Re: [Tails-dev] Tor Browser 12.5.0 Candidate Builds available

2023-06-22 Thread richard
Sorry to say, we had to make another build last night with a pref flip which 
does affect all your distributions. The download spam pref flip has some edge 
cases upstream which we will need to fix in 12.5.1 in the coming weeks so we 
reverted it. We also included a pref flip to fix screen reader support on some 
Windows systems, but that doesn't affect any of you :)


12.5-build2:

- https://tb-build-05.torproject.org/~richard/builds/torbrowser/release/unsigned/12.5-build2/


I'll be signing and publishing this release shortly.

A regularly scheduled minor ESR update (12.5.1) should be coming in the first 
week of July.


best,
-Richard

On 6/20/23 01:09, richard wrote:

> Hello All,
>
> Tor Browser 12.5.0 release candidate builds are now available for testing:
>
> - https://tb-build-05.torproject.org/~richard/builds/torbrowser/release/unsigned/12.5.0-build1/
>
> This is a major release, but you *shouldn't* have any breaking changes with
> regards to packaging as it is still on the esr102 series.
>
> The full changelog from 12.0.0 can be found here:
>
> - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/tbb-12.5.0-build1/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
>
> best,
> -Richard


___
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.


Re: [Tails-dev] new features coming in to be aware of

2023-06-22 Thread anonym

On 20/06/2023 19.19, richard wrote:

> Hi Tails devs,
>
> So the legacy tor daemon recently got two new features in alpha you
> should be aware of, proof-of-work and conflux circuits:


Thanks for the heads-up! This is very valuable!

> - proof-of-work: Onion service providers will be able to opt-in to a
> proof-of-work requirement for connecting clients as a DDoS
> counter-measure. Legacy clients which do not support this feature will
> not be able to connect to onion services making use of it. This feature
> will be transparent to the user, though in Tor Browser we may surface
> custom ui notifying the user if they failed to complete the pow in time
> (or other pow-specific errors). The details are still tbd, but any error
> would be surfaced to applications via a custom SOCKS5 error code
> (similar to how the tor daemon notifies applications that client auth is
> required to access an onion service)


Am I correct to assume that as long as we have a tor and Tor Browser 
that supports this, and our Tor Browser's SocksPort has ExtendedErrors 
enabled, then we are good to go for this feature, or is something more 
needed?


> - conflux circuits: the network team has developed a multiple-circuit
> selection routing system whereby clients will open multiple circuits to
> an endpoint, and divide traffic between the circuits to increase network
> performance. Any ux that shows a user's circuit will need to be updated
> to account for this new conflux circuit reality. For the initial stable
> release, conflux circuits will only work with clearnet endpoints so
> onion services are unaffected. The browser team will be working with ux
> on any required ui changes during the next release cycle, so if Tails
> has an analogous thing outside of Tor Browser you can probably follow
> our lead there.


Tails has a simple Vidalia-esque circuit viewer where each circuit is 
listed along with its streams, so (if I understand correctly) with 
conflux circuits it can be the case that the same stream can be listed 
under multiple circuits. Since (IIRC) pre-conflux streams associate with 
a single circuit id it indeed sounds like there will be some work needed 
here. And this circuit viewer uses Stem, which is unmaintained, which 
could complicate things a bit further. :)


Tails also has a control port filter (that sits between tor and the 
applications using the control port) that I believe will be affected: 
since Tails runs a single system-wide tor instance there are concerns 
about applications that have access to the control port snooping on 
other circuits/streams (among other things), so the filter enforces 
restrictions so that a control port user can only see its own streams and 
associated circuits. If streams can associate to multiple circuits then 
Tails' control port filter must take that into account.


Again, thanks for the heads-up!

Cheers!
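
The control port filter point in the message above, as an added example (not Tails' filter code and not part of the message): a per-client event filter that keeps either one circuit or a set of circuits per stream. The event lines are constructed, stream ownership is assumed to be decided elsewhere, and a stream being reported against two circuit IDs is the hypothesis from the message, not confirmed tor behaviour.

```python
import re

# Control-port event shapes used here:
#   "650 STREAM <StreamID> <Status> <CircID> <Target>" and "650 CIRC <CircID> <Status> ..."
STREAM_RE = re.compile(r"^650 STREAM (\w+) (\S+) (\w+) ")
CIRC_RE = re.compile(r"^650 CIRC (\w+) ")

# Constructed sample events. Stream 7 appearing on circuits 21 and 22 models
# the hypothesis that one stream can be associated with multiple circuits.
CONSTRUCTED_EVENTS = [
    "650 STREAM 7 SENTCONNECT 21 example.com:443",
    "650 STREAM 7 SENTCONNECT 22 example.com:443",
    "650 STREAM 9 SENTCONNECT 30 other.example:443",  # another client's stream
    "650 CIRC 21 CLOSED REASON=FINISHED",
    "650 CIRC 22 CLOSED REASON=FINISHED",
    "650 CIRC 30 CLOSED REASON=FINISHED",
]

def visible_events(events, owned_streams, multi_circuit):
    """Return the events one control-port client is allowed to see.

    owned_streams: stream IDs belonging to this client (assumed input).
    multi_circuit=False keeps one circuit per stream (pre-conflux model);
    multi_circuit=True keeps a set of circuits per stream.
    """
    circuits = {}  # stream ID -> set of circuit IDs
    out = []
    for line in events:
        m = STREAM_RE.match(line)
        if m:
            stream, status, circ = m.groups()
            if stream not in owned_streams:
                continue  # another client's stream: drop
            if status in ("CLOSED", "FAILED"):
                circuits.pop(stream, None)
            elif circ != "0":  # CircID 0 means the stream is unattached
                if multi_circuit:
                    circuits.setdefault(stream, set()).add(circ)
                else:
                    circuits[stream] = {circ}  # forgets the earlier circuit
            out.append(line)
            continue
        m = CIRC_RE.match(line)
        if m and m.group(1) in set().union(*circuits.values()):
            out.append(line)
        # everything else is dropped (deny by default)
    return out
```

With the one-circuit model the client loses sight of its own circuit 21; with the set model it sees both of its circuits, and in both cases circuit 30 and stream 9 stay hidden.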