Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:  10-30
 Reviewer: |Sponsor:
---+--

Comment (by cypherpunks):

 Could someone please update Tor's threat model to clarify that Tor cannot
 (and has no plans to ever be able to) protect against adversaries who
 control both the first and last hops of a circuit?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:  10-30
 Reviewer: |Sponsor:  SponsorV-can
---+--

Comment (by cypherpunks):

 there are lots of ways to do it, but the dropmark paper says:

 > We used relay drop cells because they do not raise any log message.


 why is that?

 i found some history:

 Once-upon-a-time DROP cells **were** getting logged. Roger `//`'ed it out
 in '06 cause it was "loud":
 
https://gitweb.torproject.org/tor.git/commit/?id=9bc8d69dfc4ddda5a9c8478b1f1e04490845ded0

 (:thinkingface: how was that "loud"? was anything besides attackers
 sending DROP cells in 2006?)

 mikeperry replaced the `//`'ed log line with `return 0` in 2018:
 
https://gitweb.torproject.org/tor.git/commit/?id=7be71903daff042e606e7a8445a6359100c9f8f5

 But even if tor had no silent drops relays could still embed timing
 signals like Jann Horn demonstrates here:
 https://var.thejh.net/git/?p=detour.git;a=blob;f=README (what ticket
 number is that?)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:  10-30
 Reviewer: |Sponsor:  SponsorV-can
---+--
Changes (by mikeperry):

 * points:  30 => 10-30


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:  30
 Reviewer: |Sponsor:  SponsorV-can
---+--
Changes (by mikeperry):

 * points:   => 30


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:  SponsorV-can
---+--

Old description:

> https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
>
> There are lots of ways to inject data into Tor streams, and this is a
> vector of attack for guard discovery and confirmation:
> https://petsymposium.org/2018/files/papers/issue2/popets-2018-0011.pdf
>
> I have a branch that tries to eliminate a pile of these from a while ago,
> but it has lots of false positives due to the common occurrence of
> invalid stream IDs in practice (see #25573).
> https://gitweb.torproject.org/mikeperry/tor.git/log/?h
> =timing_sidechannel_fix-squashed1
>
> I think we may want to do #25573 before trying to merge that branch.

New description:

 https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

 There are lots of ways to inject data into Tor streams, and this is a
 vector of attack for guard discovery and confirmation ("DropMark" attack):
 https://petsymposium.org/2018/files/papers/issue2/popets-2018-0011.pdf

 I have a branch that tries to eliminate a pile of these from a while ago,
 but it has lots of false positives due to the common occurrence of invalid
 stream IDs in practice (see #25573).
 https://gitweb.torproject.org/mikeperry/tor.git/log/?h
 =timing_sidechannel_fix-squashed1

 I think we may want to do #25573 before trying to merge that branch.

--

Comment (by dmr):

 Adding parenthetical to tie that term 'DropMark' to the paper (it might
 not otherwise be obvious by context).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:  SponsorV-can
---+--

Comment (by cypherpunks):

 11:23 AM Ticket #26665 (Allow searching for relays with no known
 AS/country) updated by irl
 I also now have a git.tpo repository, so the changes for Onionoo are …
 11:22 AM Ticket #26734 (Please add irl as git maintainer) created by hiro
 Irl has volunteered to help out with git issues. Can you please add …
 11:17 AM Ticket #26665 (Allow searching for relays with no known
 AS/country) updated by irl
 Status changed
 Small patch for spec: …
 6:53 AM Ticket #26367 (Consider removing tor2web mode) updated by teor
 Status changed
 ENABLE_TOR2WEB_MODE sets NON_ANONYMOUS_MODE_ENABLED. I don't think …
 6:48 AM Ticket #26712 (EVP_PKEY_HKDF not defined in libressl,
 src/lib/crypt_ops/crypto_hkdf.c ...) updated by teor
 Keywords changed
 6:47 AM Ticket #26715 (Tor 85d6b41 on FreeBSD 12-CURRENT: error: use of
 undeclared identifier ...) updated by teor
 Keywords changed
 4:52 AM Ticket #26712 (EVP_PKEY_HKDF not defined in libressl,
 src/lib/crypt_ops/

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:  Tor: unspecified
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:  SponsorV-can
---+--
Changes (by asn):

 * milestone:   => Tor: unspecified


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:  SponsorV-can
---+--
Changes (by dmr):

 * cc: dmr (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
---+--
 Reporter:  mikeperry  |  Owner:  (none)
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Core Tor/Tor   |Version:
 Severity:  Normal | Resolution:
 Keywords:  guard-discovery-stats  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:  SponsorV-can
---+--

Comment (by nickm):

 I really want to ask for a proposal on this -- if only a formal list of
 the stuff you want to change here.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #25574 [Core Tor/Tor]: Eliminate "silent-drop" side channels in Tor protocol

[Tor Bug Tracker & Wiki]

#25574: Eliminate "silent-drop" side channels in Tor protocol
--+---
 Reporter:  mikeperry |  Owner:  (none)
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Core Tor/Tor  |Version:
 Severity:  Normal|   Keywords:  guard-discovery-stats
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:  SponsorV-can  |
--+---
 https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

 There are lots of ways to inject data into Tor streams, and this is a
 vector of attack for guard discovery and confirmation:
 https://petsymposium.org/2018/files/papers/issue2/popets-2018-0011.pdf

 I have a branch that tries to eliminate a pile of these from a while ago,
 but it has lots of false positives due to the common occurrence of invalid
 stream IDs in practice (see #25573).
 https://gitweb.torproject.org/mikeperry/tor.git/log/?h
 =timing_sidechannel_fix-squashed1

 I think we may want to do #25573 before trying to merge that branch.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs