Hello list,
we've recently been thinking about how to expose onion-service-related errors to Tor Browser so that we can give more useful error pages to users. We currently return "Unable to connect" error pages for any kind of onion service error, and I think we can do better.
This is a thread to think about the errors we want to expose, how that should look like, and what options we should give to the users when it happens. Relevant master tickets are #30022, #30025 and #30000.
We decided (in #14389) that Tor will export these errors through the SOCKS port, and the relevant spec is proposal 304 [0].
As part of #30090 antonela started making a table of potential errors. I'm gonna use that in this thread and also add a few more.
Let's go:
= Client-level errors =
These are errors on the user side of things:
=== 1) Typo error on address ===
This can be detected by Tor using the checksum or if the address is too big or too small.
TODO: We will need to add a new error code to prop304. Not sure if the error code should distinguish between checksum fail or length fail.
There is no recovery here since the address is busted. The user needs to find the right one.
=== 2) Missing Client Authorization ===
This is prop304's 'F4' error (see #30382), and it means that we can't decrypt the descriptor because it requires client auth, but we don't have it configured.
The recovery here is the whole point of #30237 where we make a dialog for the user to insert their client auth credentials.
=== 3) Wrong Client Authorization ===
This is prop304's 'F5' error, and it means that there client auth credentials configured for this onion are wrong.
The user recovery here is unclear but it might be that they need to change their client auth credentials. IMO, we should not try to make the perfect UX here, and we should just go with something super simple.
= Service-level errors =
These are errors on the onion service side:
=== 4) Service Descriptor Can Not be Found ===
This is prop304's 'F0' error, and it means that we could not find the descriptor of the service on the directory servers. This means that the service is not up right now (or, more unlikely, that some bug has happened somewhere).
The user recovery here is unclear. The user can try to reconnect in case the service got up in the meanwhile, but this is not so likely in a small period of time.
Perhaps we can give the user the option to reconnect every 10 seconds or so? Does this make sense from a UX PoV?
Again this equivalent to a "Remote host is down" error and we should use it as such.
= Network-level errors =
These are errors caused by the network (directory servers, intro points, rendezvous points) or even the service itself. It's kinda unclear given all the hops involved.
=== 5) Onion Service Descriptor Is Invalid ===
This is prop304's 'F1' error and it means that we got a descriptor back from the directory but it's corrupted.
This is very unlikely to happen since directory servers do not keep corrupted descriptors, so it usually means that some bug happened somewhere (or that the directory is bad or confused).
In terms of recovery and error page, this is kinda an "Oops. Internal error." situation where this is rare and weird and hence we don't know what's the best recovery option. We can give the option to reconnect but it's likely not gonna help much.
Again this should never really appear, so let's not stress too much over it.
=== 6) Onion Service Introduction Failed ===
This is prop304's 'F2' error and it means that for some reason the introduction did not complete. This could be because the onion service is not up anymore, or it could be because the network is screwed in some way (e.g. the service is DoSed).
The recovery here might be some 'reconnect' button which could be helpful in case of a DoS situation, but it would not help much if the service is not up anymore.
=== 7) Onion Service Rendezvous Failed ===
This is prop304's 'F3' error and it means that the rendezvous did not complete. This usually means that the service is having a bad time, and is either DoSed or it generally cannot cope.
The recovery again here is some 'reconnect' button, since if we did the introduction successfuly, the service is up, and reconnecting might work at some point.
This one and (6) are very related and perhaps they can be handlded identically, since exposing terms like "intro" and "rend" to users will not be nice. Still we might want to expose a technical error value somewhere for debugging purposes when users come to us.
=======================================================================
I think the above set of errors will satisfy all our needs. In particular: - #30022 (typos ticket) needs error (1) from above. - #30025 (client errors ticket) needs errors (4), (5), (6), (7) from above. - #30000 (client auth) needs errors (2) and (3) from above.
In terms of error page, I'm not sure how it should look like. Perhaps along with the error description and the recovery path, we should provide some education about onion services to the users?
In terms of unsafe paths, I don't see any of these errors being dangerous in terms of causing security issues if you attempt to reconnect or anything. The Tor protocol takes care of this in the layer below. The worst thing you can do is slightly damage the network from too many reconnects, but I think that's OK since people who use the TB are legitimate users and not DoS attackers.
===
Hope this was useful!
[0]: https://github.com/torproject/torspec/blob/master/proposals/304-socks5-exten...
