Re: [Tails-dev] new features coming in to be aware of

On 20/06/2023 19.19, richard wrote:
> Hi Tails devs,
>
> So the legacy tor daemon recently got two new features in alpha you
> should be aware of, proof-of-work and conflux circuits:

Thanks for the heads-up! This is very valuable!

> - proof-of-work: Onion service providers will be able to opt-in to a
> proof-of-work requirement for connecting clients as a ddos
> counter-measure. Legacy clients which do not support this feature will
> not be able to connect to onion services making use of it. This feature
> will be transparent to the user, though in Tor Browser we may surface
> custom ui notifying the user if they failed to complete the pow in-time
> (or other pow-specific errors). The details are still tbd, but any error
> would be surfaced to applications via a custom SOCKS5 error code
> (similar to how the tor daemon notifies applications that client auth is
> required to access an onion service)

Am I correct to assume that as long as we have a tor and Tor Browser
that supports this, and our Tor Browser's SocksPort has ExtendedErrors
enabled, then we are good to go for this feature, or is something more
needed?

> - conflux circuits: the network team has developed a multiple-circuit
> selection routing system whereby clients will open multiple circuits to
> an endpoint, and divide traffic between the circuits to increase network
> performance. Any ux that shows a user's circuit will need to be updated
> to account for this new conflux circuit reality. For the initial stable
> release, conflux circuits will only work with clearnet endpoints so
> onion services are unaffected. The browser team will be working with ux
> on any required ui changes during the next release cycle, so if Tails
> has an analogous thing outside of Tor Browser you can probably follow
> our lead there.

Tails has a simple Vidalia-esque circuit viewer where each circuit is
listed along with its streams, so (if I understand correctly) with
conflux circuits it can be the case that the same stream can be listed
under multiple circuits. Since (IIRC) pre-conflux streams associate with
a single circuit id it indeed sounds like there will be some work needed
here. And this circuit viewer uses Stem, which is unmaintained, which
could complicate things a bit further. :)

Tails also has a control port filter (that sits between tor and the
applications using the control port) that I believe will be affected:
since Tails runs a single system-wide tor instance there are concerns
about applications that have access to the control port snooping on
other circuits/streams (among other things), so the filter enforces
restrictions so a control port user only can see its own streams and
associated circuits. If streams can associate to multiple circuits then
Tails' control port filter must take that into account.

Again, thanks for the heads-up!

Cheers!