[tor-bugs] #24020 [Core Tor/Tor]: Can authorities use multihop circuits rather than direct connections to detect running routers?

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 26 18:40:47 UTC 2017 

#24020: Can authorities use multihop circuits rather than direct connections to
detect running routers?
------------------------------+------------------------------------
     Reporter:  nickm         |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: unspecified
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  durauth, bridge-bypass
Actual Points:                |  Parent ID:  #20532
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+------------------------------------
 So, I had an item on the roadmap to "Ensure dirauths check for incoming
 authentication when verifying ORPorts, if easy".

 Summary: It's not easy, but it's possible given effort.


 So, it looks like dirauths don't check for incoming authentication at all
 when verifying ORPorts.  All they do is look at the "last_reachable" or
 "last_reachable6" fields.  Those fields are set from
 dirserv_orconn_tls_done(), which triggers when we complete an outgoing TLS
 handshake.

 The reachability tests are launched with
 dirserv_single_reachability_test(), which only opens a channel -- it
 doesn't try to create a circuit at all.

 If we want to do a test for _incoming_ authentication, it's possible, but
 we'd need to write some more machinery and think of a workaround for an
 issue (below).  We would need to launch testing circuits through the
 targetted node, and notice whenever somebody authenticates to _us_ using
 the node's key.  If the circuit succeeds but the node has performed no
 authentication to us, it must be a bridge.  Such tests could be launched
 on a comparatively slow schedule.

 There's one other problem with the make-an-incoming-circuit approach: I
 think that the authority will authenticate to the bridge with its outgoing
 connection, and so the bridge will already have an authority connection to
 the authority.  I think that the bridge will, when asked to connect to the
 authority, use that connection instead of creating a new one.  Two
 possible fixes: first, the bridge could stop asking for authentication on
 incoming connections.  Second, the authority could stop providing
 authentication on outgoing testing connections that it launches for this
 purpose.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24020>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list