mirror of
https://github.com/torproject/torspec.git
synced 2024-12-13 21:48:45 +00:00
463 lines
21 KiB
Plaintext
463 lines
21 KiB
Plaintext
Filename: 260-rend-single-onion.txt
|
|
Title: Rendezvous Single Onion Services
|
|
Author: Tim Wilson-Brown, John Brooks, Aaron Johnson, Rob Jansen, George Kadianakis, Paul Syverson, Roger Dingledine
|
|
Created: 2015-10-17
|
|
Status: Finished
|
|
Implemented-In: 0.2.9.3-alpha
|
|
|
|
1. Overview
|
|
|
|
Rendezvous single onion services are an alternative design for single onion
|
|
services, which trade service-side location privacy for improved
|
|
performance, reliability, and scalability.
|
|
|
|
Rendezvous single onion services have a .onion address identical to any
|
|
other onion service. The descriptor contains the same information as the
|
|
existing double onion (hidden) service descriptors. The introduction point
|
|
and rendezvous protocols occur as in double onion services, with one
|
|
modification: one-hop connections are made from the onion server to the
|
|
introduction and rendezvous points.
|
|
|
|
This proposal is a revision of the unnumbered proposal Direct Onion
|
|
Services: Fast-but-not-hidden services by Roger Dingledine, and George
|
|
Kadianakis at
|
|
https://lists.torproject.org/pipermail/tor-dev/2015-April/008625.html
|
|
|
|
It incorporates much of the discussion around hidden services since April
|
|
2015, including content from Single Onion Services (Proposal #252) by John
|
|
Brooks, Paul Syverson, and Roger Dingledine.
|
|
|
|
2. Motivation
|
|
|
|
Rendezvous single onion services are best used by sites which:
|
|
* Don't require location anonymity
|
|
* Would appreciate lower latency or self-authenticated addresses
|
|
* Would like to work with existing tor clients and relays
|
|
* Can't accept connections to an open ORPort
|
|
|
|
Rendezvous single onion services have a few benefits over double onion
|
|
services:
|
|
|
|
* Connection latency is lower, as one-hop circuits are built to the
|
|
introduction and rendezvous points, rather than three-hop circuits
|
|
* Stream latency is reduced on a four-hop circuit
|
|
* Less Tor network capacity is consumed by the service, as there are
|
|
fewer hops (4 rather than 6) between the client and server via the
|
|
rendezvous point
|
|
|
|
Rendezvous single onion services have a few benefits over single onion
|
|
services:
|
|
|
|
* A rendezvous single onion service can load-balance over multiple
|
|
rendezvous backends (see proposal #255)
|
|
* A rendezvous single onion service doesn't need an accessible ORPort
|
|
(it works behind a NAT, and in server enclaves that only allow
|
|
outward connections)
|
|
* A rendezvous single onion service is compatible with existing tor
|
|
clients, hidden service directories, introduction points, and
|
|
rendezvous points
|
|
|
|
Rendezvous single onion services have a few drawbacks over single onion
|
|
services:
|
|
|
|
* Connection latency is higher, as one-hop circuits are built to the
|
|
introduction and rendezvous points. Single onion services perform one
|
|
extend to the single onion service's ORPort only
|
|
|
|
It should also be noted that, while single onion services receive many
|
|
incoming connections from different relays, rendezvous single onion
|
|
services make many outgoing connections to different relays. This should
|
|
be taken into account when planning the connection capacity of the
|
|
infrastructure supporting the onion service.
|
|
|
|
Rendezvous single onion services are not location hidden on the service
|
|
side, but clients retain all of the benefits and privacy of onion
|
|
services. (The rationale for the 'single' and 'double' nomenclature is
|
|
described in section 7.4 of proposal #252.)
|
|
|
|
We believe that it is important for the Tor community to be aware of the
|
|
alternative single onion service designs, so that we can reach consensus
|
|
on the features and tradeoffs of each design. However, we recognise that
|
|
each additional flavour of onion service splits the anonymity set of onion
|
|
service users. Therefore, it may be best for user anonymity that not all
|
|
designs are adopted, or that mitigations are implemented along with each
|
|
additional flavour. (See sections 8 & 9 for a further discussion.)
|
|
|
|
3. Onion descriptors
|
|
|
|
The rendezvous single onion descriptor format is identical to the double
|
|
onion descriptor format.
