Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On 19 May (13:55:37), Nick Mathewson wrote: > On Wed, May 13, 2020 at 10:09 AM David Goulet wrote: > > > > On 11 May (16:47:53), Nick Mathewson wrote: [snip] > > So thus, I personally will argue that moving v2 to ntor is really not the > > right thing to do. Onion service v2 are, at this point in time, _dangerous_ > > choice for the users. [snip] > > The main reason I wrote this proposal is this: Any deprecation will > probably cause a few users to stick with the old versions of the code > for as long as they still work on the network, even if those versions > become unsupported and insecure. (After all, people who listen to our > advice about what is secure and what isn't have already stopped using > v2 onion services.) . I don't believe at any point since v3 is stable we made public statement through our TPO channels that v2 should not be used anymore. > > Is it time to start this deprecation? If so we need to start working > on a timeline, and I agree with Teor that we'd need to figure out how > that timeline would work with any walking onions timeline. One easy timeline here would be "No v2 support in walking onions means deprecation for v2 by the time the entire network updates". But apart from that, yes we should work on a timeline and it should not be a complicated one nor eternally long to deploy. > > One possible role for this proposal is to be kept in reserve, in case > somebody feels so strongly that they want v2 services to work that > they want to maintain them themselves, or pay for somebody else to do > it. If so, we can indicate this proposal as "the right way to keep v2 > services working without TAP", make it clear that we don't plan to > implement it, and move along. Honestly, I really don't think we should even provide or mention a possible path with an option where v2 can stay alive... Regardless of threat modelling or v2 use cases or large community of users, the basic fact that the crypto is *dangerously* out of date with RSA1024 and truncated SHA-1 is just something we have to _stop_ using. I see this not only about TAP. I'll say it and say it again and again, today, in 2020, v2 is _dangerous_ and it is our responsibility at this point to make sure it goes away sooner than later for the safety of Tor's users. Cheers! David -- 2dLUG6IluthaObnf5+xfKeuu4WDC9xYQHzFNeGRqvzw= signature.asc Description: PGP signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
Hi there, > On 19. May 2020, at 19:55, Nick Mathewson wrote: > If we do decide to finally deprecate v2 onion services, that would be > a significant maintenance burden reduced for us, but we'd have to > handle the transition carefully. Unlike all the other migrations > we've done, there isn't a drop-in path to get the same functionality > or keep the same identities with v3 onion services. (And the problem > is that there _can't_ be: the identities are strongly tied to > 80-bit-truncated-SHA1 and RSA-1024, and the lack of key blinding makes > them enumerable.) I would be exstatic about not having V2 onions around anymore. This would reduce a huge attack vector that incentivizes people to set up malicious relays, which causes huge amounts of time lost, the relays shouldn't have this opportunity to harvest onions, etc. > The main reason I wrote this proposal is this: Any deprecation will > probably cause a few users to stick with the old versions of the code > for as long as they still work on the network, even if those versions > become unsupported and insecure. (After all, people who listen to our > advice about what is secure and what isn't have already stopped using > v2 onion services.) . I kind of don't buy the statement in the parentheses, we don't seem to discourage v2 strongly at all afaict. Or is there a warning when you use it or connect to it, for example? A question, is the HSDir flag for both v2 and v3 onions? If not we could just take that away to break v2 at some point. > Is it time to start this deprecation? If so we need to start working > on a timeline, and I agree with Teor that we'd need to figure out how > that timeline would work with any walking onions timeline. I think it should have been started a while ago :) > What do others think? Cheers Sebastian ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On Wed, May 13, 2020 at 10:09 AM David Goulet wrote: > > On 11 May (16:47:53), Nick Mathewson wrote: > > Hello! > > > ``` > > Filename: 320-tap-out-again.md > > Title: Removing TAP usage from v2 onion services > > Author: Nick Mathewson > > Created: 11 May 2020 > > Status: Open > > ``` > > > > (This proposal is part of the Walking Onions spec project. It updates > > proposal 245.) > > > > # Removing TAP from v2 onion services > > > > As we implement walking onions, we're faced with a problem: what to do > > with TAP keys? They are bulky and insecure, and not used for anything > > besides v2 onion services. Keeping them in SNIPs would consume > > bandwidth, and keeping them indirectly would consume complexity. It > > would be nicer to remove TAP keys entirely. > > > > But although v2 onion services are obsolescent and