Tor stream isolation #731
Comments
|
Thanks for the input! |
|
good stuff. not sure of priority or how best to implement/separate. bitcoinj could be modified to use a separate proxy per peer connection, similar to bitcoin-core. I'm not yet familiar with bitsquare p2p stuff, so dunno what makes most sense there. will discuss with @ManfredKarrer when he has time. |
|
related: I was thinking about maybe adding a "tor only" mode to bitcoinj, so it would only connect to .onion bitcoin peers. It seems like that would help with one of the vectors, for users that choose it. |
|
Hi guys! |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Bernd Prünster:
Hi guys! I have rewritten the Java-Tor-bindings to try and support
pluggable transports and I'm currently in the process of
integrating the new code into Bitsquare. I think stream isolation
can be handled fairly transparently. The Apache HTTPClient hack
might require some extra fiddling, but I'm sure it can be done as
well. My strategy would be to open new local proxy ports on-demand
and use authentication as discussed on IRC. Ideally, we'll just
have to keep track of all the ports and the proxies associated with
each port. I'll report back as soon as i have something for you to
test.
Just to make sure we're on the same page, there's no requirement to
have multiple SOCKS ports open if authentication is used. Tor accepts
any authentication info passed to it; the only effect it has is stream
isolation. (I.e. it's not used for authenticating to Tor.)
(If I misinterpreted your message and you already know this, apologies.)
…-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYi7t7AAoJELPy0WV4bWVwz3MP/RbVscihc8IEUkILqCR6Go+D
StbMoqABopcIF6/L1K6QyP/gpNyVzq815Tk10m4kdgwKXg1Fe0V6H+M3aYA/MNgn
lZviJrLhWll1wtRKIKSbAz5aPm+qjSwRBwUa+vi5MvRtRlOBufAlhhV2uR6RlLOo
QwfQZJftkhZfCidKytwsba/jkoVkzFKR45oOgTnfpOko1cbfaPVj06eVrqfvtaiE
NRfS9JtfROjbDofCPsXeKmUOM2CXe7jSuHI2zNEq4O0pnfYvdn2V5WMeRMMO8rhP
Xs7xANU1/c9OWAZBNpHGn3gl2FIq5/1Rxgu6gihyybHba5Wlo3tWfPa4FenjQd25
XRU7/L4nDmogwNgccKDZQGp9mGTXDUFnewWr5FpDel2c7jAiOyGd/NBbOvIyJ0Rj
Y1gVdTlDNHiCdyxbK9Hl/kQb3chr4kKdld+Ccku34wlhNTEWNTHB6DnrbImVMQcv
Gob8Ha8I8xq7fe7XCnhfWy/OveMynm5H6CzeUINXoBt5SYA0oFXbpgSIeG2PptCZ
rX5mGupA3uCw748Im6mg7Zg6O/BKGG51WeVJiYIzYvQgnnfiiM3Z/YHhPjq2tvWf
amUBjJkhi02kMzlcoMWAMeAtD3r2Efa6lvuSGa2eQxr69h5lcSZznNu2eJ/2tygC
izdINONBvRXX5Iovfnsu
=+GSe
-----END PGP SIGNATURE-----
|
|
Thanks for the clarification! I actually was not 100% sure. |
|
I think it might make sense for the direct messages (take offer, trade, dispute) but not for the broadcast messages (relaying messages in the floodfill network). |
|
I've pushed my changed into a bitsquare fork integrating the new network layer including stream isolation support. None of this is tested, though, as I simply don't have the time at the moment. EDIT: Just to clarify: This introduces support, but does not utilise the feature, since I don't know exactly when to enable stream isolation in bitsquare. |
|
@JesusMcCloud Great thanks! I will not have soon time to look at it but will do definitely after our next release! |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Bernd Prünster:
I've pushed my changed into a bitsquare
[fork](https://github.com/JesusMcCloud/bitsquare) integrating the
new network layer including stream isolation support. None of this
is tested, though, as I simply don't have the time at the moment.
Hi, nice work!
Please don't take this comment as a substitute for proper review (I
haven't attempted to do a proper review), but I noticed a couple of
things while skimming your code.
