Opened 6 years ago

Closed 4 years ago

Last modified 3 years ago

#10451 closed defect (wontfix)

Allow me to have a short HeartBeatPeriod

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version: Tor: 0.2.4.18-rc
Severity: Normal
Keywords: tor-relay, easy, heartbeat, needs-research
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Dec 20 20:07:47.000 [warn] HeartbeatPeriod option is too short; raising to 1800 seconds.
HeartbeatPeriod 5 minutes
Tor version 0.2.4.19 (git-9a83ee5e4d3cece4).

Please let me have a short HeartbeatPeriod! It'd be appreciated. Sometimes, I can't run tor-arm but I want frequent status updates.

Change History (11)

comment:1 Changed 6 years ago by asn

Component: - Select a component → Tor
Keywords: tor-relay easy heartbeat added

comment:2 Changed 6 years ago by arma

We should check how much computation is involved in computing the items the heartbeat tells us about. For example, I assume it walks the connection table.

But even then, doing it once every ten seconds or something shouldn't be so bad.

comment:3 Changed 6 years ago by nickm

My main concern is that logging this at too high a frequency might log unsafe-to-log fine-grained information somehow. We should analyze that question too.

comment:4 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-final

comment:5 Changed 5 years ago by nickm

Keywords: needs-research added; removed
Milestone: Tor: 0.2.5.x-final → Tor: 0.2.???

So, in particular, logging the fine-grained numbers of bytes sent and received at very high frequency is probably not too safe. How fine-grained is too fine-grained? Do we have any way to answer that?

comment:6 Changed 5 years ago by badon

To correlate vague statistics in a de-anonymizing way requires time. In short, the more time the logged statistics cover, the more time is required to use them to de-anonymize someone. Off the top of my head, this appears to be mostly limited to bulk traffic analysis, because that's what the heartbeat statistics contain. The traffic analysis scenario is fairly well studied, so I think we have a basis for insight into the risk involved here.

Firstly, an attacker must have access to the heartbeat statistics over a long period of time. I don't know how long, but let's make a wild guess that to successfully de-anonymize someone, you would need to observe at least 10'000 heartbeats. I suspect the true minimum number could be far higher, and it might be a non-linear relationship where the number of heartbeats required increases faster for longer heartbeat periods.

Here's a very simple totally made-up hypothetical example, without a non-linear increase in observation time:

If heartbeats occur every 1 second, then the attacker would need to observe for 10'000 seconds, or 2.78 hours. If heartbeats occur every 300 seconds (5 minutes), then I will make a wild guess that the attacker would need to observe for 10'000 * 300 seconds, which is 833.33 hours, or 34.72 days. All of this assumes the attacker has access to the Tor logs, which probably means log correlation via traffic analysis is less of a problem than other things the attacker might be able to do. Oh, and another thing, it probably also assumes that the logs are being written to disk, which isn't normally done.

I hope this thought experiment gives you further ideas for judging the risks that might come from implementing this idea. I think it would be very helpful and enlightening to have more status information available. The end result might be increased security, due to insights people have while observing the status information. Either way, I think it should be at least possible to configure rapid heartbeats, even if it is insecure, if only for research purposes.

comment:7 Changed 4 years ago by nickm

Severity: Normal

I am inclined to close this as wontfix; I believe it is a higher risk than described above, and would limit what we can add to the heartbeats in the future.

comment:8 Changed 4 years ago by arma

wontfix is fine with me. Anybody who wants it to be frequent is doing something kind of like being a developer, so they should either use arm/stem/the-controller, or just go remove that check in the code.

(I also don't think it's a big deal to let the heartbeat be frequent. The cat is out of the bag in terms of local logs always being fine to give to the adversary. But hey, I'm easy here.)
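
One way to get frequent status through the controller interface that comment:8 points to, as an added example that is not part of the ticket or of Tor's code: it polls the control port for the cumulative byte counters and prints per-interval deltas to the terminal only, leaving the log and HeartbeatPeriod untouched. It assumes `ControlPort 9051` is enabled in torrc with either no authentication or cookie authentication; the function names and the `cookie_path` parameter are made up for this sketch.

```python
# Added example, not code from the ticket or from Tor itself.
import socket
import time

def read_reply(f):
    """Collect control-port reply lines up to the final 'NNN <text>' line."""
    lines = []
    while True:
        line = f.readline().rstrip("\r\n")
        if not line:
            raise ConnectionError("control connection closed")
        lines.append(line)
        if line[3:4] == " ":          # a space after the code ends the reply
            return lines

def parse_getinfo(lines):
    """Turn ['250-key=value', ..., '250 OK'] into {key: value}."""
    if not lines or not lines[-1].startswith("250 "):
        raise RuntimeError(f"control port refused: {lines[-1:]}")
    pairs = (l[4:].partition("=") for l in lines[:-1] if l.startswith("250-"))
    return {key: value for key, _, value in pairs}

def command(f, text):
    """Send one command line and return the reply lines."""
    f.write(text + "\r\n")
    f.flush()
    return read_reply(f)

def poll(period=10, count=6, host="127.0.0.1", port=9051, cookie_path=None):
    """Print bytes read/written per interval; nothing is written to disk."""
    token = ""
    if cookie_path:                   # assumes CookieAuthentication 1 in torrc
        with open(cookie_path, "rb") as c:
            token = " " + c.read().hex()
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rw", encoding="ascii", newline="")
        if not command(f, "AUTHENTICATE" + token)[-1].startswith("250 "):
            raise PermissionError("authentication failed")
        last = None
        for _ in range(count):
            info = parse_getinfo(command(f, "GETINFO traffic/read traffic/written"))
            now = (int(info["traffic/read"]), int(info["traffic/written"]))
            if last is not None:
                print(f"read +{now[0] - last[0]} B, written +{now[1] - last[1]} B")
            last = now
            time.sleep(period)

if __name__ == "__main__":
    poll()
```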

comment:9 Changed 4 years ago by nickm

Resolution: wontfix
Status: new → closed

comment:10 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:11 Changed 3 years ago by nickm

Milestone: Tor: 0.3.???

Milestone deleted
