Feature #9114
Investigate Tor Browser 4.5's new circuit lifetime behaviour
100%
Description
For various reasons, Tor Browser 4.5 raises MaxCircuitDirtiness to 2 hours:
- https://trac.torproject.org/projects/tor/ticket/13766
- https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=824116042a03683ae20fa6e7d0768d8fd6fd6f95
It makes sense since that version has per-tab / per-top-level-domain / something circuit isolation. They can easily do it since their tor is only meant to be used by the browser.
Does our current circuit isolation setup allow us to safely do the same globally? If not, then this issue might raise a few non-trivial ones, so better answer this question ASAP => hence the >normal priority.
Subtasks
History
#1 Updated by anonym 2015-03-31 14:49:24
> Does our current circuit isolation setup allow us to safely do the same globally?
Let’s look at our current configuration:
## Defaulut SocksPort
SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
## SocksPort for the MUA
SocksPort 127.0.0.1:9061 IsolateDestAddr
## SocksPort for Tails-specific applications
SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
## SocksPort for the default web browser
SocksPort 127.0.0.1:9150
So, let’s assume that the Tor Browser people have correctly analysed the implications of raising MaxCircuitDirtiness
like that for Tor Browser 4.5, and then try to argue that our stream isolation configuration is at least as strong, or something like that. So, Tor Browser 4.5 “isolate[s] all requests from the same url domain”, which is strikingly similar to IsolateDestAddr
. The key thing is to determine how they relate to each other (also versus their respective contexts, i.e. only in the browser vs. for all applications), but for now, let’s assume they are the same. Then we’re fine, except for 9150
, but only users that explicitly configure some application to use this SocksPort
would be affected. We could document that it shouldn’t be done, but I doubt it would be read. I think we’ll have to live with that risk until we run the browser as a separate user, and then we can solve it with iptables/netfilter rules.
Next I’d like to make the point that any attempt at identity separation for accounts on the same service based on the lifetime of Tor’s circuits is very weak. The default of ten minutes is already plenty for users to screw up if they don’t take precautions and e.g. force a new identity through Torbutton or Vidalia (or restart Tails, as I believe we recommend). I doubt bumping the MaxCircuitDirtiness
above ten minutes has much implications for this — a user that has ignored our docs is impatient and should be expected to switch identity without delay (or even use them concurrently). Actually, I don’t think any technical solution will be effective for this problem; perhaps I’m going too theoretical, but the pattern of logging in for a while to some account A, and then logging in to an account B (same service) with a new Tor circuit gets pretty obvious over time.
Am I missing something here? Why do we want short circuit lifetimes? On the face of it, longer circuit lifetime => fewer circuits are used in total => lower chance to use a compromised circuit, which is a good thing.
Any way, I still think there’s value in comparing the “isolate all requests from the same url domain” in the Tor Browser context with IsolateDestAddr
in all applications’ context. To me they look the same. Any other opinions? Otherwise I’d say we might go for it.
#2 Updated by intrigeri 2015-04-01 12:34:58
As said to anonym already, there’s been more discussion upstream:
- https://trac.torproject.org/projects/tor/ticket/13766
- https://trac.torproject.org/projects/tor/ticket/15482
- the https://lists.torproject.org/pipermail/tor-dev/2015-March/008548.html thread
… and as anonym noted then, apparently they’re going with patching little-t-tor :(
#3 Updated by intrigeri 2015-04-25 05:52:32
Tor Browser 4.5 is almost out of the door, and AIUI it indeed patches little-t-tor. I think this should be treated with high priority now.
#4 Updated by anonym 2015-04-28 00:29:10
- Subject changed from Investigate raising MaxCircuitDirtiness to Investigate Tor Browser 4.5's new circuit lifetime behaviour
- Feature Branch set to feature/9114-tor-with-bug15482.patch
We have two options only, I think:
The first one is to ignore the situation. In that case Tails’ browser can be distinguished from the Tor Browser for long sessions, and we don’t get the usability benefits (for sites that break when the circuit switches) from Tor bug Feature #15482.
The second option is to apply bug15482.patch (Tor Browser 4.5-build5 version) to our Tor. This won’t add much of a maintenance burden since we build Tor any way, and the Tor Browser people will keep the patch synced with the Tor versions we’re gonna use (until there’s an upstream solution). The biggest issue is that it applies this new behaviour whenever a SOCKS username and/or password is set to all SocksPort
s, not just the browser’s SocksPort
. OTOH, we do not use stream isolation based on SOCKS username/password ourselves, so we’d only have to worry about users that actually know about this rather arcane Tor stream isolation feature and configures it for some application. The only effect this would have then is that those circuits would become longer-lived than these users might expect, and I fail to see why that would be a problem (see my reasoning in Feature #9114#note-1).
I’ve built such a patched Tor and uploaded it to the feature branch, and I’m gonna run the relevant parts of the automated test suite. To be continued…
(Spoiler: I think we should apply bug15482.patch to our Tor.)
