By running a relay you are disclosing your operating system and platform.
examples:
platform Tor 0.2.1.30 on Linux x86_64
platform Tor 0.2.1.29 (!r8e9b25e6c7a2e70c) on Very recent version of Windows [major=6,minor=1] [workstation] {terminal services, single user}
platform Tor 0.2.1.30 on Linux i686
platform Tor 0.2.1.30 on Very recent version of Windows [major=6,minor=1] [workstation] {personal} {terminal services, single user}
To minimize info. discl. the version string should not include the operating system and platform by default.
Yeah, this one is more controversial. (I suspect this trac entry is a duplicate of several others.)
The trouble is that we actually use this general info for statistics, to get a sense of network growth, to understand if a certain bug is troubling certain subsets of our relays only, etc.
We used to provide much more detail, and we pared it down to just OS and arch. (I believe Tor 0.2.2.7-alpha and later provide less info about Windows than your example.)
Making it optional reduces the value to us a lot. Might as well just take it out if we are to do that.
I'm not convinced that the information we're revealing is increasing the harm greatly, compared to what you could learn anyway by remote fingerprinting.
The flip side is a) if you can know exactly what the platform and arch is, you can do your exploits with less risk of getting noticed, and remote fingerprinting really isn't perfect, and b) come on, how much value is there really in knowing this stuff.
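As an added illustration (not code from Tor or from anyone in this thread): a small Python parser for the platform lines quoted in the ticket. It tallies relays by OS family and architecture, the kind of statistic described above, and shows a version-only form of the line. The function names and the version-only format are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: the four platform lines quoted in the ticket description.
SAMPLE = [
    "platform Tor 0.2.1.30 on Linux x86_64",
    "platform Tor 0.2.1.29 (!r8e9b25e6c7a2e70c) on Very recent version of Windows "
    "[major=6,minor=1] [workstation] {terminal services, single user}",
    "platform Tor 0.2.1.30 on Linux i686",
    "platform Tor 0.2.1.30 on Very recent version of Windows "
    "[major=6,minor=1] [workstation] {personal} {terminal services, single user}",
]

# "platform Tor <version> [(<build id>)] on <free-form OS text>"
PLATFORM_RE = re.compile(
    r"^platform Tor (?P<version>\S+)(?: \((?P<build>[^)]*)\))? on (?P<os>.+)$"
)

def parse_platform(line):
    """Split a descriptor 'platform' line into Tor version, build id and OS text."""
    m = PLATFORM_RE.match(line.strip())
    if m is None:
        return None  # not a platform line, or a format this sketch does not know
    os_text = m.group("os")
    family = "Windows" if "Windows" in os_text else os_text.split()[0]
    # On the Unix-style sample lines the last token is the architecture;
    # the Windows sample lines carry no architecture field.
    arch = None if family == "Windows" else os_text.split()[-1]
    return {"version": m.group("version"), "build": m.group("build"),
            "os_family": family, "arch": arch, "os_text": os_text}

def tally(lines):
    """Count relays per (OS family, arch), skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        parsed = parse_platform(line)
        if parsed:
            counts[(parsed["os_family"], parsed["arch"])] += 1
    return counts

def version_only(line):
    """Hypothetical form of the line with OS and platform omitted (the proposal)."""
    parsed = parse_platform(line)
    return None if parsed is None else "platform Tor " + parsed["version"]

if __name__ == "__main__":
    for key, count in sorted(tally(SAMPLE).items(), key=str):
        print(key, count)
```

A relay operator can run the same parser over the platform line of their own descriptor to see exactly which fields it publishes.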
Yes, I understand your reason for collecting this information, and I acknowledge that most people probably do not mind publishing OS and arch in the version string.
What about including it by default and offering a possibility to opt out without the need to patch and recompile?
PublishOsVersion 0|1
This setting specifies if your relay descriptor contains your OS version string or not. The Tor Project (and others) use this published information to create statistics about network growth and to understand if certain bugs are troubling certain Tor versions only. This information is of little use for an attacker. (Default: 1)
Any kind of option will lead to a nontrivial amount of relays setting it, which makes the entire idea broken. We should either remove it or (my preference) keep it as it is.
I do not ignore the fact that this is useful information, but my opinion is that a relay operator should be free to decide whether he wants to disclose this information or not.
I think also if there will be something like 'PublishOsVersion' option, most relays will continue to publish this information.
They are free to make that decision. They have the source code for Tor, they are free to modify their copy of Tor to either not report its version and/or platform or report a false version and/or platform, and they are free to run their modified copy of Tor as a relay on the public Tor network.
But if many relays do not report their version and platform, and a significant number of them later become incompatible with the rest of the Tor network, we will have to drop all relays that do not provide that information from the consensus. That could be bad.
I'm leaving this ticket open for now, because ioerror has also suggested this option, but I think it's a bad idea.
they are free to modify their copy of Tor to either not report its version and/or platform or report a false version and/or platform, and they are free to run their modified copy of Tor as a relay on the public Tor network.
Sebastian wrote:
Not reporting version is actively harmful, because Tor clients use that to decide what to use a given relay for.
(from #2980 (moved))
Any kind of option will lead to a nontrivial amount of relays setting it, which makes the entire idea broken. We should either remove it or (my preference) keep it as it is.
If we make it opt-out and a nontrivial number of relays actually opt out, that would convince me that we should turn it off by default. Relay operators are volunteers after all, and we shouldn't make their Tor do something they dislike too much unless we have an excellent reason.
So I could be talked into adding this as an opt-out feature, sure.
(Disabling the reporting of your Tor version should not be easy, though -- we use that as part of the protocol. That said, we might be able to tolerate not publishing the git hash. Though we already run into problems with people running maint-0.2.2 (which reports they're running Tor 0.2.2.19-alpha when actually they're running something much closer to release-0.2.2).)
weasel got super mad when we didn't have a git hash anymore, he was using it to see how many users his packages have I believe. Maybe we are ok with sacrificing that, but we should let him know beforehand.
Also, if we stop putting in the version, we will need to add more flags showing the compatibility with certain protocol features. I think we should do that, because putting in the version is a prohibitor for alternative relay implementations of Tor. Not that there are any currently, but hey. But as soon as we have that info in, relays' versions are again detectable (at least in a certain range of versions) because they will advertise different capabilities. I don't really see a way to solve this.
But as soon as we have that info in, relays' versions are again detectable (at least in a certain range of versions) because they will advertise different capabilities
The applied security people I talk to make a big deal out of whether the identification is exact or almost exact. The distinction is whether your exploit has zero chance of being noticed (because you target only and exactly the vulnerable versions) or close-to-zero chance of being noticed. So I think they would regard "in a certain range of versions" as a huge improvement.
If we make it opt-out and a nontrivial number of relays actually opt out, that would convince me that we should turn it off by default. Relay operators are volunteers after all, and we shouldn't make their Tor do something they dislike too much unless we have an excellent reason.