[tor-dev] [RELEASE] Torsocks 2.1.0

Yawning Angel yawning at schwanenlied.me
Thu May 28 13:11:13 UTC 2015


On Thu, 28 May 2015 14:55:07 +0200
anonym <anonym at riseup.net> wrote:

> On 05/27/2015 09:19 PM, David Goulet wrote:
> > - IsolatePID is a new option that will make torsocks set the SOCKS5
> >   username and password automatically to provide isolation on Tor
> > side.
> > 
> >   You can use this with the -i,--isolate command added or
> >   TORSOCKS_ISOLATE_PID env. variable.
> 
> Perhaps I'm overlooking the purpose of this option, but it doesn't
> look like something you can rely on to get stream isolation between
> separate torsocks invocations. For instance, on a POSIX-compliant
> system a PID can be reused as soon as the process using it has
> terminated. This implies that, for any purpose, a PID should only be
> used as a unique identifier for the duration of the process using it.
> 
> Assuming the purpose is to provide stream isolation between torsocks
> invocations, why not generate a big random numbers for the socks auth
> user/password instead? 256 bits should be enough even when taking the
> birthday paradox into account.
> 
> In practice PID resuage perhaps isn't a problem for any realistic use
> case, making my remarks into theoretical nitpicking, but YMMV.

Ah, this is a matter of "the feature is explained in a simple manner in
the abbreviated changelog".

What the flag actually does is:
 * Username set to 'torsocks-' PID ':' unixTime
 * Password set to '0'. (If one day torsocks wants to add something
   like a signal handler to get tor browser 'new circuit' type
   behavior, my plan was to increment this, not currently used).

While not as great as 256 bit random numbers, PID reuse within the same
second is rather unlikely, at least under Linux PIDs are only recycled
when the pid wraps (/proc/sys/kernel/pid_max), I assume most other
Unixes follow similar behavior.

The identifier was chosen such that it would be blatantly obvious in
circuit listings as to which torsocks instance things belong to.  There
is space in the username field, so appending a hexdecimal large random
number or something is certainly possible and quite trivial.

Regards,

-- 
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150528/57db900b/attachment.sig>


More information about the tor-dev mailing list