Opened 13 days ago

Last modified 11 days ago

#32637 assigned defect

SocksPort IPv6 flags differ in default config and in Torlauncher prefs, and exits can distinguish them

Reported by: cypherpunks
Owned by: teor
Priority: Medium
Milestone: Tor: 0.4.3.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 043-should, ipv6, security-low, no-backport, teor-backlog
Cc: teor, gk
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description

By default, the tor daemon sets only the IPv6Traffic flag on client sockets, but not PreferIPv6
https://gitweb.torproject.org/tor.git/tree/src/app/config/config.c#n6094

But Torlauncher sets them both when it launches the tor daemon with Tor Browser
https://gitweb.torproject.org/tor-launcher.git/tree/src/defaults/preferences/torlauncher-prefs.js#n41

As I can see in the spec, these flags set bits in the "FLAGS" value in the RELAY_BEGIN cell, and exit relays can recognize which flags are set in the client port settings. So, exits can distinguish circuits from Tor Browser Bundle clients and, for example, from daemons in Linux distro repositories, with a high level of probability.
https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt#n1595

Are there any reasons why the PreferIPv6 flag is not turned on by default? This issue was raised in the past (#21269), but the solution is not efficient - anyway, the flags sent to the exit by default differ from the vast majority of real use cases - surfing the web with TBB.

Change History (3)

comment:1 Changed 11 days ago by nickm

Cc: teor gk added
Milestone: Tor: 0.4.3.x-final

Adding teor for ipv6 expertise, gk for TB expertise.

comment:2 Changed 11 days ago by teor

Keywords: 043-should ipv6 security-low no-backport added
Points: 1

This is a low-severity security issue, because it involves one bit of information leakage from clients to exits, and the anonymity sets are still quite large. (Particularly because every client creates preemptive circuits, and many send traffic over those circuits.)

We should set PreferIPv6 by default in our first 0.4.3 alpha, and expect a small amount of breakage:

  • A few tools may use dual-stack DNS, but expect IPv4-only connections. Or the IPv6 might be broken at the remote end.
  • IPv6 exits are still rarer than IPv4 exits
  • Tor's retry logic may be able to do better with IPv6-only sites, but that risks leaking information about previous exits' responses to the client

We should not backport:

  • Some long-standing IPv6 bugs are only fixed in 0.4.3

comment:3 Changed 11 days ago by teor

Keywords: teor-backlog added
Owner: set to teor
Status: new → assigned

I'm probably the best person to do this, and the next 2 months are a good time to do it,