their > > cryptographic parameters are disturbing, we do not want to drop > > support for them as part of the Walking Onions migration. If we did > > so, then we would force some users to choose between Walking Onions > > and v2 onion services, which we do not want to do. > > I haven't read the entire proposal so I won't comment on its technical aspect. > I was reading and got here and that made me very uncertain about the whole > proposal itself. > > I will propose that we revisit the overall idea of changing v2 here. > > I personally think this is the wrong approach. Onion services v2 should be > deprecated as in removed from the network instead of being offered as a choice > to the users. > > We haven't properly done a deprecation path yet for v2 primarly due to our > lack of time to do so. But at this point in time, where the network is 100% > composed of relays supporting v3 now (which took 3+ years to get there), it is > time for v2 to not be presented as a choice anymore. > > It is a codebase that is barely maintained, no new features are being added to > it and thus moving it to ntor means another at least 3 years of network > migration. This would mean a major new feature in that deprecated code base... > > So thus, I personally will argue that moving v2 to ntor is really not the > right thing to do. Onion service v2 are, at this point in time, _dangerous_ > choice for the users. Hi, David! I'm sympathetic to this point of view: I certainly don't like carrying around old code either. If we do decide to finally deprecate v2 onion services, that would be a significant maintenance burden reduced for us, but we'd have to handle the transition carefully. Unlike all the other migrations we've done, there isn't a drop-in path to get the same functionality or keep the same identities with v3 onion services. (And the problem is that there _can't_ be: the identities are strongly tied to 80-bit-truncated-SHA1 and RSA-1024, and the lack of key blinding makes them enumerable.) The main reason I wrote this proposal is this: Any deprecation will probably cause a few users to stick with the old versions of the code for as long as they still work on the network, even if those versions become unsupported and insecure. (After all, people who listen to our advice about what is secure and what isn't have already stopped using v2 onion services.) . Is it time to start this deprecation? If so we need to start working on a timeline, and I agree with Teor that we'd need to figure out how that timeline would work with any walking onions timeline. One possible role for this proposal is to be kept in reserve, in case somebody feels so strongly that they want v2 services to work that they want to maintain them themselves, or pay for somebody else to do it. If so, we can indicate this proposal as "the right way to keep v2 services working without TAP", make it clear that we don't plan to implement it, and move along. There are other ways to keep TAP working with walking onions, but they seem kludgey too, and would also require implementation changes for v2 onion services. What do others think? -- Nick ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On Mon, May 11, 2020 at 8:52 PM teor wrote: > > Hi Nick, > > > On 12 May 2020, at 06:48, Nick Mathewson wrote: > > > > ## Migration steps > > > > First, we implement all of the above, but set it to be disabled by > > default. We use torrc fields to selectively enable them for testing > > purposes, to make sure they work. > > Can you expand on the testing plan here? > > One of the risks with multi-year migration projects is that unrelated > changes break the migration, and we don't notice. > > For example, you might need to create a chutney network for each > stage, and run them on every pull request and merge. In our current > CI, that's 30-60 seconds of extra time per network, or 2-4 extra > minutes of CI time. > > If you need to test different combinations of features for each stage, > let's try to do that in the same networks. Otherwise, the testing matrix > expands out very quickly. I agree here think that the right approach here is to test for the various ways that we expect the network to exist at a time. The trickiest stage of the migration will be the one where some services support ntor keys and some don't, some clients do and some don't. If we add a chutney network for that case specifically and make sure that all clients can reach all services, we should be fine here. ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On Thu, May 14, 2020 at 12:46:42AM +1000, teor wrote: > Hi Nick, > > > On 14 May 2020, at 00:09, David Goulet wrote: > > > > On 11 May (16:47:53), Nick Mathewson wrote: > > > >> ``` > >> Filename: 320-tap-out-again.md > >> Title: Removing TAP usage from v2 onion services > >> Author: Nick Mathewson > >> Created: 11 May 2020 > >> Status: Open > >> ``` > >> > >> (This proposal is part of the Walking Onions spec project. It updates > >> proposal 245.) > >> > >> # Removing TAP from v2 onion services > >> > >> As we implement walking onions, we're faced with a problem: what to do > >> with TAP keys? They are bulky and insecure, and not used for anything > >> besides v2 onion services. Keeping them in SNIPs would consume > >> bandwidth, and keeping them indirectly would consume complexity. It > >> would be nicer to remove TAP keys entirely. > >> > >> But although v2 onion services are obsolescent and their > >> cryptographic parameters are disturbing, we do not want to drop > >> support for them as part of the Walking Onions migration. If we did > >> so, then we would force some users to choose between Walking Onions > >> and v2 onion services, which we do not want to do. > > > > I haven't read the entire proposal so I won't comment on its technical > > aspect. > > I was reading and got here and that made me very uncertain about the whole > > proposal itself. > > > > I will propose that we revisit the overall idea of changing v2 here. > > > > I personally think this is the wrong approach. Onion services v2 should be > > deprecated as in removed from the network instead of being offered as a > > choice > > to the users. > > > > We haven't properly done a deprecation path yet for v2 primarly due to our > > lack of time to do so. But at this point in time, where the network is 100% > > composed of relays supporting v3 now (which took 3+ years to get there), it > > is > > time for v2 to not be presented as a choice anymore. > > > > It is a codebase that is barely maintained, no new features are being added > > to > > it and thus moving it to ntor means another at least 3 years of network > > migration. This would mean a major new feature in that deprecated code > > base... > > > > So thus, I personally will argue that moving v2 to ntor is really not the > > right thing to do. Onion service v2 are, at this point in time, _dangerous_ > > choice for the users. > > I agree that we shouldn't support old features forever. And it seems unwise > to spend development effort just to migrate away from TAP, when we could > instead spend that time migrating away from TAP and v2 onion services. > (And reducing our dependency on SHA1 and RSA keys.) > > Strategically, it also seems unwise to carry v2 onion services, TAP > handshakes, RSA relay keys and signatures, and SHA1 into walking onions. > > But it's hard to make these kinds of decisions without approximate > timeframes. > > How long would it take to migrate away from v2 onion services? > > How long would it take to introduce walking onions? > > If we decide to modify v2 onion services, how long would that migration > take? And what's the final plan to end the modified v2 onion services? > I completely agree about not maintaining things forever and that there are security reasons for abandoning v2 (much) sooner than later, but as always I don't think we can just blanketly state what is a dangerous choice for users without specifying a usage and adversary context. I'm not trying to open a discussion of how dangerous this is or getting people to give that specification, only cautioning against such unqualified statements. Another element in this decision making is whether to take into account and engage with the userbase for v2 onion services. The most salient case is probably facebook, but there may be others with a significant amount vested in specific v2 addresses. We could just make decisions about a timeline and inform them, or we could engage with at least some of the more popular or larger v2 onion services to see if they have reasons e.g. why officially announcing EOL in e.g. 3 months is fine, but 2 months would make for craziness for them. Si Vales, Valeo, Paul ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
Nick Mathewson wrote: > ``` > Filename: 320-tap-out-again.md > Title: Removing TAP usage from v2 onion services > Author: Nick Mathewson > Created: 11 May 2020 > Status: Open > ``` > > (This proposal is part of the Walking Onions spec project. It updates > proposal 245.) > > # Removing TAP from v2 onion services > > As we implement walking onions, we're faced with a problem: what to do > with TAP keys? They are bulky and insecure, and not used for anything > besides v2 onion services. Keeping them in SNIPs would consume > bandwidth, and keeping them indirectly would consume complexity. It > would be nicer to remove TAP keys entirely. > > But although v2 onion services are obsolescent and their > cryptographic parameters are disturbing, we do not want to drop > support for them as part of the Walking Onions migration. If we did > so, then we would force some users to choose between Walking Onions > and v2 onion services, which we do not want to do. > I also think this might not be worth it. The engineering time-cost far exceeds the gains and it also decreases the security of users with yet another penalty on Tor network performance and code-base maintenance. It just extends the time of inevitable: dropping v2 onions entirely, so I agree with Teor, David and Paul. I won't also repeat the obvious about RSA1024 and SHA1, these two just don't mix up well with Tor and the attention it gets, the userbase it has and the amount of motivated, well funded attackers particularly targeting onion services. What I can say and could make a