Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#5343 closed defect (fixed)

Require a threshold of exit nodes before believing we can build circuits

Reported by: nickm
Priority: High
Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor
Keywords: tor-client
Parent ID: #5456

Description

We should not allow circuits to get built unless we know descriptors for a sufficiently large fraction of exit nodes.

This should mitigate an attack proposed by wanoskarnet, wherein your bridges collude to only tell you about compromised exits. See also #5342.

Change History (10)

comment:1 Changed 7 years ago by nickm

Status: new → needs_review

Please review branch "bug5343" in my public repository. It's a patch on 0.2.2.x. I chose the "1/3" threshold more or less at random.

comment:2 Changed 7 years ago by nickm

Resolution: fixed
Status: needs_review → closed

merged, removing the final clause after review by wanoskarnet.

comment:3 Changed 7 years ago by mikeperry

Parent ID: #5456

I am going to make this a child of #5456 for reference purposes even though it was fixed independently. I think it is useful to see specific instances of path bias when thinking about general mitigation.

comment:4 Changed 7 years ago by mikeperry

FYI: My gut says that 1/3 is pretty low. Personally, I'd want the fraction to be based on measured bandwidth and be more like 80%. However, if we want to set "reliable" lenient thresholds for this and #5458, only to fine tune them later in another ticket, we can do that. But if so, we should create that other ticket now.

comment:5 Changed 7 years ago by arma

Resolution: fixed
Status: closed → reopened

reopening since it seems mike wants a response

As for thresholds, see also #3196. (oh hey, there's a branch to review there!)

comment:6 Changed 7 years ago by mikeperry

Hrmm.. My bias is towards forward progress, though. So long as there's some tunable safeguard, we should roll it out and just make the change later if we feel we can refine it (should maybe be a consensus param? Doesn't really matter though). Changing the value also shouldn't block 0.2.2.36, IMO, especially since it's already done.

Perhaps the other ticket can be "Choose circuit building thresholds based on fraction of consensus weight" or something? Depends on how we want to consolidate these issues and how we want to track the changes...

comment:7 in reply to:  6 Changed 7 years ago by arma

Replying to mikeperry:

Changing the value also shouldn't block 0.2.2.36, IMO

That's good, because I just released it.

comment:8 Changed 7 years ago by nickm

Resolution: fixed
Status: reopened → closed

Opened #5956 for followup issues here; closing this ticket.

comment:9 Changed 7 years ago by nickm

Keywords: tor-client added

comment:10 Changed 7 years ago by nickm

Component: Tor Client → Tor
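Added example (not Tor's code and not written by anyone on this ticket): a sketch of the two threshold rules discussed in the thread, the 1/3 fraction from comment:1, read here as a fraction by relay count, and the bandwidth-weighted 80% floated in comment:4. The struct, function names and sample weights are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified record for one Exit-flagged relay in the consensus. */
typedef struct {
    uint32_t weight;      /* consensus bandwidth weight (constructed values) */
    int have_descriptor;  /* nonzero if we hold a usable descriptor for it */
} exit_entry_t;

/* Count rule: descriptors known for at least num/den of the listed exits. */
int enough_exits_by_count(const exit_entry_t *e, size_t n,
                          unsigned num, unsigned den)
{
    size_t have = 0;
    if (n == 0 || den == 0)
        return 0;                       /* fail closed: nothing to judge by */
    for (size_t i = 0; i < n; i++)
        have += e[i].have_descriptor ? 1 : 0;
    return (uint64_t)have * den >= (uint64_t)n * num;  /* no float rounding */
}

/* Weight rule: descriptors must cover at least pct% of total exit weight. */
int enough_exits_by_weight(const exit_entry_t *e, size_t n, unsigned pct)
{
    uint64_t total = 0, have = 0;
    for (size_t i = 0; i < n; i++) {
        total += e[i].weight;
        if (e[i].have_descriptor)
            have += e[i].weight;
    }
    if (total == 0)
        return 0;                       /* fail closed */
    return have * 100 >= total * pct;
}

/* Constructed sample: descriptors supplied only for the three smallest exits. */
static const exit_entry_t sample[] = {
    {5000, 0}, {4000, 0}, {3000, 0}, {100, 1}, {100, 1}, {100, 1},
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    printf("count >= 1/3: %d\n", enough_exits_by_count(sample, SAMPLE_N, 1, 3));
    printf("weight >= 80%%: %d\n", enough_exits_by_weight(sample, SAMPLE_N, 80));
    return 0;
}
```

On the constructed sample the count rule is satisfied while the weight rule is not, which is the gap between the two thresholds that the follow-up discussion is about.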