01/21/2012 06:16 PM, intrigeri:
> intrigeri wrote (21 Jan 2012 15:24:19 GMT) :
>
>> anonym will update our design doc accordingly.
>
> ... next week.

Committed to the stable branch (cfeb7be). But I realized that this results in an issue for I2P. From the commit:

    Second, the same type of attacker as above could also try to forge a completely new consensus, which would be unverifiable since the attacker doesn't have access to the authorities' keys. We would still set Tails' system time according to the unverifiable consensus, but Tor would refuse to use the forged consensus, resulting in complete denial-of-service. An attacker in that position could do denial-of-service attacks in many other ways, so this doesn't make the situation any worse.

... which is true for Tor-only users, yes, but it definitely makes the situation worse for I2P users: since the attacker can set the time arbitrarily, it could potentially use system time to uniquely identify a Tails user using an application that leaks the system time over I2P. Of course, I2P doesn't work if the time is too much off, but that just reduces it to an extreme partition attack (i.e. the user's anonymity set is reduced to all other I2P users with approximately the same clock skew).

I think we need to make the i2p start script depend on Tor working.

(BTW, while I was at it I also updated the time sync design docs w.r.t. recent htpdate improvements in the feature/more_resilient_htpdate branch (commit f716c2f))

Cheers!
