Opened 7 years ago

Closed 4 years ago

#8188 closed enhancement (wontfix)

Introduce MaxCircuitDirtiness per listener

Reported by: bastik Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-client
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Now that you have such nice isolation features per listener, how about supporting different MaxCircuitDirtiness values for each?

SocksPort Max(Circuit)Dirtiness 480
SocksPort IsolateDestAddr Max(Circuit)Dirtiness 1200

I don't want to deprecate MaxCircuitDirtiness as it is right now. The option could be named MTTA (MaxTimeToAttach) or similar. Unset uses the default value of MaxCircuitDirtiness. Maybe the value -1 disables it for that listener.

Setting a lowest possible value should be considered to avoid clients overloading the network.

Child Tickets

Change History (4)

comment:1 Changed 7 years ago by nickm

Keywords: tor-client added
Milestone: Tor: unspecifiedTor: 0.2.5.x-final

I like this idea.

comment:2 Changed 7 years ago by bastik

My initial thought on anonymity was that since everything goes over different circuits (not exits, which may happen coincidently) it would be safe to assume that exits can see how long sessions tend to be, but that it would not be a fingerprinting/profiling vector.

More recently I thought it could be problematic, because clients may stick out.

Previously I thought the stream isolation would make it safe.

However if exit operators see that some sessions last (e.g.) 20 minutes and this wouldn't be the case very often, while different protocol sessions last about 7 minutes, what might be not so common either, they can indeed fingerprint/profile on that.

Given an adversary that was able to correlate traffic once and if he/she realized that the sessions was about 20 minutes long, which doesn't happen normally, all it takes is looking for a 20 minute session to identify a user.

I couldn't come up with a "fix" for this, other than using fixed values for this feature. So that clients can pick 5, 10, 15 or 20 minutes rather than custom values for this feature.

I thought about thinking about this [nice construction] issue not expecting to come up with a reasonable approach.

Since you, nickm, set a soon to come milestone, which obviously can be changed around as you like, I add my concern(s). I'm quite surprised (and glad) that you actually like this idea, not that you should dislike it, as it might jeopardize users anonymity. You've more insight into this topic, for sure.

comment:3 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-finalTor: unspecified

Indeed, bastik is right; this is a less obviously good idea than I'd thought.

comment:4 Changed 4 years ago by bastik

Resolution: wontfix
Severity: Normal
Status: newclosed

This appeared to be a bad idea after thinking about it for longer and since two years after said thoughts no one seems to have thought or think otherwise.

Therefore I am closing this ticket.

Note: See TracTickets for help on using tickets.