penny here is that I really keep an eye on onion services usage in external, unrelated projects, and keep contact with people in those communities. To be frank, I think that at present time most of v2 onion traffic is from bitcoin full nodes in Tor-land, facebook and people using onioncat for UDP in Tor or other tunneling related stuff. They do so not because they want or like, but simply because v3 onion addresses are much larger and need some code change. However, work is undergo. IIRC onioncat was already patched to support v3 at some level. Bitcoin is changing their p2p protocol to support larger address space. Other v2 onion traffic might be our own apt repositories channels and other tp.o services, as well as some Debian derivatives offering updates over Tor -- these all know about v3 onion services and want to move to v3 -- they were just waiting for OnionBalance v3 which I heavily tested and it was improved (asn's credit - I only did the testing and bug hunting): at this moment there is a tagged 0.2.0 release which is rock solid and can safely be used in PROD mode. Of course there is probably an unknown number of websites that still use v2, but I am pretty sure they will switch to v3 sooner rather than later. After all, it's trivial to switch for most users (those that don't have dependencies on tools that do not support such large addresses - I'm not aware of any others than what I've mentioned). All in all I can only see advantages in adding enhancements and improvements to v3 onion services and setting a reasonable and smooth deprecation plan for v2 services. The crypto used in v2 is already under recommendations - while of course it doesn't technically mean that if Tor supports them it also endorses them, some users might still not get it and don't upgrade to v3 unless they really need to (on the logic as long as it works, leave it on). Forcing the upgrade for users own protection + a lot of benefits on Tor network and code side mentioned by teor does not seam like a wrong approach at all to me. Thanks. signature.asc Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
Hi Nick, > On 14 May 2020, at 00:09, David Goulet wrote: > > On 11 May (16:47:53), Nick Mathewson wrote: > >> ``` >> Filename: 320-tap-out-again.md >> Title: Removing TAP usage from v2 onion services >> Author: Nick Mathewson >> Created: 11 May 2020 >> Status: Open >> ``` >> >> (This proposal is part of the Walking Onions spec project. It updates >> proposal 245.) >> >> # Removing TAP from v2 onion services >> >> As we implement walking onions, we're faced with a problem: what to do >> with TAP keys? They are bulky and insecure, and not used for anything >> besides v2 onion services. Keeping them in SNIPs would consume >> bandwidth, and keeping them indirectly would consume complexity. It >> would be nicer to remove TAP keys entirely. >> >> But although v2 onion services are obsolescent and their >> cryptographic parameters are disturbing, we do not want to drop >> support for them as part of the Walking Onions migration. If we did >> so, then we would force some users to choose between Walking Onions >> and v2 onion services, which we do not want to do. > > I haven't read the entire proposal so I won't comment on its technical aspect. > I was reading and got here and that made me very uncertain about the whole > proposal itself. > > I will propose that we revisit the overall idea of changing v2 here. > > I personally think this is the wrong approach. Onion services v2 should be > deprecated as in removed from the network instead of being offered as a choice > to the users. > > We haven't properly done a deprecation path yet for v2 primarly due to our > lack of time to do so. But at this point in time, where the network is 100% > composed of relays supporting v3 now (which took 3+ years to get there), it is > time for v2 to not be presented as a choice anymore. > > It is a codebase that is barely maintained, no new features are being added to > it and thus moving it to ntor means another at least 3 years of network > migration. This would mean a major new feature in that deprecated code base... > > So thus, I personally will argue that moving v2 to ntor is really not the > right thing to do. Onion service v2 are, at this point in time, _dangerous_ > choice for the users. I agree that we shouldn't support old features forever. And it seems unwise to spend development effort just to migrate away from TAP, when we could instead spend that time migrating away from TAP and v2 onion services. (And reducing our dependency on SHA1 and RSA keys.) Strategically, it also seems unwise to carry v2 onion services, TAP handshakes, RSA relay keys and signatures, and SHA1 into walking onions. But it's hard to make these kinds of decisions without approximate timeframes. How long would it take to migrate away from v2 onion services? How long would it take to introduce walking onions? If we decide to modify v2 onion services, how long would that migration take? And what's the final plan to end the modified v2 onion services? T ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On 11 May (16:47:53), Nick Mathewson