Bug #11285: Check if we need to disable UseDefaultFallbackDirs in Tor 0.2.8+

Bug #11285

Check if we need to disable UseDefaultFallbackDirs in Tor 0.2.8+

Added by intrigeri 2016-03-26 10:32:47 . Updated 2016-05-08 03:39:27 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Tor configuration

Target version:

Tails_2.4

Start date:

2016-03-26

Due date:

% Done:

100%

Feature Branch:

Type of work:

Research

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

https://lists.torproject.org/pipermail/tor-dev/2016-March/010594.html impacts https://tails.boum.org/contribute/design/Time_syncing/. Do we need to disable it?

At first glance, using fallback directory mirrors brings the security for non-bridges users down to the level that bridges users have had forever with tordate, except that bridge (very-power-)users get to choose which bridge(s) they trust for that, while non-bridges users won’t be in a position to choose which fallback directory mirror they trust.

Subtasks

Related issues

Related to Tails - Feature #5774: Robust time syncing

In Progress

2015-05-17

History

#1 Updated by intrigeri 2016-03-26 10:33:16

related to Feature #5774: Robust time syncing added

#2 Updated by intrigeri 2016-03-26 10:35:29

Assignee set to anonym
QA Check set to Ready for QA

anonym: given what I wrote in the description, I think we don’t need to disable that new feature, but we’ll need to update the design doc accordingly. What do you think?

#3 Updated by anonym 2016-04-13 07:06:44

Assignee changed from anonym to intrigeri
QA Check changed from Ready for QA to Info Needed

intrigeri wrote:
> anonym: given what I wrote in the description, I think we don’t need to disable that new feature, but we’ll need to update the design doc accordingly. What do you think?

I agree.

However, I wonder if we have to rethink how we decide which nodes are ok to contact, e.g. the TOR_AUTHORITIES constant defined in features/support/config.rb. If any of these fallback directories do not appear in the consensus, we’ll not consider them as ok to contact => test failure for all @check_tor_leaks-tagged scenarios. Apparently they will be hardcoded in Tor’s source, but hopefully we can query this via the control port, otherwise I suppose we’ll have to grep them from the system under testing’s Tor binary (yay!) or something similarly hideous. Or am I missing something?

#4 Updated by intrigeri 2016-04-15 04:39:39

Status changed from Confirmed to In Progress
Parent task set to ~~Feature #11351~~

#5 Updated by intrigeri 2016-04-15 04:51:07

Assignee changed from intrigeri to anonym

>> anonym: given what I wrote in the description, I think we don’t need to disable that new feature, but we’ll need to update the design doc accordingly. What do you think?

> I agree.

OK, filed ~~Feature #11352~~ about it.

> However, I wonder if we have to rethink how we decide which nodes are ok to contact, e.g. the TOR_AUTHORITIES constant defined in features/support/config.rb. If any of these fallback directories do not appear in the consensus, we’ll not consider them as ok to contact => test failure for all @check_tor_leaks-tagged scenarios. Apparently they will be hardcoded in Tor’s source, but hopefully we can query this via the control port, otherwise I suppose we’ll have to grep them from the system under testing’s Tor binary (yay!) or something similarly hideous. Or am I missing something?

My understanding is that indeed, this is a realistic failure mode for our test suite. I seems that this problem will rarely happen, since fallback directory mirrors are picked from the set of relays, so in general they should be in the consensus. But still, let’s avoid adding one more cause for test suite fragility.

I doubt the control port will give us access to that info, so it might be that we need to include src/or/fallback_dirs.inc in the SquashFS, and to read+parse it while running the test suite.

If you think that’s doable, please file a subtask of ~~Feature #11351~~ that would be dedicated to updating these test suite aspects, and then close this very ticket.

If you think it’s not OK, then let’s discuss it further here.

#6 Updated by anonym 2016-04-25 03:56:03

Assignee changed from anonym to intrigeri

OTOH, since the plan seems to be to run our own Tor network via Chutney in our test suite (~~Feature #9521~~) we won’t run any fallback directories unless we explicitly want to, and will therefore be able to just ignore this. Right? (At least if we go the path where we have no tests for using the real Tor network, which I am getting more and more convinced is the right idea for similar reasons to this issue.)

#7 Updated by intrigeri 2016-04-25 04:27:13

Target version changed from Tails_2.3 to Tails_2.4

#8 Updated by intrigeri 2016-04-29 02:54:18

Assignee changed from intrigeri to anonym

> OTOH, since the plan seems to be to run our own Tor network via Chutney in our test suite (~~Feature #9521~~) we won’t run any fallback directories unless we explicitly want to, and will therefore be able to just ignore this. Right? (At least if we go the path where we have no tests for using the real Tor network, which I am getting more and more convinced is the right idea for similar reasons to this issue.)

This sounds correct :)

Then I think we can close this ticket.

But then ~~Feature #11351~~ needs to be blocked by ~~Feature #9521~~, to make sure we don’t “temporarily” introduce more robustness issues, no? Or, given Tor tests are disabled on Jenkins anyway, we don’t bother too much, and we’ll deal with such rare false positives ourselves when running the test suite locally. Your call.

#9 Updated by anonym 2016-05-08 03:39:27

Status changed from In Progress to Resolved
Assignee deleted (~~anonym~~)
% Done changed from 0 to 100
QA Check changed from Info Needed to Pass