[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Tor Connection Padding

The Tor connection padding part in the Whonix-Gateway Security page should be removed or redone.

It says that setting it to 1 helps against traffic analysis attacks and the System Hardening Checklist says that it improves anonymity but this isn’t true. Connection padding is enabled by default with the “auto” option. This makes it send padding cells if the client and relay support it. Setting it to “1” will make it send it anyway which is basically useless as the relay doesn’t support it.

https://2019.www.torproject.org/docs/tor-manual.html.en#ConnectionPadding

I doubt there will be any benefits by setting it to 1.

2 Likes

Any quote which make you conclude that?

1 Like

If the relay doesn’t support it then what benefit would it have?

It already does send padding cells if possible.

Most relays would use padding anyway unless they’re on a very outdated version of Tor.

1 Like

Perhaps more defensive against an adversary external to the Tor network, while not effective inside Tor if the relay doesn’t support it.

2 Likes

Wouldn’t an adversary see a few users sending those cells compared to the many others who don’t send them? Wouldn’t that decrease anonymity for those that do?

2 Likes

An adversary in that position (running Tor nodes) can do a lot more damage than just that. We have a position to increase security even if it will make Whonix users stand out more think all the kernel hardening and its effects on the network.

There is middle hop pinning too that helps against guard enumeration attacks. Don;'t know if that;s optional or not, if it is let’s do it.

2 Likes

If like that. What would the Tor Project’s rationale of adding such a feature?

1 Like

An adversary doesn’t need to run Tor nodes to see the cells. They can monitor the packets sent from X IP to X Tor node. Because most Tor users likely won’t force them this means the ones that have enabled this option will send more packets to relays that don’t support it than other Tor users, singleing that user out.

Not sure. There are many other options that can decrease security too.

1 Like

AFAIK connections to Tor relays are encrypted and opaque to outside observers. The cell signalling is only visible to Tor relays that act upon them. For example HS negotiation commands are not visible to your ISP but to relays which honor the request.

EDIT:
Newnym not a good example.

2 Likes

Newnym does not require the cooperation of any Tor relay. It is command understood by the Tor process which results in building another circuit for subsequent connections, except already established long-running connections (such as IRC).

2 Likes

But wouldn’t an adversary notice a difference in the intervals between sending packets or would that also be hidden?

Wouldn’t forcing them still bring no benefit and potentially single you out from the viewpoint of the entry node?

You said it may be helpful to adversaries external to Tor but you also said they couldn’t see the cells? How would that work?

1 Like

If by adversary you mean ISP (outside Tor) then no becuase Tor cells have always been externally padded. The new work is focused onprotecting users from rogue actors in the network.

Yes users with the non default setting will stand out to the entry guard, but there are more bad things it can do and there are more ways to figure out one is a Whonix user.

The cells have always been padded and encrypted so external observers can’t see what’s inside them.

Nonetheless if you think this is important enough please ask upstream for an opinion. I am not an expert by any means.

2 Likes

This isn’t applied by default so only a few Whonix users will use it, this puts them into a much smaller subset. The problem isn’t finding out they’re a Whonix user.

I know they can’t see inside them but can’t they see differences in network traffic from other Tor users?

And hence not :slight_smile:

1 Like

Next step required:

Asking The Tor Project about this.

Could you work on this one please? @HulaHoop

It’s for protection from external observers. Anyone watching a client to entry nodes should not be able to tell that the padding is forced. It does not apply as protection from relays.

Posted to tor-talk will link when it is approve

1 Like

https://lists.torproject.org/pipermail/tor-dev/2020-August/014421.html

1 Like

@HulaHoop - your follow up answer (looks like setting connection padding to 1 doesn’t make any difference)

https://lists.torproject.org/pipermail/tor-talk/2020-August/045634.html

On Sat, Aug 8, 2020 at 3:59 PM procmem at riseup.net wrote:

Hi. I was wondering if setting the connection padding setting in torrc
to 1 instead of auto has any benefit in protecting against a passive
adversary outside the Tor network.

I don’t think it’ll have much effect? The “auto” option means “pad
when padding is negotiated”; the “1” option means “pad even if the
relay doesn’t have padding support.” But all currently supported
relay versions ought to have padding support, so there shouldn’t be a
difference, in theory.

If I understand correctly (and Mike could correct me here), in its
current form, the ConnectionPadding option helps against ISPs who are
using common flow-logging settings on their internet routers, or
against after-the-fact adversaries who get access to these logs later
on. It isn’t so useful against an adversary who has set up better
logging in advance.

(Mike, did I get this right?)

cheers,

Nick

PS Good job on the Thunderbird email stuff.

2 Likes
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]