|
|
|
|
4. Reaching a rendezvous single onion service as a client
|
|
|
|
Clients reach rendezvous single onion services in an identical fashion
|
|
to double onion services. The rendezvous design means that clients do not
|
|
know whether they are talking to a double or rendezvous single onion
|
|
service, unless that service tells them. (This may be a security issue.)
|
|
|
|
However, the use of a four-hop path between client and rendezvous single
|
|
onion service may be statistically distinguishable. (See section 8 for
|
|
further discussion of security issues.)
|
|
|
|
(Please note that this proposal follows the hop counting conventions in the
|
|
tor source code. A circuit with a single connection between the client and
|
|
the endpoint is one-hop; a circuit with 4 connections (and 3 nodes) between
|
|
the client and endpoint is four-hop.)
|
|
|
|
5. Publishing a rendezvous single onion service
|
|
|
|
To act as a rendezvous single onion service, a tor instance (or cooperating
|
|
group of tor instances) must:
|
|
|
|
* Publish onion descriptors in the same manner as any onion service,
|
|
using three-hop circuits. This avoids service blocking by IP address.
|
|
Proposal #224 (next-generation hidden services) avoids blocking by
|
|
onion address.
|
|
* Perform the rendezvous protocol in the same manner as a double
|
|
onion service, but make the intro and rendezvous circuits one-hop.
|
|
(This may allow intro and rendezvous points to block the service.)
|
|
|
|
5.1. Configuration options
|
|
|
|
5.1.1 RendezvousSingleOnionServiceNonAnonymousServer
|
|
|
|
The tor instance operating a rendezvous single onion service must make
|
|
one-hop circuits to the introduction and rendezvous points:
|
|
|
|
RendezvousSingleOnionServiceNonAnonymousServer 0|1
|
|
If set, make one-hop circuits between the Rendezvous Single Onion
|
|
Service server, and the introduction and rendezvous points. This
|
|
option makes every onion service instance hosted by this tor instance
|
|
a Rendezvous Single Onion Service. (Default: 0)
|
|
|
|
Because of the grave consequences of misconfiguration here, we have added
|
|
'NonAnonymous' to the name of the torrc option. Furthermore, Tor MUST issue
|
|
a startup warning message to operators of the onion service if this feature
|
|
is enabled.
|
|
[Should the name start with 'NonAnonymous' instead?]
|
|
|
|
As RendezvousSingleOnionServiceNonAnonymousServer modifies the behaviour
|
|
of every onion service on a tor instance, it is impossible to run hidden
|
|
(double onion) services and rendezvous single onion services on the same
|
|
tor instance. This is considered a feature, as it prevents hidden services
|
|
from being discovered via rendezvous single onion services on the same tor
|
|
instance.
|
|
|
|
5.1.2 Recommended Additional Options: Correctness
|
|
|
|
Based on the experiences of Tor2Web with one-hop paths, operators should
|
|
consider using the following options with every rendezvous single onion
|
|
service, and every single onion service:
|
|
|
|
UseEntryGuards 0
|
|
One-hop paths do not use entry guards. This also deactivates the entry
|
|
guard pathbias code, which is not compatible with one-hop paths. Entry
|
|
guards are a security measure against Sybil attacks. Unfortunately,
|
|
they also act as the bottleneck of busy onion services and overload
|
|
those Tor relays.
|
|
|
|
LearnCircuitBuildTimeout 0
|
|
Learning circuit build timeouts is incompatible with one-hop paths.
|
|
It also creates additional, unnecessary connections.
|
|
|
|
Perhaps these options should be set automatically on (rendezvous) single
|
|
onion services. Tor2Web sets these options automatically:
|
|
UseEntryGuards 0
|
|
LearnCircuitBuildTimeout 0
|
|
|
|
5.1.3 Recommended Additional Options: Performance
|
|
|
|
LongLivedPorts
|
|
The default LongLivedPorts setting creates additional, unnecessary
|
|
connections. This specifies no long-lived ports (the empty list).
|
|
|
|
PredictedPortsRelevanceTime 0 seconds
|
|
The default PredictedPortsRelevanceTime setting creates additional,
|
|
unnecessary connections.