#5 Updated by anonym 2015-04-28 11:31:46
anonym wrote:
> I’ve built such a patched Tor and uploaded it to the feature branch, and I’m gonna run the relevant parts of the automated test suite. To be continued…
For my manual tests of the expected new behaviour of Tor with this patch applied, I ran this silly code:
while true; do
curl --socks4 127.0.0.1:9150 --proxy-user $USER:$PASSWORD https://check.torproject.org 2>/dev/null | \
sed -n 's,^.*Your IP address appears to be: <strong>\([0-9\.]*\)</strong>.*,\1,p' || \
echo "fail"
sleep 60
done
I ran two instances, one with --proxy-user
and one without, and the results were as expected; the one with it reported the same exit node (and hence very likely the same circuit — I only verified that the exact same circuit was used at the start and end of my test) for the full hour I was running the test, and the one without switched every 10 minutes.
As for automated tests, I ran tor*.feature
successfully except that the bridge and gobby tests fail, as expected.
#6 Updated by intrigeri 2015-04-29 07:19:02
> The biggest issue is that it applies this new behaviour whenever a SOCKS username and/or password is set to all SocksPort
s, not just the browser’s SocksPort
. OTOH, we do not use stream isolation based on SOCKS username/password ourselves,
I hope we don’t have to use SOCKS user+password ourselves in the future. If we do, then we should lobby for the upcoming Tor option to be available as an isolation flag (that we could enable for our dedicated Tor Browser SOCKS port only), rather than as a global torrc
option.
> so we’d only have to worry about users that actually know about this rather arcane Tor stream isolation feature and configures it for some application.
Users… and applications! Note that things like parcimonie may soon start using SOCKS user+password, so they’ll be affected too. However, they’ll be using it to force new circuits, so there should be no problem in practice.
> and I fail to see why that would be a problem (see my reasoning in Feature #9114#note-1).
I wasn’t convinced when reading it initially (if a longer default circuit lifetime was that innocuous, why isn’t tor setting the default to a higher value?), but it seems to be a detail given where we’re heading to, so I won’t spend more time on it now. We’ll come back to it if we really have to.
> (Spoiler: I think we should apply bug15482.patch to our Tor.)
After reading https://trac.torproject.org/projects/tor/ticket/15482 and corresponding discussion on tor-talk, I fully agree… especially given an upstream solution is being worked on, and has good chances (I guess) to land some day.
#7 Updated by anonym 2015-04-29 11:38:47
- Status changed from Confirmed to In Progress
- Assignee deleted (
anonym) - % Done changed from 0 to 50
- QA Check set to Ready for QA
- Type of work changed from Research to Code
intrigeri wrote:
> > The biggest issue is that it applies this new behaviour whenever a SOCKS username and/or password is set to all SocksPort
s, not just the browser’s SocksPort
. OTOH, we do not use stream isolation based on SOCKS username/password ourselves,
>
> I hope we don’t have to use SOCKS user+password ourselves in the future. If we do, then we should lobby for the upcoming Tor option to be available as an isolation flag (that we could enable for our dedicated Tor Browser SOCKS port only), rather than as a global torrc
option.
>
> > so we’d only have to worry about users that actually know about this rather arcane Tor stream isolation feature and configures it for some application.
>
> Users… and applications! Note that things like parcimonie may soon start using SOCKS user+password, so they’ll be affected too. However, they’ll be using it to force new circuits, so there should be no problem in practice.
>
> > and I fail to see why that would be a problem (see my reasoning in Feature #9114#note-1).
>
> I wasn’t convinced when reading it initially (if a longer default circuit lifetime was that innocuous, why isn’t tor setting the default to a higher value?), but it seems to be a detail given where we’re heading to, so I won’t spend more time on it now. We’ll come back to it if we really have to.
Interesting post about this made by Roger: https://lists.torproject.org/pipermail/tor-talk/2014-October/035219.html
> > (Spoiler: I think we should apply bug15482.patch to our Tor.)
>
> After reading https://trac.torproject.org/projects/tor/ticket/15482 and corresponding discussion on tor-talk, I fully agree… especially given an upstream solution is being worked on, and has good chances (I guess) to land some day.
Indeed. I’ve merged this branch into feature/8925-tor-0.2.6
branch, so once it’s merged to close Feature #7934 (yeah the branch name isn’t ideal any more…) we can close this ticket too.
#8 Updated by anonym 2015-04-29 11:39:04
- blocked by
Feature #7934: Upgrade to Tor 0.2.6.x added
#9 Updated by anonym 2015-04-29 11:40:37
- Feature Branch changed from feature/9114-tor-with-bug15482.patch to feature/8925-tor-0.2.6
#10 Updated by intrigeri 2015-04-30 08:09:14
> Interesting post about this made by Roger: https://lists.torproject.org/pipermail/tor-talk/2014-October/035219.html
Indeed, that’s interesting. The “ten minutes is probably way too long” point probably doesn’t affect us much, given our circuit isolation configuration.
#11 Updated by anonym 2015-04-30 10:02:02
- % Done changed from 50 to 100
#12 Updated by intrigeri 2015-05-01 10:00:11
- Status changed from In Progress to Fix committed
Applied in changeset commit:e88f3b27b295e745eb31af186fc48879bc4a1ca0.
#13 Updated by BitingBird 2015-05-01 10:13:59
- QA Check changed from Ready for QA to Pass
#14 Updated by BitingBird 2015-05-12 18:42:43
- Status changed from Fix committed to Resolved