It looks like you're using an MD5 hash as the SOCKS authentication
value:
https://github.com/JesusMcCloud/netlayer/blob/2331270bccb8ee75383000c936
195176aa7a3b08/jtor/core/src/main/java/org/berndpruenster/jtor/mgmt/TorM
anager.java#L226
Since MD5 isn't collision-resistant, I can imagine scenarios where an
attacker who influences the "streamID" field might be able to cause 2
streams to share a Tor circuit when this isn't the behavior that the
application intended. It's probably safer to use SHA256 (or a
similarly collision-resistant hash function) for this. (It's arguably
also possible to just tell application developers to not allow
untrusted input to be used for the streamID, but my experience is that
such advice will be ignored too often to be safe.)
Also, it looks like you're allowing a null streamID to be used to
disable SOCKS auth. This is okay, but I think it would be beneficial
to allow an optional mode to be set (perhaps upon constructing the
TorManager) that causes an exception to be thrown if a null streamID
is passed. This mode would be useful for applications that intend to
always use stream isolation and are trying to prevent unsafe behavior
from being accidentally invoked.
Thanks again for the awesome work!
…-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYmCiTAAoJELPy0WV4bWVwRhEP/AscEgCGwqY410sCVMqkSjSe
6hW7YejCiKlhp8N+UqMs0EG+HFhqotyYYjlbvfCgIUhsxxw8V9Li2LwO04KgLJ5y
B9DJs0AK3Z1gQhERsu+Wta+Tn85TeyO8IrOcCFkcmWSwLEcgft0RRNsSFD/KMPuq
JDe86JopyApcIxV1Z++jqERB92D8gy27rwIi4LSLvcVHQ5URwY9wJb2gcvt4EKHa
j7zyUQJnYQ2LCciLdkb/jltCiTF0M76RgneVGbzIo7WLq2QGRkdDFYo/zYo2udsV
HASzGYP4e0hiWO3Myls96k/bCo5kB/4KAXUBsOwEVpSEen31CcVstYIqduBKE2ly
i1GgoA0668kp7incDtx8QEtgwGalLaxVlNN+R7qFHb5FNUHAa0HMFZ6M8RGZ70Xa
/rIzReZhEnFe7wGxD+660vpdOr8m9Jtq8o/K7EokQsuMuQVgtDsRL7THBDHzQoW0
0TvgkZL68nA4UCbT2Z4ghhUk6+8OYPyWqjogmPpozBg3N6nuwMgt/KSqjZJywnt8
fx+z1u5br9umJ4s3j2S9Xr8XURSQUR8omWT7bgK1UfNqv6j9rUXX3bYmr37YJN7P
XP6Tl/rY9kf/qLwyzb9NU0A2Y+vsmoFLY3A30TdCveqTP8iLPwwpKZ0O3tV5JnTk
orADzfkdvPRxhh5O+6Hd
=VJf6
-----END PGP SIGNATURE-----
|
|
Hi Jeremy, thanks for skimming through the code! |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Bernd Prünster:
Hi Jeremy,
thanks for skimming through the code! I don't see how the usage of
MD5 could be an issue here, but maybe I made some wrong
assumptions. The only reason for using a hash was the fact that it
produces a fixed-length output. Proxy auth only allows for a fixed
number of characters, and since I have no Idea how Tor behaves, if
more than 255 characters are used, I went with a hash. 2¹²⁸
possible streams seemed enough for me, even though this is many
orders of magnitude less than all possible valid SOCKS5 auth
strings. I never gave collision resistance a thought, since I am
having a hard time imagining a scenario where this could be a
problem. I didn't even care to have a one-way function in there. My
only concern was to have a function in there which takes inputs of
arbitrary lengths and produced a (sufficiently long) fixed-length
output—I would probable even be fine with some one-way
function which is reversible up to 255 characters. On the other
hand, MD5 always looks bad at first sight, so it should probably be
avoided in any case.
Let's say that Mallory controls 2 peers on the network, and wants to
make Alice connect to both peers on the same Tor circuit. And let's
say that some input controlled by the peer is used as a component of
the streamID, and that the rest of the data used for the streamID is
known by the peer. Mallory could change the inputs she gives from
each of her 2 peers to produce an MD5 collision, which would result in
both connections going over the same Tor circuit.
