Hi all,
We would like to make Tor relays report their bandwidth statistics every 24 hours, rather than every 4 hours. We believe that this is a safer interval for clients. It makes it harder to discover the guards of clients that use a lot of bandwidth, particularly onion services.
Here's how this kind of guard discovery can happen:
* a client repeatedly downloads a large file, or an onion service becomes very popular, or is repeatedly asked for a large file
* the traffic statistics for the client's guard increase dramatically in the next 4 hours
* an adversary watches the traffic statistics across the whole network, and finds the ones with dramatic increases
Increasing the bandwidth statistics interval slows down this attack:
* it requires more bandwidth to produce a 24 hour spike
* each statistics interval is longer, so it takes more time to be sure of the guard
One of the impacts of this change is that relay bandwidth graphs are less detailed. We will encourage relay operators to view detailed graphs using local tools like Nyx or Munin or similar, because this is safer for clients.
We are tracking this work in this trac ticket:
https://trac.torproject.org/projects/tor/ticket/23856
Tim
-- Tim / teor
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
------------------------------------------------------------------------
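The dilution effect described in the message above ("it requires more bandwidth to produce a 24 hour spike"), as an added example that is not part of the original thread or of Tor's code. The relay rates, burst size and 5-day history are constructed assumptions.

```python
# Added example (constructed data, not Tor code): how the reporting
# interval dilutes a burst in a relay's published byte history.

def bucket_totals(per_minute_bytes, interval_s):
    """Sum per-minute byte counts into whole reporting periods."""
    step = interval_s // 60
    usable = len(per_minute_bytes) - len(per_minute_bytes) % step
    return [sum(per_minute_bytes[i:i + step]) for i in range(0, usable, step)]

def burst_visibility(per_minute_bytes, interval_s):
    """Largest reported period divided by the median reported period."""
    totals = sorted(bucket_totals(per_minute_bytes, interval_s))
    return totals[-1] / totals[len(totals) // 2]

def extra_bytes_for_ratio(baseline_bps, interval_s, ratio):
    """Extra bytes needed in one period to lift it to `ratio` x baseline."""
    return round((ratio - 1) * baseline_bps * interval_s)

def constructed_history(baseline_bps, burst_bps, burst_start_min,
                        burst_len_min, days=5):
    """Flat baseline traffic plus one burst; all values are assumptions."""
    series = [baseline_bps * 60] * (days * 24 * 60)
    for minute in range(burst_start_min, burst_start_min + burst_len_min):
        series[minute] += burst_bps * 60
    return series

# Assumed relay: 10 MB/s baseline, one 2-hour burst adding 5 MB/s.
SAMPLE = constructed_history(10_000_000, 5_000_000, 1500, 120)

if __name__ == "__main__":
    for interval in (4 * 3600, 24 * 3600):
        print(f"{interval // 3600:>2} h periods: peak/median = "
              f"{burst_visibility(SAMPLE, interval):.3f}, bytes for a 1.25x "
              f"period = {extra_bytes_for_ratio(10_000_000, interval, 1.25):,}")
```

With these assumed numbers the same burst lifts a 4-hour period to 1.25x the median but a 24-hour period to only about 1.04x, and matching the 1.25x rise in a 24-hour period takes six times as many bytes.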
teor:
> We would like to make Tor relays report their bandwidth statistics every 24 hours, rather than every 4 hours.
How has the new time period been decided on? Is one day the upper bound for some use-case? If longer periods (2, 3 or 7 days...) are safer: why not increase it even more?
On 26 Oct 2017, at 06:36, nusenu nusenu-lists@riseup.net wrote:
> teor:
>> We would like to make Tor relays report their bandwidth statistics every 24 hours, rather than every 4 hours.
> How has the new time period been decided on? Is one day the upper bound for some use-case? If longer periods (2, 3 or 7 days...) are safer: why not increase it even more?
We decided to make the bandwidth statistics interval 24 hours because relays already report observed bandwidth every 24 hours in their descriptors. (More precisely, they re-post their descriptors approximately every 24 hours, or when the bandwidth changes by more than 2x, or when any of the rest of the config changes.)
To increase both these intervals beyond 24 hours, we would have to make major changes to the bandwidth authority subsystem as well.
So this is the simplest change that yields a significant improvement in client anonymity.
T
Here's an update on this change:
On 26 Oct 2017, at 08:46, teor teor2345@gmail.com wrote:
> On 26 Oct 2017, at 06:36, nusenu nusenu-lists@riseup.net wrote:
>> teor:
>>> We would like to make Tor relays report their bandwidth statistics every 24 hours, rather than every 4 hours.
>> How has the new time period been decided on? Is one day the upper bound for some use-case? If longer periods (2, 3 or 7 days...) are safer: why not increase it even more?
> We decided to make the bandwidth statistics interval 24 hours
We will change the bandwidth statistics interval to 24 hours, and remember and report 5 periods in each extra-info.
(It used to be 4 hours and report 6 periods in each extra-info.)
> because relays already report observed bandwidth every 24 hours in their descriptors. (More precisely, they re-post their descriptors approximately every 24 hours
We will leave the regular bandwidth reporting in descriptors as it is.
> or when the bandwidth changes by more than 2x
Bandwidth changes could trigger a descriptor re-post every 20 minutes; we will change this to 3 hours.
We chose 3 hours because it takes about that much time for updated relay bandwidths to get to most clients:
* 10 minutes to 70 minutes for descriptor upload to be included in a consensus
* 0 minutes to 30 minutes for a mirror to have the new consensus
* 0 minutes[1] to 110 minutes for a client to fetch the new consensus
[1] when bootstrapping, clients sometimes fetch directly from authorities. Otherwise, this would be 45 minutes.
https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n3412
> To increase both these intervals beyond 24 hours, we would have to make major changes to the bandwidth authority subsystem as well.
> So this is the simplest change that yields a significant improvement in client anonymity.
We have deferred any major changes to at least 0.3.3, and opened a new ticket:
https://trac.torproject.org/projects/tor/ticket/24104
-- Tim / teor
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
------------------------------------------------------------------------