Opened 8 years ago

Closed 8 years ago

#2659 closed enhancement (implemented)

Vidalia should let Torbutton NEWNYM

Reported by: mikeperry Owned by: chiiph
Priority: High Milestone:
Component: Archived/Vidalia Version:
Severity: Keywords:
Cc: mikeperry Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I think we're getting closer to a working vision for implementing NEWNYM support in the browser in ticket #523. We basically have two options:

  1. Have vidalia pass Firefox the Control Port password in an ENV variable, so Torbutton could speak to the Tor Control Port to NEWNYM.
  1. Create a 'Least Privilege' Control Port that does not require authentication, that implements a safe subset of the Tor control port, including SIGNAL NEWNYM.

Option 2 can be done either in Tor (hard), or as a proxy filter in Vidalia (easier).

Either of these options requires just about the same amount of work in Torbutton, and if done correctly, Torbutton should conceivably be able to use either Control Port, because they should both have the same exact syntax for the relevant commands and events.

Child Tickets

Change History (9)

comment:1 Changed 8 years ago by mikeperry

FYI: If we can commit to doing either of these two options, I can begin work on #523 right away, since the code should be equivalent, and since I should be able to test with the current control port.

comment:2 Changed 8 years ago by mikeperry

Cc: mikeperry added; chiiph removed

comment:3 in reply to:  description ; Changed 8 years ago by chiiph

Status: newaccepted

Replying to mikeperry:

  1. Create a 'Least Privilege' Control Port that does not require authentication, that implements a safe subset of the Tor control port, including SIGNAL NEWNYM.

Option 2 can be done either in Tor (hard), or as a proxy filter in Vidalia (easier).

Either of these options requires just about the same amount of work in Torbutton, and if done correctly, Torbutton should conceivably be able to use either Control Port, because they should both have the same exact syntax for the relevant commands and events.

I'd go for option (2). It gives TorButton controller functionality without implementing an actual controller there, and it gives the possibility of TorButton<->Vidalia communication for (may be) specific commands regarding TBB usability that don't concern Tor directly.

comment:4 Changed 8 years ago by atagar

When there's a solid plan I'll add the same support to arm too. A long while back Jake mentioned the idea of having a parallel 'safe control port' which just had read-only access (in this case with an option to allow NEWNYM as well). I kinda favor that option but if there's no one willing to make the modification in Tor then the second option certainly sounds easier.

Cheers! -Damian

comment:5 in reply to:  3 Changed 8 years ago by rransom

Replying to chiiph:

Replying to mikeperry:

  1. Create a 'Least Privilege' Control Port that does not require authentication, that implements a safe subset of the Tor control port, including SIGNAL NEWNYM.

Option 2 can be done either in Tor (hard), or as a proxy filter in Vidalia (easier).

Why would it be easier to write a new parser/unparser for the control port protocol (and hope that it parses and unparses exactly the same syntax that Tor does) than to add access-control checks to Tor's existing ControlPort code?

Either of these options requires just about the same amount of work in Torbutton, and if done correctly, Torbutton should conceivably be able to use either Control Port, because they should both have the same exact syntax for the relevant commands and events.

I'd go for option (2). It gives TorButton controller functionality without implementing an actual controller there, and it gives the possibility of TorButton<->Vidalia communication for (may be) specific commands regarding TBB usability that don't concern Tor directly.

Torbutton will need to support part of Tor's control-port protocol in either case.

comment:6 in reply to:  description ; Changed 8 years ago by Sebastian

Replying to mikeperry:

  1. Create a 'Least Privilege' Control Port that does not require authentication, that implements a safe subset of the Tor control port, including SIGNAL NEWNYM.

Executing newnym commands without authentication doesn't sound very safe.

comment:7 in reply to:  6 Changed 8 years ago by rransom

Replying to Sebastian:

Replying to mikeperry:

  1. Create a 'Least Privilege' Control Port that does not require authentication, that implements a safe subset of the Tor control port, including SIGNAL NEWNYM.

Executing newnym commands without authentication doesn't sound very safe.

More concretely: An attacker who can connect to Tor's SOCKS port and this ‘safe’ control port can send SIGNAL NEWNYM repeatedly until Tor starts sending traffic to an exit node that the attacker controls. Or, an attacker can mark the client's traffic with a distinctive pattern of exit-node changes, and buy an ad server's logs later to identify the user's pseudonym.

comment:8 Changed 8 years ago by chiiph

Mike: Can we consider this closed now that TorButton has access to the controlport/passwd?

comment:9 in reply to:  8 Changed 8 years ago by rransom

Resolution: implemented
Status: acceptedclosed

Replying to chiiph:

Mike: Can we consider this closed now that TorButton has access to the controlport/passwd?

Yes.

Note: See TracTickets for help on using tickets.