On Mon, Jan 03, 2011 at 04:06:44PM +0100, anonym wrote:
> One issue for anonymity-oriented LiveCDs (such as T(A)ILS[1] and Liberté
> Linux[2]) is the system time. Tor requires a reasonably correct system
> time, otherwise no circuits will be opened. This is a major problem for
> these LiveCDs since they generally route all traffic through Tor
> transparently (using netfilter/iptables and the like) so no Tor circuits
> implies no network access for the user.
>
> Liberté Linux has a novel solution to this problem[4] -- it sets the
> system time according to the Tor consensus' valid-after/until values,
> which essentially removes Tor's time skew check. We T(A)ILS developers
> are tempted to implement the same solution, but first we'd like to ask
> here if this is safe, or if it opens up for any unexpected type of
> attacks or problems.

Whether this is a good idea depends on where you got the consensus.

If you connect to a Tor directory mirror and it hands you a consensus from last month, and you set your clock based on it, then you've opened yourself up to exactly the attack that Tor is trying to defend against.

If your Tor fetches its consensus from a directory authority, you're in better shape, insofar as the directory authorities are probably not your adversaries. Relays do these directory fetches in the clear, though, due to an earlier bug:
https://trac.torproject.org/projects/tor/ticket/827
so we're back to the authentication and integrity question there. Clients set up a TLS connection first and tunnel their directory fetches over it, so they're in slightly better shape. Do your LiveCD users always have both ORPort set to 0?

The better answer is for Tor clients to read the time out of the NETINFO cells that are part of the v2 connection handshake we added in Tor 0.2.0.x. See section 4.2 of tor-spec.txt:
https://git.torproject.org/tor/doc/spec/tor-spec.txt

Using the data in NETINFO cells has been sitting on the todo list for a while:
https://git.torproject.org/tor/doc/spec/proposals/149-using-netinfo-data.txt
but nobody's moved it forward. Perhaps somebody wants to pick this up and do it? :)

Also, ideally you want to get an opinion from more than one directory authority. One design that I could imagine would be to, if we find a directory mirror or entry guard whose time disagrees with us, connect to a directory authority to get a stronger opinion. If the directory authority also disagrees, connect to a threshold of directory authorities and then memorize our relative clock skew based on the majority vote.

Potential complications include "what threshold should you require" and "what if you can't reach the directory authorities directly because you're in a censored area".
Maybe in the latter case you should just believe your bridge's clock, because it's the one giving you the directory information anyway -- depends if the user wants her Tor to fail open (reachability) or fail closed (safety).

--Roger
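
The escalation design sketched in the message above (peer disagrees, ask one authority, then a threshold of authorities, then fail open or closed), written out as an added example; it is not part of the original e-mail and not Tor's code. The function names, the 30-minute tolerance, the quorum of 5 and all offsets are assumptions constructed for illustration; the message itself leaves the threshold open.

```python
from statistics import median

TOLERANCE = 30 * 60  # assumed: offsets within 30 minutes count as agreement
THRESHOLD = 5        # assumed quorum; the message leaves the threshold open

def majority_skew(offsets, threshold=THRESHOLD, tolerance=TOLERANCE):
    """offsets: (authority_time - local_time) in seconds, one per authority
    reached. Returns the median of the largest group of offsets lying within
    `tolerance` of one of them, or None when fewer than `threshold` agree."""
    best = []
    for anchor in offsets:
        cluster = [o for o in offsets if abs(o - anchor) <= tolerance]
        if len(cluster) > len(best):
            best = cluster
    return median(best) if len(best) >= threshold else None

def decide_skew(peer_offset, authority_offsets, bridge_offset=None,
                fail_open=False):
    """Returns (skew_seconds or None, reason)."""
    # Step 1: the mirror or guard agrees with the local clock.
    if abs(peer_offset) <= TOLERANCE:
        return 0, "local clock accepted"
    # Step 2: one directory authority gives a stronger opinion.
    if authority_offsets and abs(authority_offsets[0]) <= TOLERANCE:
        return 0, "authority agrees with local clock; peer time rejected"
    # Step 3: poll a threshold of authorities and take the majority view.
    skew = majority_skew(authority_offsets)
    if skew is not None:
        return skew, "skew memorized from authority majority"
    # No quorum, e.g. authorities unreachable from a censored network.
    if fail_open and bridge_offset is not None:
        return bridge_offset, "fail open: bridge clock believed"
    return None, "fail closed: no trusted time source"

if __name__ == "__main__":
    MONTH = 30 * 86400
    # Constructed: a mirror serving month-old data, authorities agree with us.
    print(decide_skew(-MONTH, [5, -12, 40, 8, -3, 20]))
    # Constructed: local clock two hours slow, one outlier authority.
    print(decide_skew(7200, [7200, 7195, 7210, 7190, 7205, -86400]))
    # Constructed: no authority reachable, bridge reports +2h.
    print(decide_skew(7200, [], bridge_offset=7200, fail_open=True))
    print(decide_skew(7200, [], bridge_offset=7200, fail_open=False))
```

In the first case the stale peer is overruled and the local clock is kept; in the second the single outlier authority cannot move the result because it falls outside the agreeing group.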