|
|
|
|
High-churn / quick-failover RSOS using descriptor competition strategies
|
|
should consider setting the following option:
|
|
|
|
RendPostPeriod 600 seconds
|
|
Refresh onion service descriptors, choosing an interval between
|
|
0 and 2*RendPostPeriod. Tor also posts descriptors on bootstrap, and
|
|
when they change.
|
|
(Strictly, 30 seconds after they first change, for descriptor
|
|
stability.)
|
|
|
|
XX - Reduce the minimum RendPostPeriod for RSOS to 1 minute?
|
|
XX - Make the initial post 30 + rand(1*rendpostperiod) ?
|
|
(Avoid thundering herd, but don't hide startup time)
|
|
|
|
However, we do NOT recommend setting the following option to 1, unless bug
|
|
#17359 is resolved so tor onion services can bootstrap without predicted
|
|
circuits.
|
|
|
|
__DisablePredictedCircuits 0
|
|
This option disables all predicted circuits. It is equivalent to:
|
|
LearnCircuitBuildTimeout 0
|
|
LongLivedPorts
|
|
PredictedPortsRelevanceTime 0 seconds
|
|
And turning off hidden service server preemptive circuits, which is
|
|
currently unimplemented (#17360)
|
|
|
|
5.1.4 Recommended Additional Options: Security
|
|
|
|
We recommend that no other services are run on a rendezvous single onion
|
|
service tor instance. Since tor runs as a client (and not a relay) by
|
|
default, rendezvous single onion service operators should set:
|
|
|
|
XX - George says we don't allow operators to run HS/Relay any more,
|
|
or that we warn them.
|
|
|
|
SocksPort 0
|
|
Disallow connections from client applications to the tor network
|
|
via this tor instance.
|
|
|
|
ClientOnly 1
|
|
Even if the defaults file configures this instance to be a relay,
|
|
never relay any traffic or serve any descriptors.
|
|
|
|
5.2. Publishing descriptors
|
|
|
|
A single onion service must publish descriptors in the same manner as any
|
|
onion service, as defined by rend-spec.
|
|
|
|
5.3. Authorization
|
|
|
|
Client authorization for a rendezvous single onion service is possible via
|
|
the same methods used for double onion services.
|
|
|
|
6. Related Proposals, Tools, and Features
|
|
|
|
6.1. Load balancing
|
|
|
|
High capacity services can distribute load and implement failover by:
|
|
* running multiple instances that publish to the same onion service
|
|
directories,
|
|
* publishing descriptors containing multiple introduction points
|
|
(OnionBalance),
|
|
* publishing different introduction points to different onion service
|
|
directories (OnionBalance upcoming(?) feature),
|
|
* handing off rendezvous to a different tor instance via control port
|
|
messages (proposal #255),
|
|
or by a combination of these methods.
|
|
|
|
6.2. Ephemeral single onion services (ADD_ONION)
|
|
|
|
The ADD_ONION control port command could be extended to support ephemerally
|
|
configured rendezvous single onion services. Given that
|
|
RendezvousSingleOnionServiceNonAnonymousServer modifies the behaviour of
|
|
all onion services on a tor instance, if it is set, any ephemerally
|
|
configured onion service should become a rendezvous single onion service.
|
|
|
|
6.3. Proposal 224 ("Next-Generation Hidden Services")
|
|
|
|
This proposal is compatible with proposal 224, with onion services
|
|
acting just like a next-generation hidden service, but making one-hop
|
|
paths to the introduction and rendezvous points.
|
|
|
|
6.4. Proposal 246 ("Merging Hidden Service Directories and Intro Points")
|
|
|
|
This proposal is compatible with proposal 246. The onion service will
|
|
publish its descriptor to the introduction points in the same manner as any
|
|
other onion service. Clients will use the merged hidden service directory
|
|
and introduction point just as they do for other onion services.
|
|
|
|
6.5. Proposal 252 ("Single Onion Services")
|
|
|
|
This proposal is compatible with proposal 252. The onion service will
|
|
publish its descriptor to the introduction points in the same manner as any
|
|
other onion service. Clients can then choose to extend to the single onion
|
|
service, or continue with the rendezvous protocol.
|
|
|
|
Running a rendezvous single onion service and single onion service allows
|
|
older clients to connect via rendezvous, and newer clients to connect via
|
|
extend. This is useful for the transition period where not all clients
|
|
support single onion services.
