[tor-bugs] #13154 [- Select a component]: Debian's "popularity contest" package as threat vector?

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Sep 14 20:30:16 UTC 2014


#13154: Debian's "popularity contest" package as threat vector?
--------------------------------------+------------------------------------
     Reporter:  saint                 |      Owner:  saint
         Type:  enhancement           |     Status:  accepted
     Priority:  normal                |  Milestone:
    Component:  - Select a component  |    Version:
   Resolution:                        |   Keywords:  tor-hs, Debian, Stormy
Actual Points:                        |  Parent ID:
       Points:                        |
--------------------------------------+------------------------------------

Comment (by proper):

 * [http://popcon.debian.org/README popcon readme]
 * [http://popcon.debian.org/FAQ popcon faq]
 * [http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=popularity-contest
 popcon bugs]
 * [http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/popcon-
 developers popularity contest mailing list]
 * [http://lists.alioth.debian.org/pipermail/popcon-
 developers/2012-October/002172.html popularity contest mailing list: Drop
 atime and ctime for privacy reasons possible?]
 * The connection would obviously need to go over its own Tor circuit
 (stream isolation). At the moment popcon tries to go through http and if
 it fails (no internet connectivity) it goes into the mail queue.
 (sendmail) Sendmail probably works though TransPort, but we don't know if
 it can be torified for proper stream isolation or if you want to implement
 TransPort.
 * (From the popcon readme) "''Each popularity-contest host is identified
 by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf).''" -
 This would allow to enumerate a quite good guess about the amount number
 of users.
 * If you were to ship a VM image, MY_HOSTID would probably get created at
 build time and all users would have the same MY_HOSTID, which would make
 it useless. A new MY_HOSTID would have to be created at first boot. But as
 long you are using a script, that won't be an issue.
 * Popcon runs at a random day. Good.
 * If the machine is powered on: it runs at 6:47, which is bad, because a
 local adversary (ISP or hotspot) could guess popcon runs over Tor (traffic
 pattern).
 * If the machine is powered off at 6:47, it sends the report later, only
 if anachron is installed. It shouldn't run instantly after powering on,
 also for fingerprinting reasons. The time would have to be truly
 randomized.
 * As long as the transmission is not encrypted, see
 [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480860 popularity-
 contest should encrypt contents] Malicious Tor exit relays could modify
 the transmission, but this is only a minor issue. Such malicious Tor exit
 relays could send fake transmissions on their own. Encryptoin has been
 added (see debian bug ticket), but I am not sure it landed in the repos
 yet.
 * It's questionable if and if yes, how long Debian will accept popularity
 contest transmissions from Tor exit relays. There is potential for
 electoral fraud.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13154#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list