The Tor connection padding part in the Whonix-Gateway Security page should be removed or redone.
It says that setting it to 1 helps against traffic analysis attacks and the System Hardening Checklist says that it improves anonymity but this isn’t true. Connection padding is enabled by default with the “auto” option. This makes it send padding cells if the client and relay support it. Setting it to “1” will make it send it anyway which is basically useless as the relay doesn’t support it.
I doubt there will be any benefits by setting it to 1.
Wouldn’t an adversary see a few users sending those cells compared to the many others who don’t send them? Wouldn’t that decrease anonymity for those that do?
An adversary in that position (running Tor nodes) can do a lot more damage than just that. We have a position to increase security even if it will make Whonix users stand out more think all the kernel hardening and its effects on the network.
There is middle hop pinning too that helps against guard enumeration attacks. Don;'t know if that;s optional or not, if it is let’s do it.
An adversary doesn’t need to run Tor nodes to see the cells. They can monitor the packets sent from X IP to X Tor node. Because most Tor users likely won’t force them this means the ones that have enabled this option will send more packets to relays that don’t support it than other Tor users, singleing that user out.
Not sure. There are many other options that can decrease security too.
AFAIK connections to Tor relays are encrypted and opaque to outside observers. The cell signalling is only visible to Tor relays that act upon them. For example HS negotiation commands are not visible to your ISP but to relays which honor the request.
Newnym does not require the cooperation of any Tor relay. It is command understood by the Tor process which results in building another circuit for subsequent connections, except already established long-running connections (such as IRC).
If by adversary you mean ISP (outside Tor) then no becuase Tor cells have always been externally padded. The new work is focused onprotecting users from rogue actors in the network.
Yes users with the non default setting will stand out to the entry guard, but there are more bad things it can do and there are more ways to figure out one is a Whonix user.
The cells have always been padded and encrypted so external observers can’t see what’s inside them.
Nonetheless if you think this is important enough please ask upstream for an opinion. I am not an expert by any means.
This isn’t applied by default so only a few Whonix users will use it, this puts them into a much smaller subset. The problem isn’t finding out they’re a Whonix user.
I know they can’t see inside them but can’t they see differences in network traffic from other Tor users?
It’s for protection from external observers. Anyone watching a client to entry nodes should not be able to tell that the padding is forced. It does not apply as protection from relays.
On Sat, Aug 8, 2020 at 3:59 PM procmem at riseup.net wrote:
Hi. I was wondering if setting the connection padding setting in torrc
to 1 instead of auto has any benefit in protecting against a passive
adversary outside the Tor network.
I don’t think it’ll have much effect? The “auto” option means “pad
when padding is negotiated”; the “1” option means “pad even if the
relay doesn’t have padding support.” But all currently supported
relay versions ought to have padding support, so there shouldn’t be a
difference, in theory.
If I understand correctly (and Mike could correct me here), in its
current form, the ConnectionPadding option helps against ISPs who are
using common flow-logging settings on their internet routers, or
against after-the-fact adversaries who get access to these logs later
on. It isn’t so useful against an adversary who has set up better
logging in advance.