This scenario may not always occur, but it's sufficiently plausible
that I think MD5 is unsafe for this purpose, and that SHA256 would be
a better choice.
Cheers!
…-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYmW8WAAoJELPy0WV4bWVwP0sQAIdHpdzDaO+0x+ZY1PuHQ38w
Qc2f3lSBomg2lWTcnoX/OaFEsNeJspOuDd5+um7h8JF+SJ15TDdWJl1mJT3sWmnC
Iy++MlS1TQ+8bWOEUUhVg9qs2Rg1optTqSK0gEIOOcdWGSwhsogk+6RMjhQLijEg
8EOIc4+zcDc/Ml7K8G0rNbz8d9xnFHHEnJCVlfpQGvtPSIrsZxysjSkaSTTvf6t+
SuP3nb3l1lI+kbqviWAEWG7KvBDpScSK9zEWbWFJOtJMUzAIrLFf8LoM4Tso4LZg
i84hz8uYX1I1KVU+qtOfY3a6/bcBeTvXwV43ahTUvoGLyf1TkfsnERmT8FCvjLW2
7pgusD8xweAvSUiDQcI4QjPNaF6D0SeuOl+6AYqmH0HBO2ZOilDMSkQljc48yqYt
NXYev0wbs+1YT6oh+JvNYd5IZoNog4oxdncrXRHOPF1JWgpQ0wuhEXun6B88oBoJ
nu5Fjkk+AqQcERKbiPcftvBZ70X4bNlHmw9/+UK8SHArbloWSumckPbKi5vlbHQn
C5IgtPgD9f7Cj97UZJ6THN6Xh0gpx7SYTq4vAGuGmGsIqzYROebP9F+bTdPMxK8p
YcqegBWIjm8TVjg0cs2h+ojfMVSLN51za4wu351bBqrI8kMIXqleeHLo7LHEHVZn
RO8czBRn569CnTKPZ13U
=FWl6
-----END PGP SIGNATURE-----
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi, is there any news on this front? Cheers!
…-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJY4ZMYAAoJELPy0WV4bWVw8PwQAMlrzzNzxy20XBVueApEDbPQ
QifdyH12NnWXX17CVjo+r6imabDGjI3AqxUP73yQZIq5W96i7zWrCDtrHz5hjT7i
jkG+OM7kdoqbbkVzBCnk4VhjC9Me0U6icD10C5Eq+MJNTvIjgmqz1otNu7B5PMiB
SL/W7UOo6cYXg6Ai8818KnojdibCEnub6QW0PAz0a7FpE+pWQLdQ8/awp/lsIoW9
/zLLcg1s1ciZDF5pzqsJ9mU15su2WgzKQE98TNeuBQrGOHbARzksLdowEERGz7eT
zuNWOOXFu4BkdqgmkQkBJNLvaRv6fToE0GrKhYLYqGX6gQUSV4nGwMVd9mN+VKeA
ySJeZTP2dWGEiy/J4wu4GUsL/Xm2K4R6VcibPKXBIamjp2yVYj8PDL8x4siieLkp
ROTp2CsvvK5hqPP5zwtVe4gf/gL+JJLHN41iLdOzAgYegGNOe22tvji3shpIxV1q
DHwenPAC1Q2GwzJBJOZRCga36Vlq90kf3M9cojBY6aFFpGwrsCptOK8fhL/cPseX
JVMvjON6PM9Kwc1KQ0ftDehaZwot3CyFUZNt6ybo8lvXfv+LOJU43x0Cz6WoohVD
WDrgBKoTh0P06oA2Ei92dI+s1tfhv5i9KnJbjgazVWTReOobMIlmCGSDpYUCV3XB
/jwDU7kOs3M6UJJUyIsr
=geEb
-----END PGP SIGNATURE-----
|
|
Not from my side. Tor improvements are postponed for a later release as atm the DAO has highest priority for me. |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
@JesusMcCloud by the way, while I was looking for Java SOCKS client
libraries, I found 2 others besides the one you're using. I've added
all 3 of them to the Tor wiki:
https://trac.torproject.org/projects/tor/wiki/doc/SupportPrograms#SOCKSL
ibraries
Curious whether you've encountered either of the others (SocksLib and
Smack Proxy), and if so, what the reason was for using the library
that you're using?
