Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
All that would do would be to say to all clients, Don't include this node in the same circuit as any of the blutmagie nodes. How would that be an attack? I can list all the nodes I don't control... *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 08:23:34 +0200 (CEST) Sebastian Hahn m...@sebastianhahn.net wrote: All that would do would be to say to all clients, Don't include this node in the same circuit as any of the blutmagie nodes. How would that be an attack? I can list all the nodes I don't control... What is the limit on line length for such a MyFamily statement? What is the limit on descriptor length? Listing ~1500 nodes sounds like the sort of thing that wouldn't work very well. Also, my other question remains: what would stop me from listing nodes that I don't control in a MyFamily statement now? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Roger Dingledine wrote: On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote: Original Message Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General Date: Mon, 17 May 2010 13:46:04 +0200 From: Perfect Privacy Administration ad...@perfect-privacy.com Organization: PP Internet Services [snip] A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a BelongingToFamily entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same BelongingToFamily entry (e.g. BelongingToFamily xyz) belongs to the family xyz. That way one wouldn't have to enumerate all server names in the MyFamily section of each and every individual torrc file what causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing. The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this. In situations like Perfect Privacy's where there are a significant number of nodes that are dynamically changing. which all need to be in one family, the basic proposal seems useful enough that I wonder if it can be rehabilitated to take care of the concerns Roger just expressed. So let me just float an idea here that maybe others can flesh-out/simplify/correct ... What if families could be declared by giving them a name (say XYZ123) and publishing a public key for them. Then to add a node to the family, the server operator would issue a BelongToFamily XYZ123 declaration that is somehow signed by the corresponding private key. If the details can be worked out correctly, then only the person/organization with access to the private key can add servers to that family. I think that would take care of Roger' concern about relay operators adding their server to others' families. If this is too much information to reasonably contain in a torrc file, then perhaps it could be included in a separate file. Either one the Tor client automatically looks for or one referenced in torrc. Does anything like that seem viable? Maybe the developers can comment about the doability and whether it addresses all of the security concerns?And maybe Perfect Privacy can somehow be pulled into the conversation to see if such a thing would be useful for people in their situation. Jim P.S. The above was written while off-line. After seeing the newer posts, I realize my proposal might essentially be the same as The23rdRaccoon's. I am not sure. But I don't remember seeing anything about using a signature to limit who could add themselves to a family in Bruce's original proposal. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On 20.05.2010 06:25, Roger Dingledine wrote: The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. Maybe it is a misunderstanding on my side, but I agree with Scott. How could this influence the network in a way that one can speak of an attack? My idea was that by stating a family, I say that *my node* musn't be used in a circuit together with other members of that family, no more, no less. So, by misconfiguring the family on my side, I cannot hurt the network more than (in the extreme) by running no node at all. -- Moritz Bartl GPG 0xED2E9B44 http://moblog.wiredwings.com/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On 5/20/10, Moritz Bartl t...@wiredwings.com wrote: On 20.05.2010 06:25, Roger Dingledine wrote: The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. Maybe it is a misunderstanding on my side, but I agree with Scott. How could this influence the network in a way that one can speak of an attack? My idea was that by stating a family, I say that *my node* musn't be used in a circuit together with other members of that family, no more, no less. So, by misconfiguring the family on my side, I cannot hurt the network more than (in the extreme) by running no node at all. I too do not understand this. Already an evil entry node can list all nodes that it does _not_ control in its family option to try to force circuit through the nodes it controls, though it would obviously be a dead give away listing many unrelated nodes as within the family. Is there a check when a node declares itself to be in a family the descriptor of the other family members are checked to confirm? Regards Oguz *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Though I appreciate Jim's signature proposal, that could become difficult and convoluted to implement quite quickly. I think that perfectprivacy's initial suggestion was actually quite compelling: allow ``#include'' type statements to be used in a torrc. Currently, an operator of multiple relays has to edit the actual torrc of all the relays, which is probably quite fiddly, because they are all slightly different. With includes, the operator would only have to edit the ``master family'' file, and upload that to the relevant directory on all their nodes, a much simpler process. Moreover, includes are much easier to code than any sort of key verification system. It seems like includes are a relatively simple solution to a relatively simple problem.