|
|
|
|
6.6. Proposal 255 ("Hidden Service Load Balancing")
|
|
|
|
This proposal is compatible with proposal 255. The onion service will
|
|
perform the rendezvous protocol in the same manner as any other onion
|
|
service. Controllers can then choose to handoff the rendezvous point
|
|
connection to another tor instance, which should also be configured
|
|
as a rendezvous single onion service.
|
|
|
|
7. Considerations
|
|
|
|
7.1 Modifying RendezvousSingleOnionServiceNonAnonymousServer at runtime
|
|
|
|
Implementations should not reuse introduction points or introduction point
|
|
circuits if the value of RendezvousSingleOnionServiceNonAnonymousServer is
|
|
different than it was when the introduction point was selected. This is
|
|
because these circuits will have an undesirable length.
|
|
|
|
There is specific code in tor that preserves introduction points on a HUP,
|
|
if RendezvousSingleOnionServiceNonAnonymousServer has changed, all circuits
|
|
should be closed, and all introduction points must be discarded.
|
|
|
|
7.2 Delaying connection expiry
|
|
|
|
Tor clients typically expire connections much faster than tor relays
|
|
[citation needed].
|
|
|
|
(Rendezvous) single onion service operators may find that keeping
|
|
connections open saves on connection latency. However, it may also place an
|
|
additional load on the service. (This could be implemented by increasing the
|
|
configured connection expiry time.)
|
|
|
|
7.3. (No) Benefit to also running a Tor relay
|
|
|
|
In tor Trac ticket #8742, running a relay and hidden onion service on the
|
|
same tor instance was disabled for security reasons. While there may be
|
|
benefits to running a relay on the same instance as a rendezvous single
|
|
onion service (existing connections mean lower latency, it helps the tor
|
|
network overall), a security analysis of this configuration has not yet
|
|
been performed. In addition, a potential drawback is overloading a busy
|
|
single onion service.
|
|
|
|
7.4 Predicted circuits
|
|
|
|
We should look whether we can optimize further the predicted circuits that
|
|
Tor makes as an onion service for this mode.
|
|
|
|
8. Security Implications
|
|
|
|
8.1 Splitting the Anonymity Set
|
|
|
|
Each additional flavour of onion service, and each additional externally
|
|
visible onion service feature, provides oportunities for fingerprinting.
|
|
|
|
Also, each additional type of onion service shrinks the anonymity set for
|
|
users of double onion (hidden) services who require server location
|
|
anonymity. These users benefit from the cover provided by current users of
|
|
onion services, who use them for client anonymity, self-authentication,
|
|
NAT-punching, or other benefits.
|
|
|
|
For this reason, features that shrink the double onion service anonymity
|
|
set should be carefully considered. The benefits and drawbacks of
|
|
additional features also often depend on a particular threat model.
|
|
|
|
It may be that a significant number of users and sites adopt (rendezvous)
|
|
single onion services due to their benefits. This could increase the
|
|
traffic on the tor network, therefore increasing anonymity overall.
|
|
However, the unique behaviour of each type of onion service may still be
|
|
distinguishable on both the client and server ends of the connection.
|
|
|
|
8.2 Hidden Service Designs can potentially be more secure
|
|
|
|
As a side-effect, by optimizing for performance in this feature, it
|
|
allows us to lean more heavily towards security decisions for
|
|
regular onion services.
|
|
|
|
8.3 One-hop onion service paths may encourage more attacks
|
|
|
|
There's a possible second-order effect here since both RSOS
|
|
and double onion services will have foo.onion addresses and it's
|
|
not clear based on the address which one the service uses:
|
|
if *some* .onion addresses are easy to track down, are we encouraging
|
|
adversaries to attack all rendezvous points just in case?
|
|
|
|
9. Further Work
|
|
|
|
Further proposals or research could attempt to mitigate the anonymity-set
|
|
splitting described in section 8. Here are some initial ideas.
|
|
|
|
9.1 Making Client Exit connections look like Client Onion Service Connections
|
|
|
|
A mitigation to this fingerprinting is to make each (or some) exit
|
|
connections look like onion service connections. This provides cover for
|
|
particular types of onion service connections. Unfortunately, it is not
|
|
possible to make onion service connections look like exit connections,
|
|
as there are no suitable dummy servers to exit to on the Internet.
