namecoin / stemns Goto Github PK

View Code? Open in Web Editor NEW

7.0 5.0 9.0 89 KB

Implement Proposition 279 (Pluggable Naming) w/o changing Tor (Stem port)

Home Page: https://www.namecoin.org/

License: The Unlicense

Python 100.00%

tor hacktoberfest anonymity anticensorship civil-liberties dns free-speech human-rights internet-freedom pluggable

stemns's Introduction

Proposal 279

StemNS is an implementation of the "Tor side" of Proposal 279 ("naming layer API") so that actual naming plugins can be tested/prototyped "now" without changing Tor.

StemNS is a fork of the original TorNS by meejah, which is modified to use Stem instead of txtorcon, with some additional security features added.

Dependencies

Tor v0.4.5.1 Alpha or higher is preferred; older versions should still work.
Stem v1.9.0 or higher is preferred; older versions should still work.

Configuration and usage

StemNS loads configuration from the config directory. Example configurations are included; you can use them verbatim by renaming their extension from .py.example to .py. You can also use them as a guide to make your own configurations. You should include:

Any number of bootstrap configs.
- These are callbacks that run when Tor finishes bootstrap.
Any number of exit configs.
- These are callbacks that run when Tor disconnects its control port.
Exactly one port config.
- This is the Tor control port on localhost where StemNS connects to.
- Example configs are provided for system-wide Tor, Tor Browser, and ControlPort auto.
Any number of service configs.
- These are mappings between eTLD's and Prop279 providers.
- See "Name Resolution Services" below.

Tor must be configured with the following option before launching StemNS:

__LeaveStreamsUnattached 1

In a typical Tor Browser installation, torrc-defaults is the correct place to add this option. For Tor daemon installed in the system, the option can be added to /etc/tor/torrc.

If the flag is not enabled, StemNS will exit with an error.

Once the flag is enabled, the StemNS daemon must be running for Tor to work. The reason is that by default, with the flag disabled, Tor automatically attaches streams to circuits, but with the flag enabled, Tor instead waits for the controller (StemNS in this case) to attach them. StemNS does a REDIRECTSTREAM command on each .bit stream prior to attaching it to a circuit; this command is how it redirects .bit to .onion.

The choice to not make StemNS configure this option itself is deliberate; making StemNS configure the option itself would leave a short window during initial connect where name resolution is incorrectly forwarded to the exit relay, which would be a security issue.

Name resolution services

StemNS comes with two example name resolution services, invoked for resolving <something>.<service>.onion:

.pet.onion implemented in ns_petname.py resolves a predefined set of names (try, e.g., "http://txtorcon.pet.onion" in Tor Browser).
.demo.onion always remap to txtorcon's documentation hidden-service. So <anything>.demo.onion will redirect you to txtorcon's documentation.

You can implement custom services and add them via your own config files.

Naming Implementations

"banana" does naming based on /etc/hosts: https://github.com/pickfire/banana
"dns-prop279" does naming based on DNS TXT records: https://github.com/namecoin/dns-prop279
"ncprop279" does naming based on Namecoin: https://github.com/namecoin/ncprop279

License

Code specific to StemNS, and the code StemNS inherits from TorNS, is licensed under the Unlicense (see LICENSE). StemNS inherits some code from OnioNS-client, which is licensed under the Modified/New BSD License (see LICENSE.OnioNS).

StemNS is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

stemns's People

Contributors

Stargazers

Watchers

Forkers

jeremyrand radfish rllola yanmaani derbaltasar sts0mrg0 isabella232 raulmc123 xtrue999

stemns's Issues

Copy control connection management code from onion-grater

Currently, StemNS exits when the control port is disconnected. This is fine for Tor Launcher contexts, but is not desirable for service contexts such as Whonix, Tails, and winsvcwrap. It looks like onion-grater already has control connection management code that is reasonably battle-hardened; we should probably just copy that code.

Reject port 80 non-onion destinations

We should add an option (per eTLD) to reject destinations that are not .onion domains if they are using TCP port 80. This has the effect of guaranteeing that the eTLD will use a secure origin for HTTP traffic.

Consider renaming poc.py

The executable name poc.py is awful. It's legacy inherited from TorNS, and never should have entered production. I suspect that packagers will want it renamed. Perhaps stemns.py? Not sure what Debian's policies on capitalization are.

Investigate whether our Windows env workaround is a good idea

Spawned name services were breaking on Windows without 9d2a5c5 . We should figure out why upstream TorNS didn't pass-through env... was it intended to be a security feature?

Optionally resist fingerprinting

Tor Browser instances that use StemNS are vulnerable to fingerprinting, because a website can probe for StemNS-based eTLD's via subresource loading. This is arguably not a huge deal, since each supported naming system only adds 1 bit of fingerprintability. It is also arguably not a huge deal because we intend to make Namecoin support the default. However, IMO it's still a problem that we should fix, especially during the transitional period where Namecoin support isn't ubiquitous.

Tor Browser exposes the first-party eTLD+1 via the SOCKS username. We can thus resist fingerprinting like this:

If the SOCKS username eTLD matches the destination eTLD, resolve via Prop279 like we do now.
If the SOCKS username eTLD does not match the destination eTLD, leak the resolution to the exit relay (as though StemNS were not active).

This will prevent websites from fingerprinting StemNS-based eTLD's via subresource loading. It will not prevent websites from fingerprinting StemNS-based eTLD's via first-party redirects, but that's outside of Tor Browser's threat model anyway. It will cause some security degradation, in that websites with a DNS-based first-party domain who access subresources on Namecoin will be vulnerable to hijacking of those subresources by malicious exit relays.

Note that we do not simply return a resolution error in case 2, because that would be fingerprintable based on the delay taken for an error to happen while loading the subresource.

It should be noted that the .bit.onion eTLD will not have any security degradation from this, because Tor will see it as an invalid .onion domain, and not leak it to an exit relay. It should also be noted that .bit domains with TLS enabled will not be hijackable unless the exit relay is colluding with a compromised TLS CA, and ncp11 is not installed in Tor Browser. .bit domains that resolve via an IP address without TLS are vulnerable to hijacking either way, so that's not really a problem. The major source of security degradation is .bit domains that resolve via an onion service without TLS. I tend to think that the "right" way to handle this is to encourage usage of TLS with .bit domains, even when onion services are used (or else make it clear that .bit domains that resolve via non-TLS onion services should not be used as subresources of first-party non-.bit domains).

This behavior should be optional. Some users may prefer to never leak resolution to an exit relay, even if it makes fingerprinting easier.

StemNS interferes with directory fetching

When StemNS is active, Tor sometimes hangs during bootstrap (typically at Bootstrapped 40% (loading_keys): Loading authority key certs). This appears to be because StemNS tries to attach streams whose purpose is DIR_FETCH. Such streams are automatically attached by Tor even if __LeaveStreamsUnattached is set, which produces a race condition where the stream is attached twice.

# virtualenv venv
# source venv/bin/activate
# pip install --upgrade pip
# pip install stem
#
# Then you can run this:
# python3 poc.py

It has installed for me stem == 1.8.0 and it seems to fail silently when trying to compare the stream status

        if stream.status != stem.StreamStatus.CONTROLLER_WAIT:

Looking at the stem library I don't see a CONTROLLER_WAIT status? see documentation https://stem.torproject.org/api/control.html#stem.StreamStatus