Opened 9 months ago

Last modified 3 months ago

#24872 accepted defect

remove outdated tor relay security recommendations and update these wiki pages

Reported by: cypherpunks
Owned by: Jaruga
Priority: Medium
Milestone:
Component: Community/Relays
Version:
Severity: Normal
Keywords:
Cc: phoul
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

While working on #24497 I wanted to link to existing security related recommendations and found:

https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity
https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity

IMHO these are severely outdated and give bad advice.

I'm proposing to remove some outdated content, and if no one disagrees I'll proceed soon.
I'll send an email to tor-dev about this.

Child Tickets

Change History (14)

comment:1 Changed 9 months ago by dgoulet

Component: - Select a component → Community/Tor Support
Owner: set to phoul

Tentatively setting a component.

comment:2 Changed 7 months ago by Jaruga

Owner: changed from phoul to Jaruga
Status: new → assigned

I'll get to this on the weekend.

comment:3 Changed 7 months ago by Jaruga

Status: assigned → accepted

Accepting.

comment:4 Changed 4 months ago by alison

Maybe check those old pages for any salvageable info, then add it to the relays ops wiki, then remove the old pages? Here's the relay ops wiki: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

comment:5 Changed 4 months ago by phoul

Cc: phoul added

comment:6 in reply to: 4 Changed 4 months ago by Jaruga

Replying to alison:

Can do, and thanks for the reminder on this ticket! I'll add this to my todo list.

comment:7 in reply to: 4 Changed 4 months ago by nusenu

Replying to alison:

Maybe check those old pages for any salvageable info, then add it to the relays ops wiki, then remove the old pages? Here's the relay ops wiki: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

I'd prefer it if a security section were on a separate page, since the relay guide is already a long and ugly single-pager.

And I'm happy to review security recommendations.

comment:8 Changed 3 months ago by Jaruga

Update: Looked over the pages and pulled out what I thought were relevant points, then rewrote the sections. Published it on https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/Security. A review would be greatly appreciated. :)

comment:9 Changed 3 months ago by nusenu

Let me start with an important question:

  • What is the scope of the security recommendations? (What do you aim to cover?)

comment:10 Changed 3 months ago by nusenu

Component: Community/Tor Support → Community/Relays

comment:11 Changed 3 months ago by Jaruga

The idea is that the page can be used as a general overview of topics relating to relay security. As it stands it only features the valuable information that was extracted from the pages that this ticket notes, though I imagine there are likely things located in the wiki / the main doc which might find a suitable home there.

I understand it can quickly become a mess if it goes into OS specifics for every suggestion added, and things like the iptables config are already located elsewhere on the wiki. If there's another way you'd like to see it done I'm open to suggestions.

comment:12 Changed 3 months ago by nusenu

I'd propose:

  • let's limit the scope to tor in relay mode only (tor clients or tor onion services are not covered) - this is somewhat obvious since the page lives under /TorRelayGuide
  • title "Tor Relay Security Best Practices"
  • have a (small) generic/high level section that applies to all platforms (because we can not cover every possible OS)
    • this section will not include step-by-step instructions since it is OS independent
    • the physical security section
    • OS (hardware vs. virtual, OS level access authentication, pointer to auto-updates)
  • have a (bigger) section for tor
    • primarily focuses on the tor daemon itself and its security relevant settings and recommendations
  • convey the order in which different options are preferred (example: bare metal installations are considered better than VPS installation)
  • consider the current installation steps as a baseline and tell people what they could do on top of that if they want to do better than that
  • include no-gos
  • avoid conflicting statements regarding disk encryption
  • maybe have something like levels
    • basic (default install as described per the guide + auto updates)
    • intermediate
    • high (runs on hardware, 2FA, offline master keys with signing key lifetime < 30day)
  • let's remove the following sections:
    • "Tor-only firewalling with iptables" (because we cover it generically for all platforms in the generic section)
    • Coldboot attacks (due to new offline master key section that mitigates this attack vector)
  • Replace section "Restricting SSH access" with a recommendation to use strong authentication (part of the generic section)

comment:13 Changed 3 months ago by Jaruga

Noted! Thank you lots for taking the time to give such a thorough review. I will work on these revisions first thing when I'm at my desk tomorrow, and will let you know when it is ready for another look.

comment:14 Changed 3 months ago by nusenu

I didn't intend to tell you what has to be written.
If you like the proposed things, I can write a draft.
