Re: [Tails-dev] tordate: why is it safe to set timefromunver…

Author: anonym
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] tordate: why is it safe to set timefromunverified-consensus?
01/21/2012 06:16 PM, intrigeri:
> intrigeri wrote (21 Jan 2012 15:24:19 GMT) :
>
>> anonym will update our design doc accordingly.
>
> ... next week.


Committed to the stable branch (cfeb7be). But I realized that this
results in an issue for I2P. From the commit:

Second, the same type of attacker as above could also try to forge a
completely new consensus, which would be unverifiable since the
attacker doesn't have access to the authorities' keys. We would still
set Tails' system time according to the unverifiable consensus, but
Tor would refuse to use the forged consensus, resulting in complete
denial-of-service. An attacker in that position could do
denial-of-service attacks in many other ways, so this doesn't make
the situation any worse.

... which is true for Tor-only users, yes, but it definitely makes the
situation worse for I2P users: since the attacker can set the time
arbitrarily, it could potentially use system time to uniquely identify a
Tails user using an application that leaks the system time over I2P. Of
course, I2P doesn't work if the time is too much off, but that just
reduces it to an extreme partition attack (i.e. the user's anonymity set
is reduced to all other I2P users with approximately the same clock skew).

I think we need to make the i2p start script depend on Tor working.

(BTW, while I was at it I also updated the time sync design docs
w.r.t. recent htpdate improvements in the feature/more_resilient_htpdate
branch (commit f716c2f))

Cheers!
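
An added illustration of the dependency proposed in the message above (not part of the original message and not Tails code): a start wrapper that refuses to launch I2P unless Tor reports a completed bootstrap, which by the commit text cannot happen with a forged, unverifiable consensus. The function names and sample replies are hypothetical and constructed; the reply format is that of Tor's `GETINFO status/bootstrap-phase` control command, and how the reply is fetched from the control port is left out.

```shell
#!/bin/sh
# Added example: gate an I2P start on Tor having fully bootstrapped.
# Per the commit text, Tor refuses a forged (unverifiable) consensus, so a
# completed bootstrap means the clock was not set from such a consensus alone.

# Constructed sample replies to "GETINFO status/bootstrap-phase".
SAMPLE_DONE='250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
250 OK'
SAMPLE_STALLED='250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=25 TAG=loading_status SUMMARY="Loading networkstatus consensus"
250 OK'

# Print the PROGRESS value from a control-port reply.
# Prints nothing when the reply has no well-formed PROGRESS field.
bootstrap_progress() {
    printf '%s\n' "$1" |
        sed -n 's/^250[- ]status\/bootstrap-phase=.* PROGRESS=\([0-9][0-9]*\) .*$/\1/p' |
        head -n 1
}

# Succeed only when Tor reports a completed bootstrap. Errors, empty
# replies and partial progress all fail closed.
tor_is_working() {
    progress=$(bootstrap_progress "$1")
    [ -n "$progress" ] && [ "$progress" -eq 100 ]
}

# Decision for a hypothetical I2P start wrapper: "start" or "refuse".
i2p_start_decision() {
    if tor_is_working "$1"; then
        echo start
    else
        echo refuse
    fi
}

# Demo over the constructed replies, plus an error reply.
for reply in "$SAMPLE_DONE" "$SAMPLE_STALLED" "515 Authentication required"; do
    echo "progress=$(bootstrap_progress "$reply") decision=$(i2p_start_decision "$reply")"
done
```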