Disable Guard usage for Tor2webMode.

Tor2webMode is fingerprintable by hidden services through repeated usage of the same three guard nodes for its rend and intro points.
2024-11-10 13:13:44 +01:00 · 2012-09-17 18:45:10 -07:00 · 2012-09-17 18:45:10 -07:00 · acda1735fd
commit acda1735fd
parent 704fd8bb02
2 changed files with 20 additions and 0 deletions
--- a/changes/bug6866
+++ b/changes/bug6866
@ -2,3 +2,7 @@
    - Convert an assert in the pathbias code to a log message. Assert
      appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
      bugfix on 0.2.3.17-beta.
+    - Disable the use of Guard nodes when in Tor2WebMode. Guard usage
+      by Tor2Web clients allows hidden services to identity tor2web
+      clients through their repeated selection of the same rendezvous
+      and introduction point circuit endpoints (their guards).
--- a/src/or/config.c
+++ b/src/or/config.c
@ -2522,6 +2522,22 @@ options_validate(or_options_t *old_options, or_options_t *options,
    options->LearnCircuitBuildTimeout = 0;
  }

+  if (options->Tor2webMode && options->UseEntryGuards) {
+    /* Tor2WebMode is incompatible with EntryGuards in two ways:
+     *
+     * - Tor2WebMode uses its guard nodes as rend and intro points.
+     *   This makes tor2web users fingerprintable by their continued
+     *   selection of the same 3 nodes for these circuits (their guard
+     *   nodes).
+     *
+     * - Tor2WebMode makes unexpected use of circuit path lengths
+     *   in ways that prevent us from applying the PathBias defense.
+     */
+    log_notice(LD_CONFIG,
+               "Tor2WebMode is enabled; disabling UseEntryGuards.");
+    options->UseEntryGuards = 0;
+  }
+
  if (!(options->LearnCircuitBuildTimeout) &&
        options->CircuitBuildTimeout < RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT) {
    log_warn(LD_CONFIG,