|
|
|
|
9.1.1 Making Client Exit connections perform Descriptor Downloads
|
|
|
|
(Some) exit connections could perform a dummy descriptor download.
|
|
(However, descriptors for recently accessed onion services are cached, so
|
|
dummy downloads should only be performed occasionally.)
|
|
|
|
Exit connections already involve a four-hop "circuit" to the server
|
|
(including the connection between the exit and the server on the Internet).
|
|
The server on the Internet is not included in the consensus. Therefore,
|
|
this mitigation would effectively cover single onion services which are not
|
|
relays.
|
|
|
|
9.1.2 Making Client Exit connections perform the Rendezvous Protocol
|
|
|
|
(Some) exit connections could perform a dummy rendezvous protocol.
|
|
|
|
Exit connections already involve a four-hop "circuit" to the server
|
|
(including the connection between the exit and the server on the Internet).
|
|
Therefore, this mitigation would effectively cover rendezvous single onion
|
|
services, as long as a dummy descriptor download was also performed
|
|
occasionally.
|
|
|
|
9.1.3 Making Single Onion Service rendezvous points perform name resolution
|
|
|
|
Currently, Exits perform DNS name resolution, and changing this behaviour
|
|
would cause unacceptable connection latency. Therefore, we could make
|
|
onion service connections look like exit connections by making the
|
|
rendezvous point do name resolution (that is, descriptor fetching), and, if
|
|
needed, the introduction part of the protocol. This could potentially
|
|
*reduce* the latency of single onion service connections, depending on the
|
|
length of the paths used by the rendezvous point.
|
|
|
|
However, this change makes rendezvous points almost as powerful as Exits,
|
|
a careful security analysis will need to be performed before this is
|
|
implemented.
|
|
|
|
There is also a design issue with rendezvous name resolution: a client
|
|
wants to leave resolution (descriptor download) to the RP, but it doesn't
|
|
know whether it can use the exit-like protocol with an RP until it has
|
|
downloaded the descriptor. This might mean that single onion services of
|
|
both flavours need a different address style or address namespace. We could
|
|
use .single.onion or something. (This would require an update to the HSDir
|
|
code.)
|
|
|
|
9.2 Performing automated and common queries over onion services
|
|
|
|
Tor could create cover traffic for a flavour of onion service by performing
|
|
automated or common queries via an onion service of that type. In addition,
|
|
onion service-based checks have security benefits over DNS-based checks.
|
|
See Genuine Onion, Syverson and Boyce, 2015, at
|
|
http://www.nrl.navy.mil/itd/chacs/syverson-genuine-onion-simple-fast-flexible-and-cheap-website-authentication
|
|
|
|
Here are some examples of automated queries that could be performed over
|
|
an onion service:
|
|
|
|
9.2.1 torcheck over onion service
|
|
|
|
torcheck ("Congratulations! This browser is configured to use Tor.") could
|
|
be retrieved from an onion service.
|
|
|
|
Incidentally, this would resolve the exitmap issues in #17297, but it
|
|
would also fail to check that exit connections work, which is important for
|
|
many Tor Browser users.
|
|
|
|
9.2.2 Tor Browser version checks over onion service
|
|
|
|
Running tor browser version checks over an onion service seems to be an
|
|
excellent use-case for onion services. It would also have the Tor Project
|
|
"eating its own dogfood", that is, using onion services for its essential
|
|
services.
|
|
|
|
9.2.3 Tor Browser downloads over onion service
|
|
|
|
Running tor browser downloads over an onion service might require some work
|
|
on the onion service codebase to support high loads, load-balancing, and
|
|
failover. It is a good use case for a (rendezvous) single onion service,
|
|
as the traffic over the tor network is only slightly higher than for
|
|
Tor Browser downloads over tor. (4 hops for [R]SOS, 3 hops for Exit.)
|
|
|
|
9.2.4 SSL Observatory submissions over onion service
|
|
|
|
HTTPS certificates could be submitted to HTTPS Everywhere's SSL Observatory
|
|
over an onion service.
|
|
|
|
This option is disabled in Tor Browser by default. Perhaps some users would
|
|
be more comfortable enabling submission over an onion service, due to the
|
|
additional security benefits.
|
|
|