(I asked about this on the Bitsquare Matrix channel and was suggested
to ask you here.)
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJY5U6xAAoJELPy0WV4bWVwuBAP/0cPYsTe3wn1xb+UQHzSG72h
9EYmhGY/9kMd1b43I7Gby+rcM1o0Ula7DJ5GqVcJG86UpohjOnkryY29RPzhQNsW
Sbl5hfUPwZQfct2TgeW2kFylvEfK5lpFc7BTAdXdUZ6FNpKgquHM4y3poe/8zgr/
5Cg1xQTIw0chhH2HPFlp+bg9O6nbj67twNbBsH1zkzyTQSyRNWQLFt/vysYOVWvG
2N0XKPCYuxvN0cQuVWQuAATSUwU0ejilUnCgIbgVk5hASHcfMZ7y/I3IFYorxmmh
opwagUFDCxH1muVA/3PezPcZ6K15AcJ/niYFCSszY4XDeGbv9RfsCGQONC+FJn+x
0HpQaU4cCoihU2LqD/J2tboCAwqjjdovB4HnCihqjPEF1CpyGf4OEfzxu4ulBw6h
ikuuXReWfoa7jqSjBOd4LUYf4ZaB0iHRA3nhmYZkCABaP1wssfF9kWcKnb+3d46h
P3FVpgzj+xK4FkmUKzhMU6ZLr97DFlTJHpzGAw6JsP/LlZo+a/jCTrdf8va62Kov
tm2jCImQv1XT0tpN8hUgPNvNRIEMbbHJd+35D93AsEPKXXIqWfmvHQwVv5BuShe0
ayJ6v29FFQO5nuERWvfQZUZp42+N7qoxIaZezGClSCtohqRXWtbeG6K5YwWR5h50
MI1aKudhfYkxJ9WoMVza
=JxkX
-----END PGP SIGNATURE-----
|
|
The main reason for going with jsocks was the simple fact that it flawlessly supported remote DNS lookups. |
|
#971 takes care of the tor-related aspects of this issue. |
|
At the moment, on every startup a new random UUID is generated as streamId and passed to the new netlayer library (see #971). |
|
Looking over the IRC logs linked in this issue, the way to go would be to use unique Stream IDs as follows:
Using a shared stream ID for all |
|
That would require another API where we can pass the stream ID at each new connection attempt. Better even would be that the library just takes a boolean flag indicating that random stream ID should be used for that connection and the library creates the random id. |
|
@JeremyRand: We have @JesusMcCloud 's netlayer library integrated in our develoment branch. In the settings/network there a new "tor network settings" button which opens a popup similar to Tor browsers settings. We use the same default bridges as those are shipped in Tor browser, but of course people can use their custom. If you have time to have a look and help testing would be great. There are still advanced features missing but that's for another release. The most important that pluggable transports are working is achieved. |
|
There's an unfinished draft on the Tor wiki (which is mostly written by Patrick from Whonix) of best practices for Tor-friendly applications. Grep it for "Set a socks user name for stream isolation" to see some useful notes. In particular, that wiki page recommends using SOCKS authentication info that includes both an identity-specific string (e.g. different for 2 different Bisq buy orders) and a string that is randomly generated when the application starts (which isolates multiple instances of the same application, and makes sure that restarting the application will result in new Tor circuits). Usually it's not recommended to use a unique SOCKS authentication string per TCP connection (unless they genuinely correspond to different identities), because doing so puts too much load on the Tor network. |
As far as I can tell, Bitsquare is not using the stream isolation feature of Tor. Stream isolation separates different identities' TCP connections into separate Tor circuits, which makes it more difficult for wiretappers to correlate identities. It would be great to see Bitsquare implement support for stream isolation to improve privacy.
For some context, please see the IRC conversation from today. The brief upshot is that to implement stream isolation, Bitsquare would need to supply a SOCKS5 username/password that uniquely corresponds to each identity that should stay separated to maintain privacy. For example, maybe the SOCKS5 username/password could correspond to a given trade order. (But please do read the IRC conversation for the full context.)
Cheers.
The text was updated successfully, but these errors were encountered: