Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by asn):

 Replying to [comment:10 cypherpunks]:
 > Replying to [comment:9 cypherpunks]:
 > > Why limit the number of onion addresses that can be embedded instead
 of limiting the number of circuits that can be created for onions in a
 single origin?
 >
 > The former should be relatively easy to implement in Tor Browser, while
 the latter would presumably be much more difficult and error prone (if
 implemented by monitoring circuit events on the control port). The simple
 approach of limiting the number of onions seems like it would indirectly
 limit the number of circuits, but reading the above question I'm suddenly
 having doubts. (How quickly can Tor Browser cause more circuits to be made
 by continually retrying just one onion that is failing to rendezvous?)

 I opened #25609 to investigate the issue presented in the last parenthesis
 of this post. It's important because if an attacker can cause Tor to make
 many circuits by continuously retrying a broken onion, this can bypass any
 sort of origin rate-limiting defense.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by asn):

 Here is another attack from IRC arma: An attacker could also setup an
 onion address that redirects you to another onion address which redirects
 you to another onion address ad infinitum. This allows the attacker to
 cause `n` onion loads in series, and if each page has `k` onions, this
 allows attacker to cause `n*k` onion loads. That's both an optimization
 but is also meant to work around any defences that try to restrict onion
 address loads per origin.

 Furthermore, depending on how stream isolation works, the above attack
 could also work with IPs/domain addresses and not just onions.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by mcs):

 Replying to [comment:8 gk]:
 > After some more discussion happened, let's try to fix that on the
 browser side (first). mcs/brade: can you look into it?

 Yes, we can take a look. It would be helpful to develop a better
 understanding of what kind of attack(s) we are trying to prevent. That
 might lead to a better design. For example, do we want to limit the rate
 at which new circuits can be opened or do we just want to refuse to open
 more than N circuits per site? Unfortunately, Kathy and I don't really
 know enough about `tor` and the Tor Network to do that kind of analysis,
 so hints about what should be done would be greatly appreciated.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:10 cypherpunks]:
 > Replying to [comment:9 cypherpunks]:
 > > Why limit the number of onion addresses that can be embedded instead
 of limiting the number of circuits that can be created for onions in a
 single origin?
 >
 > The former should be relatively easy to implement in Tor Browser, while
 the latter would presumably be much more difficult and error prone (if
 implemented by monitoring circuit events on the control port). The simple
 approach of limiting the number of onions seems like it would indirectly
 limit the number of circuits, but reading the above question I'm suddenly
 having doubts. (How quickly can Tor Browser cause more circuits to be made
 by continually retrying just one onion that is failing to rendezvous?)

 Good question. I think we can spend some time figuring that out so we can
 come up with a good plan for fixing this bug.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Replying to [comment:9 cypherpunks]:
 > Why limit the number of onion addresses that can be embedded instead of
 limiting the number of circuits that can be created for onions in a single
 origin?

 The former should be relatively easy to implement in Tor Browser, while
 the latter would presumably be much more difficult and error prone (if
 implemented by monitoring circuit events on the control port). The simple
 approach of limiting the number of onions seems like it would indirectly
 limit the number of circuits, but reading the above question I'm suddenly
 having doubts. (How quickly can Tor Browser cause more circuits to be made
 by continually retrying just one onion that is failing to rendezvous?)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by cypherpunks):

 Why limit the number of onion addresses that can be embedded instead of
 limiting the number of circuits that can be created for onions in a single
 origin?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
-+-
 Reporter:  gacar|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Tor:
 |  unspecified
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  guard-discovery, |  Actual Points:
  TorBrowserTeam201803   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * cc: mcs, brade (added)
 * keywords:  guard-discovery => guard-discovery, TorBrowserTeam201803


Comment:

 Replying to [comment:7 gk]:
 > Replying to [comment:6 asn]:
 > > How should we proceed here? Leif suggested we introduce a
 `Max3rdPartyOnions` option ''to limit the number of onion addresses that
 an origin is allowed to cause the browser to make connections to''.
 > >
 > > Do we think this is a reasonable approach? And what should the default
 value be? Can we add this to our TB roadmap in some capacity?
 >
 > You mean this should be fixed on the browser side? It seems to me having
 a patch in tor makes more sense.

 After some more discussion happened, let's try to fix that on the browser
 side (first). mcs/brade: can you look into it?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
--+--
 Reporter:  gacar |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:  Tor: unspecified
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  guard-discovery   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:6 asn]:
 > How should we proceed here? Leif suggested we introduce a
 `Max3rdPartyOnions` option ''to limit the number of onion addresses that
 an origin is allowed to cause the browser to make connections to''.
 >
 > Do we think this is a reasonable approach? And what should the default
 value be? Can we add this to our TB roadmap in some capacity?

 You mean this should be fixed on the browser side? It seems to me having a
 patch in tor makes more sense.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
--+--
 Reporter:  gacar |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:  Tor: unspecified
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  guard-discovery   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by asn):

 How should we proceed here? Leif suggested we introduce a
 `Max3rdPartyOnions` option ''to limit the number of onion addresses that
 an origin is allowed to cause the browser to make connections to''.

 Do we think this is a reasonable approach? And what should the default
 value be? Can we add this to our roadmap in some capacity?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
--+--
 Reporter:  gacar |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:  Tor: unspecified
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  guard-discovery   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by mikeperry):

 * milestone:   => Tor: unspecified


Comment:

 Unlike the generic or custom-built Tor client case (CDNs and status
 pingers will likely customize their Tor client for performance), Tor
 Browser specifies a SOCKS username and password for url bar domain
 isolation. When this u+p is set, we should be able to safely limit the
 number of onion hostnames for a single SOCKS username + password to some
 low number (5? 10?).

 Do we need a separate limit if third party hidden services are malicious
 and deliberately fail either HSDIR, IP, or RP attempts in a way that
 causes the client to retry them? Maybe there should be a total rend
 circuit limit per SOCKS u+p?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
--+--
 Reporter:  gacar |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  guard-discovery   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gacar):

 * keywords:   => guard-discovery


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
--+--
 Reporter:  gacar |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by teor):

 Replying to [ticket:20212 gacar]:
 > Maybe Tor (or Tor Browser) could cap the number of new circuits opened
 within a time window. I can't think of a realistic use case for loading
 resources from tens of different hidden services.

 Here are two:
 * Checking the status of many hidden services
 * CDNs or other load-balancing techniques

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20212 [Applications/Tor Browser]: Tor can be forced to open too many circuits by embedding .onion resources

[Tor Bug Tracker & Wiki]

#20212: Tor can be forced to open too many circuits by embedding .onion 
resources
--+--
 Reporter:  gacar |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by nickm):

 * owner:   => tbb-team
 * component:  Core Tor/Tor => Applications/Tor Browser


Comment:

 I can't think of a solution here that isn't imposing an upper limit on the
 total number of .onion hostnames referenced from one page?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs