Connections drop on Tor 0.4.8.9

Patrick · November 25, 2023, 9:10am

Qubes bug report:

Tor 0.4.8.9 broken in combination with vanguards in Qubes Debian templates

opened 09:10AM - 25 Nov 23 UTC

T: bug P: default

### Qubes OS release Qubes R4.2 ### Summary Downloads over Tor (with va…nguards enabled) get interrupted after a few seconds. This bug was introduced between Tor version `0.4.7.16-1` (from Debian `bookworm` security repository) and Tor version `0.4.8.9-1~d12.bookworm+1` (from `deb.torproject.org`). I am certain that I could pinpoint it to it. The issue is only reproducible if `vanguards` is installed. The older Tor version from Debian `bookworm` security repository version `0.4.7.16-1` does not have this issue. ### Steps to reproduce: 1. Get Qubes. 2. Use a Qubes Debian `bookworm` Template. 3. Enable `deb.torproject.org` 4. `sudo apt update` 5. `sudo apt install --no-install-recommends vanguards tor` 6. Edit `/etc/tor/vanguards.conf` and change `control_socket =` to `control_socket = /run/tor/control` ([related ticket](https://github.com/mikeperry-tor/vanguards/issues/47)) 7. `sudo systemctl enable vanguards` ([potential Debian bug not being enabled by default](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948975)) 8. `sudo systemctl restart tor@default` 9. `sudo systemctl restart vanguards` 10. (In App Qube) 11. `torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.0.5/tor-browser-linux-x86_64-13.0.5.tar.xz` ### What is the current bug behavior? Connection drops after a bit of continued file downloads. torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.0.5/tor-browser-linux-x86_64-13.0.5.tar.xz ``` % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 3 107M 3 3624k 0 0 24100 0 1:17:51 0:02:34 1:15:17 29815 curl: (18) transfer closed with 108874640 bytes remaining to read zsh: exit 18 torsocks curl --fail --output /tmp/test.tar.xz ``` ### What is the expected behavior? No connection drops. ### Environment * Qubes R4.2 * Debian based App Qube * Tor version `0.4.8.9-1~d12.bookworm+1` * `deb.torproject.org` `bookworm` repository * vanguards version `0.3.1-2.3` from `packages.debian.org` Also reproducible in Qubes-Whonix and Non-Qubes-Whonix (Whonix for VirtualBox). I wasn't able to reproduce this yet on a real (non-Qubes) Debian `bookworm` yet. ### Additional information `sudo systemctl stop vanguards && sudo systemctl restart tor@default` fixes this issue. This shows that this issue is only happening if Tor is combined with vanguards. ### Tor bug Is this a Tor bug? Possibly, yes. Reported upstream: * https://gitlab.torproject.org/tpo/core/tor/-/issues/40892 * https://github.com/mikeperry-tor/vanguards/issues/100 Why am I reporting this against Qubes? Because in the past there was a similar Qubes bug: * https://github.com/QubesOS/qubes-issues/issues/2840 (a Qubes kernel upgrade randomly broke SSL connections) Since this issue is reproducible in VMs (Qubes Debian App Qube) and in VirtualBox (Whonix) but not reproducible on real (non-Qubes) Debian, this implies that this might be a Qubes specific issue. ### For issue tracking * cause by Whonix: no * except maybe if arguing vanguards should be installed but then still most likely no Whonix specific source code causing this * affects Qubes-Whonix yes:

apparatius · November 25, 2023, 9:19am

I’ve tested this in debian-12 VM in KVM and I can reproduce the issue.
Check if vanguards is running, the service is not enabled by default when it’s installed.
Also the issue seems to be occurring after some time will pass when you visit a few sites or wait a few minutes.

extraextra · November 25, 2023, 12:20pm

Maybe only VMs are causing this but hardware doesn’t?

tempest · November 26, 2023, 4:16pm

I can confirm that this is also an issue in KVM Whonix as well.

apparatius · November 27, 2023, 11:32am

I’ve reproduced this issue on bare metal debian as well.

c4c56543 · January 6, 2024, 10:36am

Any updates on the issue? I did not see progress on the bug reports since last month, however, the problem still persists and it makes Whonix completely unusable to be honest.

extraextra · January 6, 2024, 12:02pm

Then you’re suffering from this issue for no reason. Solution available for a long time already.

Patrick · February 12, 2024, 8:15am

No, not really. From public sources only. Quote from that Bug report:

Mike Perry assigned to @mikeperry 2 weeks ago

Mike Perry added Next label 2 weeks ago

Patrick · February 16, 2024, 5:54am

Patrick · February 17, 2024, 1:45pm

Newer Tor version and vanguards disabling is now in the testers repository.

misvan · September 19, 2024, 11:26pm

There was a recent incident where a Tor user (a bad one, but not relevant to the technical discussion) was deanonymized due to timing attacks. This was only possible because the police were able to trace the user’s connections back to the guard relay due to the lack of second-layer Tor relay protection (Vanguard), as he was using an outdated version of Ricochet without Vanguard enabled.

This shows that Vanguard is absolutely necessary to avoid being deanonymized on Tor. The deanonymization attack is still complicated and not trivial to pull off, but it is possible.

For this reason, I would like to ask what the current state of Whonix’s missing Vanguard problem is, and recommend that efforts to find a working solution be intensified. As far as I know, Whonix does not have Vanguard protection because it is no longer compatible. This cannot be the case with Vanguard-Lite, which is used in Tor Browser. So why not at least patch Vanguard-Lite back into Whonix?

At the same time, I hope Mr. Perry will step up his efforts on the “Next” label (which has been attached for 9 months now…).

You can find a recent blog post about the timing/deanonymization attack on the Tor Project website. I am not able to attach the link here, maybe an admin can do that. The blog post is titled: “Is Tor still safe to use?”

extraextra · September 20, 2024, 9:11am

Congratulations to the second duplicate of the same topic.

Because it already is.

misvan · September 20, 2024, 8:37pm

Thanks for your reply. I wasn’t aware of the other post. How can I verify that Vanguard-Lite is enabled? Also, does Vanguard-Lite work when I connect to bridges, or just in Tor’s default configuration?

extraextra · September 20, 2024, 9:51pm

If you need to ask such basic questions you will also unfortunately also lack the skills to do any meaningful analysis.

Wrong forum. You can ask Tor directly.

Patrick · September 20, 2024, 9:56pm

This issue was resolved. Closing.

For anything on vanguards, there is vanguards - Additional protections for Tor Onion Services.