Re: [T(A)ILS-dev] Stricter NEWNYM

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [T(A)ILS-dev] Stricter NEWNYM
Hi,

anonym wrote (17 Apr 2011 11:07:16 GMT) :
> 16/04/11 21:12, intrigeri:
>> sajolida wrote (14 Apr 2011 15:28:37 GMT) :
>>
>>> Vidalia's "New Identity" button forces Tor to use new circuits, thus
>>> addressing the first threat
>>
>> Wrong. It asks Tor to use new circuits **for new connections** only.
>> We've been discussing it on this mailing-list a few months ago, in the
>> thread about HTTP keep-alive. Also see recent activity about such
>> matters on Tor's bug tracker.


> Could you please provide some links?


Thread on this mailing-list:
https://boum.org/pipermail/tails-dev/2010-December/000061.html
https://boum.org/pipermail/tails-dev/2011-January/000099.html

Activity on Tor's bug tracker: I was indeed talking of your own
contributions you provided links for :)

>> In the current state of things, I think we should either not mention
>> this feature of Vidalia's, or tell it can **not** be accounted on to
>> address the first threat.


> I've been giving this whole issue some thought in two instances, a
> post to or-talk discussing stricter newnym behaviour [0], and on my
> bug about changing bridge behaviour [1]. Essentially, I'm
> considering a more drastic approach that closes all circuits, even
> those handling streams.


> As this is a very important issue for our users, I think we should
> try thinking a bit of how we want this to work and do some lobbying
> on the Tor mailing lists and bug tracker. At this point it seems
> that NEWNYM is too unreliable to recommend using, or even that we
> should warn users about it, which is not good. What are your thoughts
> on the subject?


It seems to me we agreed at some point to patch Vidalia so that the
message displayed on successful NEWNYM makes it clear what's
happening, and especially what is *not* happening; i.e. long-living
streams are not closed, keep-alive does exist, etc. I am unable to
find any reference to this previous discussion that could back up my
claims, though.

Anyway, I don't think even a stricter NEWNYM feature in Tor would
allow us to let Tails users believe it allows them to (safely,
sequentially) use multiple contextual identities in a row without
rebooting Tails. Even if NEWNYM would close all existing streams, the
rest of the system would not be reset to a state that guarantees being
part of the "Tails users" anonymity set; I'm especially thinking of
the web browser's state (e.g. cookies) that may link separate
activities together, but there are probably a few other such issues
that I would not like us to deal with using a blacklist approach.
Trying to strictly get a system that has been running for hours back
into the "Tails users" anonymity set seems like a dangerous and very
time-consuming goal I would prefer we do not try to reach. But well,
this is my initial guts feeling to this problematic, and I could very
well change my mind if needed :)

In Tails context: I still think we need to patch the post-NEWNYM
message Vidalia displays to make this clear, and suggest rebooting...
stricter NEWNYM or not. I agree this is no perfect solution, but I
nevertheless think it's the only thing we can safely do wrt. Tails
users.

More generally, I'm unsure what would be good, or at least better, for
the whole Tor community. I've not put much thought into this yet and
no strong feelings lead me to prefer the stricter NEWNYM approach to
the current one or reciprocally. On the other hand I agree a strict
NEWNYM shall happen on some occasions such as when the list of bridges
being used changes.

Bye,
--
intrigeri <intrigeri@???>
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
| Then we'll come from the shadows.
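
The behaviour discussed in this message (NEWNYM only moves new connections to new circuits, while long-lived and keep-alive streams stay where they were) can be observed by comparing Tor's `GETINFO stream-status` control-port output taken before and after the signal. This is an added example, not part of the original message and not Tails, Vidalia or Tor code; the function names and the two sample replies are constructed for illustration.

```python
# Each line of a GETINFO stream-status reply has the form:
#   StreamID SP StreamStatus SP CircuitID SP Target
# The two replies below are constructed samples, not captured from a real Tor.
BEFORE_NEWNYM = """\
41 SUCCEEDED 7 mail.example.org:993
42 SUCCEEDED 8 www.example.com:80
"""
AFTER_NEWNYM = """\
41 SUCCEEDED 7 mail.example.org:993
42 SUCCEEDED 8 www.example.com:80
43 SUCCEEDED 12 www.example.com:80
"""


def parse_stream_status(reply):
    """Return {stream_id: (status, circuit_id, target)} from a reply body."""
    streams = {}
    for line in reply.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        stream_id, status, circ_id, target = parts[:4]
        streams[stream_id] = (status, circ_id, target)
    return streams


def surviving_streams(before, after):
    """Streams that existed before NEWNYM and are still on the same circuit."""
    old, new = parse_stream_status(before), parse_stream_status(after)
    return [
        (sid, circ, target)
        for sid, (status, circ, target) in sorted(new.items())
        if sid in old and old[sid][1] == circ
        and status not in ("CLOSED", "FAILED")
    ]


def fresh_streams(before, after):
    """Streams opened after NEWNYM on circuits no earlier stream was using."""
    old, new = parse_stream_status(before), parse_stream_status(after)
    old_circuits = {circ for _, circ, _ in old.values()}
    return [
        (sid, circ, target)
        for sid, (_, circ, target) in sorted(new.items())
        if sid not in old and circ not in old_circuits
    ]


if __name__ == "__main__":
    for sid, circ, target in surviving_streams(BEFORE_NEWNYM, AFTER_NEWNYM):
        print(f"stream {sid} to {target} still on pre-NEWNYM circuit {circ}")
    for sid, circ, target in fresh_streams(BEFORE_NEWNYM, AFTER_NEWNYM):
        print(f"stream {sid} to {target} on new circuit {circ}")
```

In the constructed sample, stream 42 is a kept-alive HTTP connection that stays on circuit 8 after the signal, while a later request to the same host lands on circuit 12.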