[tor-talk] Stricter NEWNYM?
Robert Ransom
rransom.8774 at gmail.com
Fri Mar 4 18:17:30 UTC 2011
On Fri, 04 Mar 2011 13:21:22 +0100
anonym <anonym at lavabit.com> wrote:
> While I've been developing the LiveCDs Incognito and Tails I've got my
> fair share of feature requests/bug reports that really are about Tor.
> One recurring feature request is to make NEWNYM stricter.
>
> Users have observed that issuing a NEWNYM doesn't necessarily stop using
> the previous circuits, which is obviously the case for truly long lived
> connections like IRC and SSH, but I don't think that is what bothers
> them; web browsing connections also keep using the old circuits, at
> least with certain web browser and intermediate proxy configurations
> that make them "kinda" long lived (think http keep-alive timeouts).
> This confuses users when they get the same exit node after a NEWNYM (for
> instance by refreshing check.torproject.org afterwards).

This can happen even on a new circuit. Tor does not try to select a
different exit node after a NEWNYM has been issued, as that would make
users' streams before a NEWNYM more linkable to their streams after the
NEWNYM.

> Conclusion: NEWNYM doesn't do what the users expect.
>
> That's no good. Why don't we make NEWNYM ruthlessly kill all circuits,
> even the ones handling live connections, long lived or not? I strongly
> believe this stricter NEWNYM behaviour is (at least closer to) what the
> user expects from it. See the attached patch for a quick and dirty
> implementation -- a patch says more than a thousand words, I suppose.
>
> Of course, to use NEWNYM requires some caution from the user, e.g.
> clearing cookies, session id etc. if revisiting the same site, but that
> also affects the old NEWNYM approach. Maybe it's even the case that
> NEWNYM gives a false sense of a new identity, given all application
> level problems that Tor cannot (or at least shouldn't) do anything
> about, and thus we should give a shite?

Torbutton would also need a 'new identity' button. See
<https://trac.torproject.org/projects/tor/ticket/523> for some
discussion of what that would involve.

If you want to close all web-browsing streams while switching to a 'new
identity', the best currently possible options are to toggle Torbutton
off, then back on, or to quit Firefox entirely and restart it. (This
also requires that you restart Polipo or not be using it.) Perhaps
that should be documented better.

Alternatively, a user could use Vidalia's 'Network Map' to close all
open web-browsing streams.

> In any case, are there any new
> problems introduced by this more brutal approach that I haven't thought
> of which would make it worse than the previous one?

This approach would make it impractical for a user to use IRC or SSH on
a LiveCD while browsing without linking the IRC/SSH session to
his/her/its browsing activities. Please separate the 'kill all
streams' command from the NEWNYM command.

A 'kill all streams' command would be more useful if it came with an
implementation of proposal 171 and ended all streams sent by one
application (as determined by the application-separation criteria in
that proposal). Unfortunately, that won't become possible until
proposal 171 is implemented.

Robert Ransom
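
The separation asked for above, as an added example that is not part of the original message or of Tor's or Vidalia's code: it parses a `GETINFO stream-status` control-port reply, closes only the streams to web ports with `CLOSESTREAM`, then sends `SIGNAL NEWNYM`, so IRC and SSH streams stay up. The web port set, the control address 127.0.0.1:9051, password authentication and the sample reply are assumptions.

```python
import re
import socket

WEB_PORTS = {80, 443}  # assumption: which target ports count as web browsing

# Constructed sample of a GETINFO stream-status reply (IDs and hosts made up).
SAMPLE = """250+stream-status=
42 SUCCEEDED 7 check.torproject.org:443
43 SUCCEEDED 7 irc.example.net:6667
250 SENTCONNECT 9 www.example.com:80
44 SUCCEEDED 8 ssh.example.org:22
.
250 OK"""

def parse_stream_status(reply):
    """Return (stream_id, status, circuit_id, host, port) for each stream."""
    streams = []
    for line in reply.splitlines():
        line = re.sub(r"^250[-+]stream-status=", "", line.strip())
        m = re.fullmatch(r"(\S+) (\S+) (\S+) (\S+):(\d+)", line)
        if m:
            streams.append((m[1], m[2], m[3], m[4], int(m[5])))
    return streams

def plan_commands(reply, ports=WEB_PORTS):
    """Close only streams to `ports`, then request NEWNYM; IRC/SSH stay up."""
    cmds = [f"CLOSESTREAM {sid} 1"  # reason 1 = MISC
            for sid, status, _circ, _host, port in parse_stream_status(reply)
            if port in ports and status not in ("CLOSED", "FAILED")]
    return cmds + ["SIGNAL NEWNYM"]

def read_reply(f):
    """Read one control reply, including a '250+' data block ending in '.'."""
    out, in_data = [], False
    while True:
        raw = f.readline()
        line = raw.rstrip("\r\n")
        out.append(line)
        if not raw or (not in_data and line[3:4] == " "):
            return "\n".join(out)
        in_data = (line != ".") if in_data else line[3:4] == "+"

def run(host="127.0.0.1", port=9051, password=""):
    """Apply the plan on a live control port (address and auth are assumed)."""
    with socket.create_connection((host, port)) as s, s.makefile("rw", newline="") as f:
        def cmd(c):
            f.write(c + "\r\n"); f.flush()
            return read_reply(f)
        cmd(f'AUTHENTICATE "{password}"')
        return [cmd(c) for c in plan_commands(cmd("GETINFO stream-status"))]
```

Stream ID 250 in the sample is deliberate: inside a data block a stream line can look like a final `250 ` status line, so the reader tracks the block terminator instead of matching on the prefix.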