On 08 Apr (10:15:19), Tim Wilson-Brown - teor wrote: > Hi All, > > I'm working on proposal 260's Rendezvous Single Onion Services in #17178. > > They are faster, because they have one hop between the service and the > introduction and rendezvous points. > But this means that their location is easy to discover (non-anonymous). > So we want to come up with a design that makes it hard to configure a > non-anonymous service by accident. > > Here's a cut-down version of an email I sent to tor-onions for feedback, for > those who are on both lists: > > Nick's concern was that users could configure Single Onion Services without > realising that it provides no server location anonymity. > I initially thought we could change the torrc option name to make this clear. > ... > I now believe that trying to overload the name of a feature with warnings > about its downsides was a mistake. … > > This would mean that Single Onion Service operators would include in their > torrc: > > SingleOnionMode 1 > HiddenServiceDir … > ... > > As a separate issue, I think there are two alternative designs that can > prevent users from configuring the feature and then exposing their location > unintentionally: > > Tor2WebMode requires users to add a compilation option: --enable-tor2web-mode > We could do this with Single Onion Services as well: > --enable-single-onion-mode > If SingleOnionMode is configured without the compilation option, tor warns > the user and refuses to start. > When it is configured, tor warns the user they're non-anonymous, then starts. > However, using a compilation option makes the feature harder to test. > And Tor2Web operators already don't like having to compile separate binaries. > It's likely Single Onion operators would feel similarly. > > Alternately, we could add a torrc option: NonAnonymousMode > If SingleOnionMode is configured without NonAnonymousMode, tor warns the user > and refuses to start. > When it is configured, tor warns the user they're non-anonymous, then starts.
Just to be clear, the user would have to enable _both_ options to make the
single onion mode work? Like so:
SingleOnionMode 1
NonAnonymousMode 1
HiddenServiceDir ...
Basically asking the user to *explicitely" set an option that says "Ok you are
aware that you will loose anonymity".
It's a bit weird to have to enable two options for one feature (single onion)
BUT I like the double torrc option forcing the users to understand what's
going on (also adding semantic to the config file).
Bikesheding: the name though could be a bit misleading. What if that tor
process is also used as a client to "wget" stuff on the server for instance.
Won't I be confused if NonAnonymousMode is _set_ not knowing it applies to
what? Idea: "HiddenServiceNonAnonymousMode 1". Pretty explicit that it's for
the service.
Cheers!
David
>
> I spoke with Nick on IRC and he's happy with either of these options.
>
> I'd like to proceed with the NonAnonymousMode torrc option, unless there are
> compelling reasons against that design.
> I hope that this will allow us to get SingleOnionMode merged early in tor
> 0.2.9.
>
> Tim
>
> Tim Wilson-Brown (teor)
>
> teor2345 at gmail dot com
> PGP 968F094B
> ricochet:ekmygaiu4rzgsk6n
>
>
>
> _______________________________________________
> tor-dev mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
signature.asc
Description: PGP signature
_______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
