Tor Connection Padding

madaidan · June 1, 2019, 2:00pm

The Tor connection padding part in the Whonix-Gateway Security page should be removed or redone.

It says that setting it to 1 helps against traffic analysis attacks and the System Hardening Checklist says that it improves anonymity but this isn’t true. Connection padding is enabled by default with the “auto” option. This makes it send padding cells if the client and relay support it. Setting it to “1” will make it send it anyway which is basically useless as the relay doesn’t support it.

https://2019.www.torproject.org/docs/tor-manual.html.en#ConnectionPadding

I doubt there will be any benefits by setting it to 1.

Patrick · June 1, 2019, 4:46pm

Any quote which make you conclude that?

madaidan · June 1, 2019, 5:14pm

If the relay doesn’t support it then what benefit would it have?

It already does send padding cells if possible.

Most relays would use padding anyway unless they’re on a very outdated version of Tor.

HulaHoop · June 1, 2019, 9:04pm

Perhaps more defensive against an adversary external to the Tor network, while not effective inside Tor if the relay doesn’t support it.

madaidan · June 2, 2019, 1:59am

Wouldn’t an adversary see a few users sending those cells compared to the many others who don’t send them? Wouldn’t that decrease anonymity for those that do?

HulaHoop · June 2, 2019, 2:20am

An adversary in that position (running Tor nodes) can do a lot more damage than just that. We have a position to increase security even if it will make Whonix users stand out more think all the kernel hardening and its effects on the network.

There is middle hop pinning too that helps against guard enumeration attacks. Don;'t know if that;s optional or not, if it is let’s do it.

Patrick · June 2, 2019, 9:19am

If like that. What would the Tor Project’s rationale of adding such a feature?

madaidan · June 2, 2019, 9:46pm

An adversary doesn’t need to run Tor nodes to see the cells. They can monitor the packets sent from X IP to X Tor node. Because most Tor users likely won’t force them this means the ones that have enabled this option will send more packets to relays that don’t support it than other Tor users, singleing that user out.

Not sure. There are many other options that can decrease security too.

HulaHoop · June 2, 2019, 10:30pm

AFAIK connections to Tor relays are encrypted and opaque to outside observers. The cell signalling is only visible to Tor relays that act upon them. For example HS negotiation commands are not visible to your ISP but to relays which honor the request.

EDIT:
Newnym not a good example.

Patrick · June 2, 2019, 11:11pm

Newnym does not require the cooperation of any Tor relay. It is command understood by the Tor process which results in building another circuit for subsequent connections, except already established long-running connections (such as IRC).

madaidan · June 5, 2019, 6:37pm

But wouldn’t an adversary notice a difference in the intervals between sending packets or would that also be hidden?

Wouldn’t forcing them still bring no benefit and potentially single you out from the viewpoint of the entry node?

You said it may be helpful to adversaries external to Tor but you also said they couldn’t see the cells? How would that work?

HulaHoop · June 5, 2019, 8:02pm

If by adversary you mean ISP (outside Tor) then no becuase Tor cells have always been externally padded. The new work is focused onprotecting users from rogue actors in the network.

Yes users with the non default setting will stand out to the entry guard, but there are more bad things it can do and there are more ways to figure out one is a Whonix user.

The cells have always been padded and encrypted so external observers can’t see what’s inside them.

Nonetheless if you think this is important enough please ask upstream for an opinion. I am not an expert by any means.

madaidan · June 5, 2019, 8:14pm

This isn’t applied by default so only a few Whonix users will use it, this puts them into a much smaller subset. The problem isn’t finding out they’re a Whonix user.

I know they can’t see inside them but can’t they see differences in network traffic from other Tor users?

HulaHoop · June 6, 2019, 3:00am

And hence not

Patrick · June 10, 2019, 3:04pm

Next step required:

Asking The Tor Project about this.

Patrick · April 28, 2020, 12:12pm

Could you work on this one please? @HulaHoop

81a989 · August 1, 2020, 3:01pm

It’s for protection from external observers. Anyone watching a client to entry nodes should not be able to tell that the padding is forced. It does not apply as protection from relays.

HulaHoop · August 5, 2020, 12:21pm

Posted to tor-talk will link when it is approve

HulaHoop · August 7, 2020, 12:50pm

https://lists.torproject.org/pipermail/tor-dev/2020-August/014421.html

torjunkie · August 14, 2020, 7:05am

@HulaHoop - your follow up answer (looks like setting connection padding to 1 doesn’t make any difference)

https://lists.torproject.org/pipermail/tor-talk/2020-August/045634.html

On Sat, Aug 8, 2020 at 3:59 PM procmem at riseup.net wrote:

Hi. I was wondering if setting the connection padding setting in torrc
to 1 instead of auto has any benefit in protecting against a passive
adversary outside the Tor network.

I don’t think it’ll have much effect? The “auto” option means “pad
when padding is negotiated”; the “1” option means “pad even if the
relay doesn’t have padding support.” But all currently supported
relay versions ought to have padding support, so there shouldn’t be a
difference, in theory.

If I understand correctly (and Mike could correct me here), in its
current form, the ConnectionPadding option helps against ISPs who are
using common flow-logging settings on their internet routers, or
against after-the-fact adversaries who get access to these logs later
on. It isn’t so useful against an adversary who has set up better
logging in advance.

(Mike, did I get this right?)

cheers,

Nick

PS Good job on the Thunderbird email stuff.