Opened 9 years ago

Closed 2 years ago

#1796 closed defect (wontfix)

write-history and read-history in extra-infos leaks the relay's used bandwith if the bandwidth limit is changed

Reported by: lancelot666 Owned by:
Priority: Low Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor: unspecified
Severity: Normal Keywords: write-history read-history tor-relay
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

If a user changes the bandwidth limit to a different value, the next update of the write/read-history (after a reload of the config) contains different values. By the difference of the values an attacker could infer how much bandwidth the user used by himself.

Lets assume the extra info reports 18432000 (B) for a 15 min period. After increasing the bandwidth limit and reloading the server, the next update reports 23404544 (B) for the same 15 min period. Thus, an attacker can infer how much bandwidth the user/relay used by its own in this period.

Child Tickets

Attachments (2)

before_increase.txt (2.0 KB) - added by lancelot666 9 years ago.
Extra-Info - values are limited to 18432000
after_increase.txt (2.0 KB) - added by lancelot666 9 years ago.
Extra-Info - values are limited now limited to 32256000

Download all attachments as: .zip

Change History (9)

Changed 9 years ago by lancelot666

Attachment: before_increase.txt added

Extra-Info - values are limited to 18432000

Changed 9 years ago by lancelot666

Attachment: after_increase.txt added

Extra-Info - values are limited now limited to 32256000

comment:1 Changed 9 years ago by Sebastian

I don't see how this is an issue with specifying RelayBandwidthRate instead of BandwidthRate. Please explain more?

comment:2 Changed 9 years ago by lancelot666

The maximum reported bandwidth depends on the RelayBandwithRate:

From rephist.c (List 1574)

if (options->RelayBandwidthRate ){

cutoff = options->RelayBandwidthRate * NUM_SECS_BW_SUM_INTERVAL;

} else{

cutoff = UINT64_MAX;

}
...
if (total > cutoff) total = cutoff;

I don't know how to describe it in a different way :/. By cutting only with the current value and not the old value previously stated in the config file, one leaks some information one might want to hide. I'm not sure, but the Bug #516 (fixed) mentioned a similar problem.

comment:3 Changed 9 years ago by nickm

Milestone: Tor: 0.2.3.x-final

Needs more diagnosis, but we should do the diagnosis on a reasonable timeframe. Putting this in 0.2.3.x for now. If it does prove to be serious, it should get backported.

comment:4 Changed 7 years ago by nickm

Milestone: Tor: 0.2.3.x-finalTor: unspecified

comment:5 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:6 Changed 7 years ago by nickm

Component: Tor RelayTor

comment:7 Changed 2 years ago by nickm

Resolution: wontfix
Severity: Normal
Status: newclosed
Note: See TracTickets for help on using tickets.