Paying some attention to Arti.
“Rust is more secure than C. Despite our efforts, it’s all too simple to
mess up when using a language that does not enforce memory safety. We
estimate that at least half of our tracked security vulnerabilities would
have been impossible in Rust, and many of the others would have been very
unlikely.”
and also think of how it could replace the current Tor C implementation, in a “safe” way, eventually.
1 Like
After Arti 1.1.0, we’re going to focus on onion services in Arti 1.2.0. They’re a complex and important part of the Tor protocols, and will take a significant amount of effort to build. Making onion services work securely and efficiently will require a number of related protocol features, including support for congestion control, DOS protection, vanguards, and circuit padding machines.
After that, Arti 2.0.0 will focus on feature parity with the C tor client implementation, and support for embedding Arti in different languages. (Preliminary embedding work is promising: we have the beginnings of a VPN tool for mobile, embedding Arti in Java.) When we’re done, we intend that Arti will be a suitable replacement for C tor as a client implementation in all (or nearly all) use contexts.
Until a Debian package being available from deb.torproject.org and feature support such as onions and TransPort will probably take a while.
2 Likes
Quote David Goulet on Tor Project issue tracker:
It is not even clear that arti will actually have a ControlPort as we know it.
Quote Arti 1.1.5 is released: Onion Services, RPC, and a security patch | The Tor Project
work on a new RPC API (a successor to C Tor’s “control port”) that will give applications a safe and powerful way to work with Arti without having to write their code in Rust or link Arti as a library (unless they want to).
2 Likes
We probably shouldn’t wait to port to Arti until it fully replaces C-Tor. That would leave users using potentially unmaintained or less-maintained code for however long it takes us to port, which could take a long time depending on the complexity of everything. However, we can’t start porting until we have at least a bare minimum feature set. I went through our code and pieced together things from varying bits of documentation about Arti, this is what I currently think we’d need Arti to do versus what it already does.
- SOCKS proxy support.
- This is used by basically everything designed for or intentionally supporting Tor.
- Arti supports this.
- DNS support.
- Bridge support, for bypassing censorship.
- For feature parity with the part of C-Tor’s features we currently support, we would need obfs4, snowflake, and meek bridge support (according to tor-control-panel).
- Arti supports pluggable transports in general. Both obfs4proxy and snowflake-client are separate binaries from Tor in Whonix and should thus be transparently supported (possibly with some configuration work), but I cannot find the meek binary anywhere under
/usr in Whonix-Gateway 18, so I’m not sure if that will continue to work.
HTTP CONNECT proxy support. (EDIT: Not actually needed.)
I don’t think there’s actually anything in Whonix that uses this, but it was added for a reason, so presumably we want to keep it.
- Arti supports this, but in kind of a weird way; if you enable an
enable_http_connect setting, SOCKS proxy ports also double as HTTP proxy ports. I don’t expect this will be a problem for us.
- Transparent proxy support.
- Apps that aren’t aware of Tor needs to work within the workstation.
- I have not been able to find evidence that Arti supports this, and it may not be implemented in the future. The suggested workaround is to use onionmasq to create an entire network interface who’s traffic is tunneled over Tor, then route traffic through that. This sounds like it would probably work, and there is example config for it, but it’s also more complicated than what we have now.
- The ability to connect to onion services.
- The ability to host onion services.
- Control port like functionality.
- Many of our features rely on C-Tor’s control port to work. Arti uses an RPC mechanism instead. The best documentation I could find on the supported commands is at Arti RPC: methods and objects; it’s over a year old, but it does seem to more-or-less reflect the state of RPC in Arti at the moment based on what I found hunting through the Arti’s source code. Features we’d need are:
- Some way to create a new circuit on demand (needed for helper-scripts/usr/libexec/helper-scripts/tor_circuit_built_check.py at master · Kicksecure/helper-scripts · GitHub). This looks kinda supported; you can create an “isolated client” using
arti:new_isolated_client, any streams created with this “client” will not be shared with any other “client”. This then gives you an ObjectID that you can apparently “use as the target of a SOCKS stream” (I’m guessing that means that you can pass it as a username as documented here?), so presumably you could use that to force a new stream to be built to check if stream building works at all. But you (maybe?) need to initiate a connection to some online service via that ObjectID, which would probably be undesirable and unreliable…
- Maybe this isn’t really needed?
arti:get_client_status returns (among other things) a ready boolean, maybe this is more reliable than the equivalent that C-Tor provided?
- Some way to tell when the current Tor consensus starts and stops being valid (needed for helper-scripts/usr/libexec/helper-scripts/tor_consensus_valid-after.py at master · Kicksecure/helper-scripts · GitHub, helper-scripts/usr/libexec/helper-scripts/tor_consensus_valid-until.py at master · Kicksecure/helper-scripts · GitHub, and sdwdate/usr/lib/python3/dist-packages/sdwdate/timesanitycheck.py at master · Kicksecure/sdwdate · GitHub). This doesn’t seem to be supported.
- Some way to determine Arti’s bootstrap progress (needed for helper-scripts/usr/libexec/helper-scripts/tor_bootstrap_check.py at master · Kicksecure/helper-scripts · GitHub). This is supported via
arti:get_client_status.
- Some way to determine if a stream succeeded (needed by helper-scripts/usr/libexec/helper-scripts/tor_stream_success_check.py at master · Kicksecure/helper-scripts · GitHub). This doesn’t seem to be supported.
arti:get_client_status’s ready return may be useful here too.
- Some way to make all application requests go through new circuits (the equivalent of
SIGNAL NEWNYM, needed by tor-control-panel/usr/lib/python3/dist-packages/tor_control_panel/tor_control_panel.py at master · Kicksecure/tor-control-panel · GitHub). This doesn’t seem to be supported.
Some way to determine if Arti is allowing connections at all or not (needed by tor-control-panel/usr/lib/python3/dist-packages/tor_control_panel/tor_bootstrap.py at master · Kicksecure/tor-control-panel · GitHub and anon-connection-wizard/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py at master · Kicksecure/anon-connection-wizard · GitHub). (EDIT: not actually needed.) Unlike C-Tor, there doesn’t seem to even be a configuration option to disable network access in Arti, so presumably one can say “Arti running = network access allowed”, i.e. the ability to connect to the RPC port at all indicates that network access is allowed.
- Some way to tell Arti to allow connections if it isn’t already (needed by anon-connection-wizard/usr/lib/python3/dist-packages/anon_connection_wizard/anon_connection_wizard.py at master · Kicksecure/anon-connection-wizard · GitHub). This may require implementing something custom on our end; if the only way to prevent Arti from allowing connections is to terminate it, the only way to get it to start allowing connections is to start it, and obviously you can’t tell a not-running Arti to start itself unless you can talk to something other than Arti.
- Some way to get detailed information about active Tor circuits (needed by tor-ctrl/usr/bin/tor-ctrl-circuit at master · Kicksecure/tor-ctrl · GitHub). This doesn’t seem to be supported.
- Some way to monitor stream events (needed by tor-ctrl/usr/bin/tor-ctrl-observer at master · Kicksecure/tor-ctrl · GitHub and tor-ctrl/usr/bin/tor-ctrl-stream at master · Kicksecure/tor-ctrl · GitHub). This doesn’t seem to be supported.
- Some way to create and manage onion services (needed by tor-ctrl/usr/bin/tor-ctrl-onion at master · Kicksecure/tor-ctrl · GitHub). This doesn’t seem to be supported, but see the note below about being able to do this without RPC support potentially.
- Note that
tor-ctrl will end up going away; this is basically a Bash adapter for using the Tor control protocol more easily. If we need something like this for the Arti RPC protocol, we’ll probably need to use their RPC client library via Python and turn that into something you can access from Bash. The sub-programs of tor-ctrl mentioned above however should ideally keep working.
It’s worth noting that not all functionality that we previously used Tor’s control port for needs to be implemented in Arti; there is a feature of Arti that will hot-reload its configuration file if it notices a change, so we could implement our own cross-VM communications channel for making whitelisted changes to Arti’s config in a safe manner for things like setting up onion services.
Another question is how onion-grater would work with this. Arti might not need onion-grater anymore, since its RPC mechanism has the concept of a “superuser” mode and privileged and unprivileged commands. Depending on what is considered unprivileged, we might be able to just allow the workstation to directly access Arti, but not give it whatever it needs to run superuser-level commands. Note that right now no superuser-level RPC commands are implemented, or at least that’s what the docs say.
In summary, I think I could probably get a proof-of-concept made that uses Whonix with Arti; the basics would work, probably everything that uses the control port would not work. It’s not to the point where we could migrate to it though, even if we did have a deb package for it. It looks like it’s heading down a trajectory that will work for us eventually.
3 Likes
Great!
Not important. History:
Tor can now serve as http proxy - HTTPTunnelPort
Some applications use Tor control protocol. Most of them are opt-in and related to their use of Tor onion. One exception is Tor Browser, which uses this for signal newnym.
Not a blocker as this feature is broken also in C-Tor. History:
Connect to public Tor network by default / avoid Anon Connection Wizard (ACW) popup at first boot
1 Like
We’re using Tor 0.4.9.8 according to Nyx on my sys-whonix VM, so I think we’re safe there.
1 Like
True, I was going to mention that but then forgot.
2 Likes