George Kadianakis:
Hello list,
we've recently been thinking about how to expose onion-service-related errors to Tor Browser so that we can give more useful error pages to users. We currently return "Unable to connect" error pages for any kind of onion service error, and I think we can do better.
This is a thread to think about the errors we want to expose, how that should look like, and what options we should give to the users when it happens. Relevant master tickets are #30022, #30025 and #30000.
We decided (in #14389) that Tor will export these errors through the SOCKS port, and the relevant spec is proposal 304 [0].
As part of #30090 antonela started making a table of potential errors. I'm gonna use that in this thread and also add a few more.
Hi George,
In the hypothetical scenario that Namecoin (or any other naming layer) gets introduced to Tor Browser, it is likely that some error values specific to the naming layer are going to be useful to convey to the user. My preference is to defer that issue until after Namecoin is introduced to Tor Browser (unless you think it's important to prepare for in advance?), but I figured it's worth at least getting it onto your radar.
Cheers,
On Sep 30, 2019, at 8:15am, George Kadianakis desnacked@riseup.net wrote:
Hello list,
we've recently been thinking about how to expose onion-service-related errors to Tor Browser so that we can give more useful error pages to users. We currently return "Unable to connect" error pages for any kind of onion service error, and I think we can do better.
Hello,
In doing a quick read of [1] X'F0' to X'F5’ it looks like most might describe potential day-to-day connections, but I’m not sure about the last two: X'F4' Onion Service Missing Client Authorization & X'F5' Onion Service Wrong Client Authorization.
Please forgive me if I misunderstand things, but I thought leaked v3.onion addresses with (properly set up) authorized onion services (authorized_clients/*.auth & corresponding client-side .auth_private) can’t be loaded. Thus providing instant, inexpensive DOS protection, and denying the malevolent (and anyone) the opportunity to even know a specific onion address is in use. And keeping them from trying again later, and again, etc.
I am definitely in favor of feedback and clear error reporting, but I am not clear about how these authorization-only onion services will be affected.
Is tor going to be changed such that unauthorized clients -- clients without a proper .auth_private file -- are going to be able to learn if a specific .onion domain is in use? Will the local tor inform the user that in effect that onion address is in use but perhaps X'F4' or X'F5' ?
[1] Extending SOCKS5 Onion Service Error Codes, https://gitweb.torproject.org/torspec.git/tree/proposals/304-socks5-extendin... Lines 62-93.
[2] Tor Rendezvous Specification - Version 3, https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt, First Appendix F & Appendix G. Using file system means, not control ports.
= Client-level errors = === 1) Typo error on address ===
This can be detected by Tor using the checksum or if the address is too big or too small.
TODO: We will need to add a new error code to prop304. Not sure if the error code should distinguish between checksum fail or length fail.
There is no recovery here since the address is busted. The user needs to find the right one.
There is an opportunity here for at least a tiny amount of education about onion addresses. Perhaps copy the address to the page in an edit box and use JavaScript to help the user to fix it up? Perhaps a non base32 character got in. Maybe they didn’t paste in the whole address but missed part of it.
I would suggest a few simple graphics and sentences explaining the vast address space of v3 onions, with a fun simple time calculation perhaps, to show how one would not want to try all the variations that might exist on a “misspelled” .onion address.
Thank you and have a nice day.
Drew@FoundingDocuments.org:
Please forgive me if I misunderstand things, but I thought leaked v3.onion addresses with (properly set up) authorized onion services (authorized_clients/*.auth & corresponding client-side .auth_private) can’t be loaded. Thus providing instant, inexpensive DOS protection, and denying the malevolent (and anyone) the opportunity to even know a specific onion address is in use. And keeping them from trying again later, and again, etc.
I am definitely in favor of feedback and clear error reporting, but I am not clear about how these authorization-only onion services will be affected.
Is tor going to be changed such that unauthorized clients -- clients without a proper .auth_private file -- are going to be able to learn if a specific .onion domain is in use? Will the local tor inform the user that in effect that onion address is in use but perhaps X'F4' or X'F5' ?
AFAIK this proposal has nothing to do with changing the Tor onion service protocol; it's solely related to conveying errors to the user that the Tor daemon used by Tor Browser already has access to. The security properties of onion services can't be changed by this -- if they could be, then this would be security by obscurity, which is a scam that the Tor devs (and any other legitimate software developers) don't engage in.
Cheers,
-
Drew@FoundingDocuments.org -
George Kadianakis -
Jeremy Rand