optimistic data support for Privoxy about a year ago. The code hasn't been committed to the official repository due to the documentation challenge outlined above.
Fabian
On Sun, Jul 01, 2012 at 07:06:29PM +0200, Fabian Keil wrote:
I implemented (partial) optimistic data support for Privoxy about a year ago. The code hasn't been committed to the official repository due to the documentation challenge outlined above.
Fair enough. It turns out it never hurts to have the SOCKS client optimistically write the data to the OP. As for the OP sending the data optimistically along the circuit, I'd say "don't mess with the OptimisticData default setting", but perhaps some Tor devs might chime in.
[Though many will be travelling to Italy today for the dev meeting.]
- Ian
On 6/18/12 11:24 PM, Nick Mathewson wrote:
PARTIALLY IMPLEMENTED IN 0.2.3.x
186 Multiple addresses for one OR or bridge
We've implemented this to the extent of letting a bridge have a single IPv6 address. Supporting this for regular relays will need to wait for 0.2.4.x. We're still deciding on whether it's worthwhile to allow more than one IPv4 and one IPv6 address. (Proposal by Nick Mathewson, revised based on extensive feeback by Roger Dingledine and Linus Nordberg.)
This maybe very important in order to be able to "separate" the local-address from the IP address published / announced.
It maybe valuable, very valuable, if for a specific single node i would be able to add-up even 100 IP:Port pair, then using "third party system" to redirect inbound sockets to that 100 IP:Port to the main one.
I mean, an IP:Port can also not be listening on the specific node but also represent a remote tcp-port-forwarder that is forwarding incoming TCP socket to the node OR's port.
It would be very interesting if this kind of setup could be done.
-naif
-
Fabian Keil -
Fabio Pietrosanti (naif) -
Ian Goldberg -
Nathan Freitas -
Nick Mathewson