Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#4115 closed defect (fixed)

Bridges should switch to using begindir

Reported by: arma
Owned by: arma
Priority: High
Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor
Keywords: tor-bridge

Description

Back when we fixed bug #827, the resolution was that relays, including bridges without an explicit Address set, would avoid using begindir cells when making their directory fetches. See directory_command_should_use_begindir():

    if (!fascist_firewall_allows_address_or(addr, or_port) ||
        directory_fetches_from_authorities(options) ||
        (server_mode(options) && !options->Address))
      return 0; /* We're firewalled or are acting like a relay -- also no. */

For the history, see in particular
https://trac.torproject.org/projects/tor/ticket/827#comment:29

Time has passed. Now all those new Tor 0.1.2.x relays are gone, and the 0.1.1.x clients that were providing cover for bridges are long gone.

That means you can find bridges by running a relay and seeing who talks to your DirPort directly.

I suggest we should simplify the logic to just

    if (!fascist_firewall_allows_address_or(addr, or_port))
      return 0;

then put out a new 0.2.3.x release to make sure it doesn't break things, then put it into 0.2.2 stable as a security fix.
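
The two conditions quoted in the description above, compared side by side. This is an added example, not Tor source and not the reporter's code: the struct fields and sample nodes are constructed stand-ins for the results of the real helper functions, and the model assumes a fetch uses begindir whenever the quoted condition does not return 0.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for what the quoted condition consults; names are hypothetical. */
typedef struct {
  const char *label;
  bool fw_allows_orport;   /* fascist_firewall_allows_address_or() result */
  bool fetches_from_auths; /* directory_fetches_from_authorities() result */
  bool server_mode;        /* server_mode(options) result */
  bool address_set;        /* options->Address is non-NULL */
} node_model_t;

/* Condition quoted in the ticket. 1 = begindir, 0 = direct DirPort fetch.
 * Assumption: anything the condition does not reject uses begindir. */
int use_begindir_old(const node_model_t *n)
{
  if (!n->fw_allows_orport || n->fetches_from_auths ||
      (n->server_mode && !n->address_set))
    return 0;
  return 1;
}

/* Simplified condition proposed in the ticket. */
int use_begindir_proposed(const node_model_t *n)
{
  return n->fw_allows_orport ? 1 : 0;
}

/* 1 if the proposal moves this node off direct DirPort fetches. */
int becomes_tunnelled(const node_model_t *n)
{
  return !use_begindir_old(n) && use_begindir_proposed(n);
}

/* Constructed sample configurations, not measurements. */
static const node_model_t SAMPLES[] = {
  {"client",                     true,  false, false, false},
  {"bridge, no Address set",     true,  false, true,  false},
  {"relay fetching from auths",  true,  true,  true,  true},
  {"client, OR port firewalled", false, false, false, false},
};

int main(void)
{
  for (size_t i = 0; i < sizeof(SAMPLES) / sizeof(SAMPLES[0]); i++)
    printf("%-28s old=%d proposed=%d changed=%d\n", SAMPLES[i].label, use_begindir_old(&SAMPLES[i]),
           use_begindir_proposed(&SAMPLES[i]), becomes_tunnelled(&SAMPLES[i]));
  return 0;
}
```

The bridge row is the case this ticket ends up covering; the relay row is the part later split out to #4130.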

Change History (9)

comment:1 Changed 8 years ago by arma

It's worth noting that having relays do plaintext dir fetches to the authorities is more efficient, since they don't need to set up the TLS tunnel just to fetch their thing. If we make them switch to begindir, basically all relays will have TLS connections open to the authorities most of the time.

That doesn't bother me though. Should it?

comment:2 in reply to: description; Changed 8 years ago by cypherpunks

Replying to arma:

> That means you can find bridges by running a relay and seeing who talks to your DirPort directly.

No chance to bypass bridge detecting completely, every bridge still distinguishable by create cell.

    /* Decide whether the first hop of circ is built with CREATE_FAST. */
    static int
    should_use_create_fast_for_circuit(origin_circuit_t *circ)
    {
      or_options_t *options = get_options();
      tor_assert(circ->cpath);
      tor_assert(circ->cpath->extend_info);

      if (!circ->cpath->extend_info->onion_key)
        return 1; /* our hand is forced: only a create_fast will work. */
      if (!options->FastFirstHopPK)
        return 0; /* we prefer to avoid create_fast */
      if (server_mode(options)) {
        /* We're a server, and we know an onion key. We can choose.
         * Prefer to blend in. */
        return 0;
      }

      return 1;
    }

Bridge-detector example:

    if (or_circ && !or_circ->is_first_hop &&
        rh.command == RELAY_COMMAND_BEGIN_DIR) {
      /* non-mirror relay detected or bridge, filter it by consensus. */
    }

comment:3 Changed 8 years ago by arma

Status: new → needs_review

I've pushed a conservative patch to maint-0.2.2 as bug4115 in my arma repository.

This fixes the 'bug' side of it. The 'feature' side of whether relays should switch to begindir (improves their resistance to tampering on the wire, including tampering of unauthenticated stuff like x-your-address-is; but increases the load they place on the authorities) should imo have nothing to do with 0.2.2.

comment:4 Changed 8 years ago by arma

Owner: set to arma
Status: needs_review → accepted

Nick said it's ok. Merged.

comment:5 in reply to: 2; Changed 8 years ago by arma

Status: accepted → needs_review

Replying to cypherpunks:

> No chance to bypass bridge detecting completely, every bridge still distinguishable by create cell.

Good point! I just pushed a bug4115b branch to my arma repo, also targeted to maint-0.2.2

comment:6 in reply to: 5; Changed 8 years ago by arma

Status: needs_review → accepted

Replying to arma:

> Replying to cypherpunks:
>
> > No chance to bypass bridge detecting completely, every bridge still distinguishable by create cell.
>
> Good point! I just pushed a bug4115b branch to my arma repo, also targeted to maint-0.2.2

Actually, Nick suggested I make a separate bug. It is #4124 (and has been merged).

comment:7 Changed 8 years ago by arma

Component: Tor Relay → Tor Bridge
Resolution: fixed
Status: accepted → closed
Summary: "Relays and bridges should switch to using begindir" → "Bridges should switch to using begindir"

This ticket is now only about the bridge aspect, which is fixed. I've opened #4130 for the relay side of the question.

comment:8 Changed 7 years ago by nickm

Keywords: tor-bridge added

comment:9 Changed 7 years ago by nickm

Component: Tor Bridge → Tor