wrote: Hello! > ``` > Filename: 320-tap-out-again.md > Title: Removing TAP usage from v2 onion services > Author: Nick Mathewson > Created: 11 May 2020 > Status: Open > ``` > > (This proposal is part of the Walking Onions spec project. It updates > proposal 245.) > > # Removing TAP from v2 onion services > > As we implement walking onions, we're faced with a problem: what to do > with TAP keys? They are bulky and insecure, and not used for anything > besides v2 onion services. Keeping them in SNIPs would consume > bandwidth, and keeping them indirectly would consume complexity. It > would be nicer to remove TAP keys entirely. > > But although v2 onion services are obsolescent and their > cryptographic parameters are disturbing, we do not want to drop > support for them as part of the Walking Onions migration. If we did > so, then we would force some users to choose between Walking Onions > and v2 onion services, which we do not want to do. I haven't read the entire proposal so I won't comment on its technical aspect. I was reading and got here and that made me very uncertain about the whole proposal itself. I will propose that we revisit the overall idea of changing v2 here. I personally think this is the wrong approach. Onion services v2 should be deprecated as in removed from the network instead of being offered as a choice to the users. We haven't properly done a deprecation path yet for v2 primarly due to our lack of time to do so. But at this point in time, where the network is 100% composed of relays supporting v3 now (which took 3+ years to get there), it is time for v2 to not be presented as a choice anymore. It is a codebase that is barely maintained, no new features are being added to it and thus moving it to ntor means another at least 3 years of network migration. This would mean a major new feature in that deprecated code base... So thus, I personally will argue that moving v2 to ntor is really not the right thing to do. Onion service v2 are, at this point in time, _dangerous_ choice for the users. Cheers! David -- A6ufpccBUu9sxu+cw0b1qX9hKnkXjLXyU5P1hxeBhsk= signature.asc Description: PGP signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
Hi Nick, > On 12 May 2020, at 06:48, Nick Mathewson wrote: > > ## Migration steps > > First, we implement all of the above, but set it to be disabled by > default. We use torrc fields to selectively enable them for testing > purposes, to make sure they work. Can you expand on the testing plan here? One of the risks with multi-year migration projects is that unrelated changes break the migration, and we don't notice. For example, you might need to create a chutney network for each stage, and run them on every pull request and merge. In our current CI, that's 30-60 seconds of extra time per network, or 2-4 extra minutes of CI time. If you need to test different combinations of features for each stage, let's try to do that in the same networks. Otherwise, the testing matrix expands out very quickly. T ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On Mon, May 11, 2020 at 5:58 PM Ian Goldberg wrote: > > On Mon, May 11, 2020 at 04:47:53PM -0400, Nick Mathewson wrote: > > ## INTRODUCE cells, RENDEZVOUS cells, and ntor. > > > > We allow clients to specify the rendezvous point's ntor key in the > > INTRODUCE2 cell instead of the TAP key. To do this, the client > > simply sets KLEN to 32, and includes the ntor key for the relay. > > > > Clients should only use ntor keys in this way if the network parameter > > "hsv2-client-rend-ntor" is set to 1, and if the entry "allow-rend-ntor" > > is present in the onion service descriptor. > > > > Services should only advertise "allow-rend-ntor" in this way if the > > network parameter "hsv2-service-rend-ntor" is set to 1. > > It should be stronger, right? A service that does not advertise > allow-rend-ntor (because hsv2-service-rend-tor is unset) MUST reject an > ntor key, even if the service actually does support it? Otherwise a > client could simply try it even if support is not advertised? Ah yes, you're right. -- Nick ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Proposal 320: Removing TAP usage from v2 onion services
On Mon, May 11, 2020 at 04:47:53PM -0400, Nick Mathewson wrote: > ## INTRODUCE cells, RENDEZVOUS cells, and ntor. > > We allow clients to specify the rendezvous point's ntor key in the > INTRODUCE2 cell instead of the TAP key. To do this, the client > simply sets KLEN to 32, and includes the ntor key for the relay. > > Clients should only use ntor keys in this way if the network parameter > "hsv2-client-rend-ntor" is set to 1, and if the entry "allow-rend-ntor" > is present in the onion service descriptor. > > Services should only advertise "allow-rend-ntor" in this way if the > network parameter "hsv2-service-rend-ntor" is set to 1. It should be stronger, right? A service that does not advertise allow-rend-ntor (because hsv2-service-rend-tor is unset) MUST reject an ntor key, even if the service actually does support it? Otherwise a client could simply try it even if support is not advertised? ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
