[tor-dev] Named pipes with tor
Hiya. Been around the tor dev community a bit, but today is my first day on the legendary tor-dev mailing list. I am asking if it makes sense to apply a minor patch to Tor source, but first, the use case: tor is very adamant at scrubbing the addresses that are being connected to in the logs, but I have the opposite wish case were I would like to have a terminal show me the addresses my tor is connecting to in real-time. Could be that the arm app would be able to do that without taking up the screen space that vidalia takes, but for some irrelevant reasons I am not using that. What I do is Log [app]debug file /dev/shm/tor-log.txt, then run tail -f /dev/shm/tor-log.txt | grep asked to extract the Client asked for hostname:port lines, so I even get to see DNS requests independently from actual virtual circuits. I also have SafeLogging set appropriately. Needless to say, the RAM disk fills up quickly, so the usefulness is limited. This is a case screaming for unix named pipes as follows: mkfifo /dev/tor-log grep asked /dev/tor-log But tor refuses to write to such a FIFO pipe because it can't seek to the end of it. Couldn't open file for 'Log /dev/tor-log': Illegal seek ./or/config.c calls ./common/log.c's add_file_log which calls ./common/compat.c's tor_fd_seekend to make sure the stuff is appended at the end of a log. In the case of a FIFO pipe this returns an ESPIPE code which currently makes tor throw up. In my understanding it should be safe to ignore it, instead. We should expect the user to know what she is doing if she puts a pipe where the log should be. Or am I missing something? There is also a similar case of calling tor_fd_seekend in ./common/util.c which suggests there may be other use cases of mkfifo which are currently impeded by this. So the question is, would it be okay to catch ESPIPE in all cases, thus having it ignored in tor_fd_seekend, or just catch it in add_file_log? Or is there a reason to impede the use of unix named pipes under all circumstances? Best sockets from Berlin, CvL. -- http://youbroketheinternet.org ircs://psyced.org/youbroketheinternet ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] [RFC] Proposal draft: The move to a single guard node
Nicholas Hopper hop...@cs.umn.edu writes: On Fri, Apr 11, 2014 at 7:45 AM, George Kadianakis desnac...@riseup.net wrote: I see. That makes sense, I think. Good. I will ponder on this a bit more, and then edit the proposal. When/if you become convinced, let me know if you want me to draft a patch. I think it makes sense :) A patch for the proposal would be useful. If you don't have time to do it, just tell me and I will do it myself. (Also feel free to correct or add anything else to the proposal in your patch :) ) Thanks! ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] Improving the structure of indirect-connection PTs (meek/flashproxy)
## Background Pluggable Transports are proxy programs that help users bypass censorship. [App client] - XXX EVIL CENSOR HAS YOU XXX ACCESS DENIED XXX [App client] - [PT client] - (the cloud!) - [PT server] - [App server] The structural design, on the client side, is roughly: 1. App client specifies an endpoint to reach 2. PT client receives an instruction, via SOCKS, to connect to this endpoint 3. PT client does its thing, magic happens (intentionally vague) ## In Tor Each endpoint is specified by a Bridge line, in the form of an IP address and an optional fingerprint (for authentication). This point is not made more important in existing docs, but is important for the topic of this email: both the IP address and the fingerprint are potential *identifiers* of the endpoint. The former is an impure name, the latter a pure name. Currently, we have two main types of PT: - direct PTs - connect to the endpoint directly via a TCP connection - these PTs don't try to hide the fact that you're contacting X on addrX. - instead, they usually transform the traffic so it's not identifiable - e.g. obfs3, fte, scramblesuit - indirect PTs - connect to the endpoint indirectly, via special means - flashproxy - connects via an ephemeral browser proxy - meek - connects via an online web service I will now argue that indirect PTs should do things in a specific way, which is *not* the way meek and flashproxy currently does things. ## Meek and flashproxy Meek and flashproxy provide an indirect way of accessing Tor. Instead of connecting directly to a Bridge (which might be blocked), the client connects via a midpoint that is harder to block. Very very roughly, (meek/fp controller) [meek/fp client] - [meek/fp midpoint] - [freedom!] The Bridge line in the user's torrc is completely ignored, we use a dummy value, like: Bridge flashproxy 0.0.1.0:1 Instead, it is the controller that decides which endpoint (which Bridge) the midpoint should connect to. (In meek, the controller is the same entity as the midpoint, but it helps our analysis to consider the two functions separately.) ## The problem The problem with the above structure, is that it is incompatible with the metaphor of connecting to a specific endpoint. This is what the PT spec is about, even though it does not explicitly mention this viewpoint. Instead, meek and flashproxy provide the metaphor of connecting to a global homogeneous service. This has positive consequences, such as the user no longer having to bother to find Bridges, but also has several negative consequences: 1. The Tor client can no longer authenticate the endpoint. Although currently Tor makes this optional, it is strongly recommended, to prevent a MitM between the client and the server. Even if the midpoint does this, this is not end-to-end authentication that we would require for strong security. 