Date: Mon, 9 Feb 2015 21:17:16 -0500
From: Roger Dingledine <arma@mit.edu>
To: tor-talk@lists.torproject.org
Message-ID: <20150210021715.GJ37920@moria.seul.org>
Subject: Re: [tor-talk] Using Tor Hidden Services as Time Source

On Fri, Feb 06, 2015 at 10:41:46PM +0000, Patrick Schleizer wrote:
> We want to get rid of SSL and make use of the strong security properties
> of Tor's end-to-end encryption for Hidden Services in order to safeguard
> against clearnet SSL MITM attacks, which are within reach of powerful
> adversaries.
> 
> Our plan is to contact hidden service operators, adding multiple
> trustworthy hidden services to the list for both redundancy and load
> distribution. Our estimated user base is 5000. The requests will only
> involve fetching an HTTP header from the server, similar to `curl --head
> atlas777hhh7mcs7.onion`.
> 
> Before simply implementing this feature and hoping Tor handles the load
> without issue, we'd like expert (deep knowledge of Tor internals,
> network size, paths, etc) and (hopefully) official responses to our idea.

Hi Patrick,

The first problem you're going to have here is that hidden services
don't work unless your time is approximately correct. So you will have a
chicken-and-egg problem using them to get an accurate time if you don't
already have one.

I really think the right thing to do is to teach Tor how to export what
time it thinks it is (via the control port), and to teach Tor to go get
some extra opinions from the directory authorities if it suspects that
your time is wrong. These are those two tickets:
https://trac.torproject.org/projects/tor/ticket/2628
https://trac.torproject.org/projects/tor/ticket/3652
Tor relays know what time it is, and some of them are quite trusted and
trustworthy, and your Tor already talks to them and learns the time in
a secure way.

There's some design work to be done still though.

Also, there are apparently some bugs in Tor where if you start Tor with
a wrong clock, and then something externally fixes the clock to be right,
Tor doesn't notice, or doesn't notice for a while.
https://trac.torproject.org/projects/tor/ticket/8766
I've just explored that one a bit more and posted a partial fix, but
more issues likely remain.

--Roger
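
An added example, not part of the original message or of any project's code: one way to turn the HTTP Date headers described in the quoted proposal into a single clock offset, using a median and a quorum so that one wrong or dishonest source cannot move the result. The source names, thresholds and response headers are constructed for illustration, and the local clock readings are assumed to be close enough for the services to be reachable at all.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import median

def http_date(raw_headers):
    """Return the Date header of a raw HTTP response head as aware UTC, or None."""
    for line in raw_headers.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                return None
            # A naive result means no usable zone was given; reject it.
            return parsed.astimezone(timezone.utc) if parsed.tzinfo else None
    return None

def clock_offset(samples, max_spread=60.0, min_agree=3):
    """samples: (source, raw_headers, local_time_at_receipt) tuples.
    Returns (offset_seconds, rejected_sources); offset is None without quorum."""
    offsets, rejected = {}, []
    for source, raw, local in samples:
        remote = http_date(raw)
        if remote is None:
            rejected.append(source)
        else:
            offsets[source] = (remote - local).total_seconds()
    if not offsets:
        return None, rejected
    mid = median(offsets.values())
    agree = {s: o for s, o in offsets.items() if abs(o - mid) <= max_spread}
    rejected += [s for s in offsets if s not in agree]
    if len(agree) < min_agree:
        return None, rejected
    return median(agree.values()), rejected

def head(date):
    return "HTTP/1.1 200 OK\r\nServer: example\r\nDate: " + date + "\r\n\r\n"

# Constructed sample data: hypothetical sources, local clock 90 s slow.
LOCAL = datetime(2015, 2, 10, 2, 15, 46, tzinfo=timezone.utc)
SAMPLES = [
    ("source-a", head("Tue, 10 Feb 2015 02:17:16 GMT"), LOCAL),
    ("source-b", head("Tue, 10 Feb 2015 02:17:18 GMT"), LOCAL),
    ("source-c", head("Tue, 10 Feb 2015 02:17:15 GMT"), LOCAL),
    ("source-d", head("Tue, 10 Feb 2015 05:00:00 GMT"), LOCAL),   # far off
    ("source-e", "HTTP/1.1 200 OK\r\nServer: example\r\n\r\n", LOCAL),  # no Date
]
```

HTTP Date headers have one-second resolution and each fetch adds circuit latency, so the result is a coarse correction rather than a precise time.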