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
The trick is that both parties need to list each other as family for this to work. As per the man page.. When two servers both declare that they are in the same 'family'... The attacker would need to be listed in every other relay's torrc for the attack you described to work. I'm pretty sure listing relays you don't control has no effect. -Damian On Wed, May 19, 2010 at 11:29 PM, Scott Bennett benn...@cs.niu.edu wrote: On Thu, 20 May 2010 08:23:34 +0200 (CEST) Sebastian Hahn m...@sebastianhahn.net wrote: All that would do would be to say to all clients, Don't include this node in the same circuit as any of the blutmagie nodes. How would that be an attack? I can list all the nodes I don't control... What is the limit on line length for such a MyFamily statement? What is the limit on descriptor length? Listing ~1500 nodes sounds like the sort of thing that wouldn't work very well. Also, my other question remains: what would stop me from listing nodes that I don't control in a MyFamily statement now? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Oops, apologies - didn't realize this had already been answered. (a pox upon thread forking...) On Thu, May 20, 2010 at 7:03 AM, Damian Johnson atag...@gmail.com wrote: The trick is that both parties need to list each other as family for this to work. As per the man page.. When two servers both declare that they are in the same 'family'... The attacker would need to be listed in every other relay's torrc for the attack you described to work. I'm pretty sure listing relays you don't control has no effect. -Damian On Wed, May 19, 2010 at 11:29 PM, Scott Bennett benn...@cs.niu.eduwrote: On Thu, 20 May 2010 08:23:34 +0200 (CEST) Sebastian Hahn m...@sebastianhahn.net wrote: All that would do would be to say to all clients, Don't include this node in the same circuit as any of the blutmagie nodes. How would that be an attack? I can list all the nodes I don't control... What is the limit on line length for such a MyFamily statement? What is the limit on descriptor length? Listing ~1500 nodes sounds like the sort of thing that wouldn't work very well. Also, my other question remains: what would stop me from listing nodes that I don't control in a MyFamily statement now? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
[snip] The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this. Could there perhaps be some way of making a private key of some sort for a family? i.e instead of listing all the members of a family on all nodes and having to update them all the time, one could.. make a private family key and copy it and put it in the config of all nodes in the family? signature.asc Description: This is a digitally signed message part.
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 12:31:17 +0200 Moritz Bartl t...@wiredwings.com wrote: On 20.05.2010 06:25, Roger Dingledine wrote: The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. Maybe it is a misunderstanding on my side, but I agree with Scott. How could this influence the network in a way that one can speak of an attack? My idea was that by stating a family, I say that *my node* musn't be used in a circuit together with other members of that family, no more, no less. So, by misconfiguring the family on my side, I cannot hurt the network more than (in the extreme) by running no node at all. Exactly. Thank you, Moritz. Roger just didn't read what Bruce wrote. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
In the meantime, perfect-privacy.com should advise this list as soon as its torrc files are in compliance, while the rest of us should feel free to use the NodeFamily information I posted earlier with, apparently, the addition of 17 more node fingerprints that I missed when I grepped the directory for the email address from the contact info. The entries should be fine now. Robert On May 18, 2010, at 6:22 AM, Scott Bennett wrote: On Mon, 17 May 2010 21:44:21 +0200 Moritz Bartl t...@wiredwings.com wrote: What I did was just file a report at the company's website. It took them only minutes to get back to me. Scott, I don't know why, but you probably didn't get their response in the first place. No, I certainly didn't. Also, they should have received a bounce message. Bruce neglected to mention whether he had gotten one. I've long thought that every node Family should have a Family name, but his suggestion for the actual form of the MyFamily statement is better than what I had been thinking of. I heartily recommend that it be adopted and implemented ASAP. In the meantime, perfect-privacy.com should advise this list as soon as its torrc files are in compliance, while the rest of us should feel free to use the NodeFamily information I posted earlier with, apparently, the addition of 17 more node fingerprints that I missed when I grepped the directory for the email address from the contact info. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote: Original Message Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General Date: Mon, 17 May 2010 13:46:04 +0200 From: Perfect Privacy Administration ad...@perfect-privacy.com Organization: PP Internet Services [snip] A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a BelongingToFamily entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same BelongingToFamily entry (e.g. BelongingToFamily xyz) belongs to the family xyz. That way one wouldn't have to enumerate all server names in the MyFamily section of each and every individual torrc file what causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing. The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this. --Roger *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
On Thu, 20 May 2010 00:25:33 -0400 Roger Dingledine a...@mit.edu wrote: On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote: Original Message Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General Date: Mon, 17 May 2010 13:46:04 +0200 From: Perfect Privacy Administration ad...@perfect-privacy.com Organization: PP Internet Services [snip] A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a BelongingToFamily entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same BelongingToFamily entry (e.g. BelongingToFamily xyz) belongs to the family xyz. That way one wouldn't have to enumerate all server names in the MyFamily section of each and every individual torrc file what causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing. The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. How would that be any different from me adding a MyFamily statement of the current form to my node's torrc that included all four blutmagie nodes? We need to have each set of relays in a family declare the others, or it's open to attacks like this. All that would do would be to say to all clients, Don't include this node in the same circuit as any of the blutmagie nodes. How would that be an attack? Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/