2. Since the endpoints are not chosen by the user, this may have consequences for anonymity. IANAAR, but this has not yet been looked into. 3. The Tor client (and other applications that use the PT spec) internally use the endpoints metaphor. They may make performance assumptions based on endpoints being configured with different addresses. (Perhaps also security assumptions, although perhaps not due to having to defend against the sybil attack anyway.) Breaking this metaphor is not a good design principle. 4. An application like i2p, where each peer cares much more about *exactly which* endpoint it connects to (e.g. because e2e fingerprint authentication is mandatory), means the metaphor of endpoints even more important. They will not be able to take advantage of these indirect-connection PTs. 5. Chaining a PT that *requires* strong identification (e.g. scramblesuit, for c2s auth) is impossible under this scheme, since the end client cannot select the right server to authenticate against. ## The solution The solution is simple: the indirect PT client simply has to actually *make use* of the Bridge line, instead of totally dropping this information. The meek/flashproxy controllers offer service to a finite set of Bridges. [A] The client should be able to select one of these, specify its fingerprint and any other shared secrets, on their torrc Bridge line, and the indirect-PT will tell the controller to connect *to specifically this Bridge*. The controller should honour this request. If it doesn't and the fingerprint is specified, it will be caught out by the Tor client. So instead of having, as currently: (old, hacky) Bridge flashproxy (dummy addr) We would have the following cases: (1) Bridge flashproxy (real addr) (2) Bridge flashproxy (real addr) (fingerprint) (3, not-ideal) Bridge flashproxy (dummy addr) (fingerprint) Option (3) is quite nice, since in indirect PTs the actual address is irrelevant - the Tor client never tries to connect to it. I suggest that we have a special syntax for it though, to explicitly discourage hacks that {use dummy
Re: [tor-dev] Improving the structure of indirect-connection PTs (meek/flashproxy)
On 15/04/14 14:03, Ximin Luo wrote: (3, not-ideal) Bridge flashproxy (dummy addr) (fingerprint) Option (3) is quite nice, since in indirect PTs the actual address is irrelevant - the Tor client never tries to connect to it. I suggest that we have a special syntax for it though, to explicitly discourage hacks that {use dummy addresses but which are treated as real addresses by the underlying application}, since this breaks assumptions of the PT spec. For example, (3, better) Bridge flashproxy - (fingerprint) We would add to the PT spec, something like: - is a special hostname syntax in Bridge lines. It means that the address of this Bridge does not concern the underlying application (e.g. Tor), since it will be indirectly reached by the PT client. (If a fingerprint is given, it will still be checked by Tor.) Hmm, for this to work (select the endpoint by fingerprint only), tor will need to pass the fingerprint to the PT client during the SOCKS connection as well. It seems this is not the case from pt-spec.txt: Example: if the bridge line is bridge trebuchet www.example.com: 09F911029D74E35BD84156C5635688C009F909F9 rocks=20 height=5.6m AND if the Tor client knows that the 'trebuchet' method is supported, the client should connect to the proxy that provides the 'trebuchet' method, ask it to connect to www.example.com, and provide the string rocks=20;height=5.6m as the username, the password, or split across the username and password. Perhaps we can add the fingerprint to this, as part of Yawning's SOCKS5 extensions. X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git signature.asc Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Named pipes with tor
On Tue, Apr 15, 2014 at 2:27 PM, Nick Mathewson ni...@alum.mit.edu wrote: On Mon, Apr 14, 2014 at 5:32 AM, carlo von lynX l...@time.to.get.psyced.org wrote: [...] So the question is, would it be okay to catch ESPIPE in all cases, thus having it ignored in tor_fd_seekend, or just catch it in add_file_log? Or is there a reason to impede the use of unix named pipes under all circumstances? I think it's fine to ignore that failure from tor_fd_seekend in this case. Actually, I'm not clear, looking at the code, why it's there at all: it seems to me that O_APPEND should already put us at the end of the file, right? It's not clear to me why we mask out O_APPEND in start_writing_to_file(). Maybe looking at the git logs will shine some light on it... Ah. Apparently, O_APPEND has additional semantics beyond when we're opening the file. See commit 37bd9181f07b198ce43489adb5fdb457eef8cfff ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Improving the structure of indirect-connection PTs (meek/flashproxy)
