Hi Holmes, On Fri, Jul 23, 2021 at 05:46:47PM -0400, Holmes Wilson wrote: > Hi everyone, > > A few disjointed questions that have come up recently in our work with Tor: > > 1. PERFORMANCE ON M1 / ARM64 > > We just got a report from a user that the tor binary for Mac was using much > more CPU on Apple Silicon / M1 than it used on Intel. Has anyone scene > anything like this? Is there an arm64 build of tor binary for Mac, existing > or in the works?
Can you provide more detail about where this tor binary came from? Was it compiled from source or did it come from Tor Browser? > > (Related: do Tor developers have a few M1 Macs to test on? We could probably > donate one if not!) > We do not, but we'd be happy to discuss this with you! (I'll leave your other two questions to another tor person) > 2. FORWARD SECRECY > > Is there a good source for documentation on how forward secrecy works in Tor, > and on what security guarantees it provides? Googling finds things like this > reddit post (https://www.reddit.com/r/TOR/comments/cryrjx/does_tor_use_pfs/) > but I can’t find any detailed information about it, what threat models it > fits, etc. > > One specific question is, if two users are communicating by sending messages > over a connection to an onion service (like ricochet) and an attacker > surveils their internet traffic and compromises their devices at a later > date, will the attacker be able to recover the clear text of their > conversation? When are keys for a given connection destroyed? Does it happen > continuously throughout the course of a Tor connection? Or on the creation of > a new circuit? Or what? > > 3. V3 AUTH AND DOS ATTACKS > > Does v3 onion authentication protect against DOS attacks? That is, can > someone who is not authorized to connect to an onion address with > authentication enabled still cause problems for that onion address? Can they > connect to it at all, in the sense of being able to send data to the tor > client at that onion address? Or does the Tor network itself prevent this > connection from even happening? > > A related question is, if we’re looking to deny connections to an onion > address to any unauthorized users, and we’re considering turning off onion > authentication and implementing some standard authentication scheme that > seems fairly well-supported at the web server layer, is there any > security-related reason why we would be better off using Tor’s own > authentication instead? Using our own authentication scheme will be a bit > easier to control, rather than having to send commands to Tor (and possibly > restart it for removing users?) but I’m wondering if there are security > properties we lose by doing that. > > Thanks! > > Also, apologies if any of these questions aren’t clear or well-formed! > > Holmes > > _______________________________________________ > tor-dev mailing list > tor-dev@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
