Require a threshold of exit nodes before believing we can build circuits

We should not allow circuits to get built unless we know descriptors for a sufficiently large fraction of exit nodes.

This should mitigate an attack proposed by wanoskarnet, wherein your bridges collude to only tell you about compromised exits. See also #5342 (moved).

changed milestone to %Tor: 0.2.2.x-final

added component::core tor/tor milestone::Tor: 0.2.2.x-final parent::5456 priority::high resolution::fixed status::closed tor-client type::defect labels

Please review branch "bug5343" in my public repository. It's a patch on 0.2.2.x. I chose the "1/3" threshold more or less at random.

Trac:
Status: new to needs_review

merged, removing the final clause after review by wanoskarnet.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

I am going to make this a child of #5456 (moved) for reference purposes even though it was fixed independently. I think it is useful to see specific instances of path bias when thinking about general mitigation.

Trac:
Parent: N/A to #5456 (moved)

FYI: My gut says that 1/3 is pretty low. Personally, I'd want the fraction to be based on measured bandwidth and be more like 80%. However, if we want to set "reliable" lenient thresholds for this and #5458 (moved), only to fine tune them later in another ticket, we can do that. But if so, we should create that other ticket now.

reopening since it seems mike wants a response

As for thresholds, see also #3196 (moved). (oh hey, there's a branch to review there!)

Trac:
Status: closed to reopened
Resolution: fixed to N/A

Hrmm.. My bias is towards forward progress, though. So long as there's some tunable safeguard, we should roll it out and just make the change later if feel we can refine it (should maybe be a consensus param? Doesn't really matter though). Changing the value also shouldn't block 0.2.2.36, IMO, especially since it's already done.

Perhaps the other ticket can be "Choose circuit building threshholds based on faction of consensus weight" or something? Depends on how we want to consolidate these issues and how we want to track the changes...

Replying to mikeperry:

Changing the value also shouldn't block 0.2.2.36, IMO

That's good, because I just released it.

Opened #5956 (moved) for followup issues here; closing this ticket.

Trac:
Status: reopened to closed
Resolution: N/A to fixed

Trac:
Keywords: N/A deleted, tor-client added

Trac:
Component: Tor Client to Tor

closed

mentioned in issue #5956 (moved)

moved to tpo/core/tor#5343 (closed)

mentioned in issue tpo/core/tor#5956 (closed)