diff options
author | Roger Dingledine <arma@torproject.org> | 2008-07-02 23:00:54 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2008-07-02 23:00:54 +0000 |
commit | 2af7078663a03b7e3b76fc32e2f13c8e80b2bfe0 (patch) | |
tree | a3d04c85424cc093fe97960d91a9bd6ae6da5f2c /proposals/148-uniform-client-end-reason.txt | |
parent | 77ee247de2f368c57816e2cc5d9d747daf7e31d9 (diff) | |
download | torspec-2af7078663a03b7e3b76fc32e2f13c8e80b2bfe0.tar.gz torspec-2af7078663a03b7e3b76fc32e2f13c8e80b2bfe0.zip |
add new proposal 148-uniform-client-end-reason.txt
svn:r15612
Diffstat (limited to 'proposals/148-uniform-client-end-reason.txt')
-rw-r--r-- | proposals/148-uniform-client-end-reason.txt | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/proposals/148-uniform-client-end-reason.txt b/proposals/148-uniform-client-end-reason.txt new file mode 100644 index 0000000..0ccfcd2 --- /dev/null +++ b/proposals/148-uniform-client-end-reason.txt @@ -0,0 +1,58 @@ +Filename: 148-uniform-client-end-reason.txt +Title: Stream end reasons from the client side should be uniform +Version: $Revision$ +Last-Modified: $Date$ +Author: Roger Dingledine +Created: 2-Jul-2008 +Status: Open + +Overview + + When a stream closes before it's finished, the end relay cell that's + sent includes an "end stream reason" to tell the other end why it + closed. It's useful for the exit relay to send a reason to the client, + so the client can choose a different circuit, inform the user, etc. But + there's no reason to include it from the client to the exit relay, + and in some cases it can even harm anonymity. + + We should pick a single reason for the client-to-exit-relay direction + and always just send that. + +Motivation + + Back when I first deployed the Tor network, it was useful to have + the Tor relays learn why a stream closed, so I could debug both ends + of the stream at once. Now that streams have worked for many years, + there's no need to continue telling the exit relay whether the client + gave up on a stream because of "timeout" or "misc" or what. + + Then in Tor 0.2.0.28-rc, I fixed this bug: + - Fix a bug where, when we were choosing the 'end stream reason' to + put in our relay end cell that we send to the exit relay, Tor + clients on Windows were sometimes sending the wrong 'reason'. The + anonymity problem is that exit relays may be able to guess whether + the client is running Windows, thus helping partition the anonymity + set. Down the road we should stop sending reasons to exit relays, + or otherwise prevent future versions of this bug. + + It turned out that non-Windows clients were choosing their reason + correctly, whereas Windows clients were potentially looking at errno + wrong and so always choosing 'misc'. + + I fixed that particular bug, but I think we should prevent future + versions of the bug too. + + (We already fixed it so *circuit* end reasons don't get sent from + the client to the exit relay. But we appear to be have skipped over + stream end reasons thus far.) + +Design: + + One option would be to no longer include any 'reason' field in end + relay cells. But that would introduce a partitioning attack ("users + running the old version" vs "users running the new version"). + + Instead I suggest that clients all switch to sending the "misc" reason, + like most of the Windows clients currently do and like the non-Windows + clients already do sometimes. + |