On 15/04/14 19:36, David Fifield wrote: On Tue, Apr 15, 2014 at 02:03:43PM +0100, Ximin Luo wrote: ## The problem The problem with the above structure, is that it is incompatible with the metaphor of connecting to a specific endpoint. This is what the PT spec is about, even though it does not explicitly mention this viewpoint. Instead, meek and flashproxy provide the metaphor of connecting to a global homogeneous service. This has positive consequences, such as the user no longer having to bother to find Bridges, but also has several negative consequences: 1. The Tor client can no longer authenticate the endpoint. Although currently Tor makes this optional, it is strongly recommended, to prevent a MitM between the client and the server. Even if the midpoint does this, this is not end-to-end authentication that we would require for strong security. I see this somewhat differently. You still choose and authenticate the second and third hops. I heard from Roger that it is a sort of accident that bridge-using circuits use three hops, anyway. It should be that there are four: the first hop is your untrusted bridge address you got from wherever, and the second is your guard. Would a design like that make most of these issues go away? I think this would be OK conceptually, but it would extend the circuit by one hop, to 5 total hops. Currently, we have (with meek/fp): PT client - midpoint - untrusted bridge - tor relay - tor exit My proposed fix would turn it into: PT client - midpoint - trusted bridge - tor relay - tor exit Your suggestion would be analogous to: PT client - midpoint - untrusted bridge - trusted guard - tor relay - tor exit It also confuses the model a little, since the untrusted bridge does not help toward anonymity (since it can be MitMd), but is still running Tor, solely to bypass censorship. There's an old ticket here, Let bridge users specify that they don't care if their bridge changes fingerprint. https://trac.torproject.org/projects/tor/ticket/3292 which also ties with this blog post Different Ways to Use a Bridge. https://blog.torproject.org/blog/different-ways-use-bridge Completion of #3292 would be a beautiful thing, I think, for flash proxy, as it would allow us easily to round-robin multiple websocket bridges. (Currently you can't do that because the tor client freaks out; see https://trac.torproject.org/projects/tor/ticket/7153#comment:5.) If by bridge you mean authenticated relay, that is 2 hops before the exit, then I'm not sure how useful round-robin between multiple untrusted bridges really is, since this opens you up to MitM at that point. What exactly are we protecting against by refusing to use the network when A's fingerprint changes? - MitM on A, and relevation of my first-hop OR traffic to the attacker? Am I wrong here? Or is this not a big deal for anonymity? One can tweak #3292 to prevent MitM - instead of allowing *any* fingerprint, one would be able to specify multiple fingerprints for the same IP address, and the Tor client would treat these as separate Bridges (since they are separate). I believe this model is clearer and closer to reality, namely the endpoints metaphor. It's also similar to my (3) suggestion from before. Some other relevant tickets about non-authentication of bridges: analyze security tradeoffs from using a socks proxy vs a bridge to reach the Tor network https://trac.torproject.org/projects/tor/ticket/2764 For socks proxy, substitute indirect proxy, and it works the same. I think of indirect proxies like flash proxy as untrusted unauthenticated things that just get you to the Tor network, which you then authenticate, the same as a socks proxy. The quotes there that I agree with are from a *security* perspective (for a broad definition of security), is there really any difference between a socks proxy and a bridge relay? and I don't see any huge roadblocks to having bridges that are just vanilla proxies. We should deploy them if we can make them usable, and maybe someday somebody will show us it was a bad idea. Tor build variant to support lightweight socks bridge https://trac.torproject.org/projects/tor/ticket/3466 I largely agree with these quotes, but this would be assuming the socks proxy is authenticated (or, can be authenticated) *and* the end-client can completely control the second hop after it. Neither of these properties are true for the indirect proxying of meek/flashproxy. X -- GPG: 4096R/1318EFAC5FBBDBCE git://github.com/infinity0/pubkeys.git signature.asc Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev