Changes between Initial Version and Version 1 of doc/TorFragileHardening


Timestamp: Feb 1, 2017, 3:26:16 PM (2 years ago)
Author: nickm
Comment: new page about whether or not to enable fragile hardening

== Should I use --enable-expensive-hardening? ==

Does "expensive-hardening" make your Tor more secure or less secure? The answer isn't obvious!

The 'expensive-hardening' option replaces a number of underlying bugs with aborts. If any of these underlying bugs was remotely triggerable, it becomes a remotely triggerable abort.

Some possible underlying bugs here are actually harmless -- like the integer underflow bug in TROVE-2017-001, or the read-one-extra-byte bug of TROVE-2016-12-002[*]. So long as any bugs like these exist, "expensive-hardening" will make your Tor more vulnerable to remote denial of service.

But some possible underlying bugs are potential trouble -- like if we had an actual stack overflow bug or a heap overflow bug. "expensive-hardening" can replace some of these with aborts too. So long as any bugs like these exist, "expensive-hardening" makes it a little more difficult to do RCE or heartbleed-style leaks against your Tor.

The first kind of bug seems much more common in practice over Tor's history. But the impact of the second kind would be significantly worse.

So using "expensive-hardening" in production means "Make me much more vulnerable to remote DoS, but (probably) less vulnerable to RCE or heartbleed."

I don't think that's an obvious "yes", but I'm also not totally sure it's an obvious "no".