freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Enable Tor Proof-of-Work defenses for Onion Services #6933

Closed legoktm closed 4 months ago

legoktm commented 1 year ago

See https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/ for details on the feature itself.

https://community.torproject.org/onion-services/advanced/dos/ contains documentation on the different configuration options we need to set.

One catch is that the PoW puzzles are LGPL, so a new --enable-gpl flag needs to be set at build time. There are 0.4.8.4 packages on deb.torproject.org now, but they don't have the GPL bits enabled, so we might need to do our own builds. I've commented on https://forum.torproject.org/t/proof-of-work-pow-defense-for-onion-service-is-released/8887 asking if they're going to provide GPL builds (my comment is still pending moderation).

In checklist form:

zenmonkeykstop commented 1 year ago

Looks like efforts to build with --enable-gpl are in progress: https://gitlab.torproject.org/tpo/core/debian/tor/-/commit/2ed69025aba31eb16c90c0782e756158edfeca4a

prateekj117 commented 9 months ago

@zenmonkeykstop I think for this one, we mainly only need to add the config params in the torrc file. Let me know when we decide on the values and I can help with that!

zenmonkeykstop commented 9 months ago

@prateekj117 there is probably a bit more there to do, as I'd expect this would be an optional setting that admins could enable/disable - and we'd have to apply it cleanly to existing instances. But very open to any thoughts/research you may have on appropriate parameters, I haven't looked to see how it's been working out for other onion service operators so far.

zenmonkeykstop commented 8 months ago

some useful docs here: https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ#configuring-an-onion-service-with-the-pow-protection

The default config looks like this (added as part of a hidden service stanza):

HiddenServicePoWDefensesEnabled 1
# HiddenServicePoWQueueRate 250
# HiddenServicePoWQueueBurst 2500

PoWQueueRate is "The sustained rate of rendezvous requests to dispatch per second from the priority queue," so lower implies slower queue movement and more difficult client puzzles (0 just turns off queueing altogether, and it has no impact if PoW is disabled).

PoWQueueBurst is "The maximum burst size for rendezvous requests handled from the priority queue at once," so again lower => slower.

As per @legoktm's take, this would be applied on non-auth services only (so just the SI). Thinking on approaches to this from UX perspective:

add in sdconfig step.

this is relatively straightforward - there would be additional options to toggle PoW and set queue params in sdconfig, they'd get stored in site-specific, and configured as part of a subsequent ./securedrop-admin install run. The major downside here is that install runs can take a long while, and touch everything.

add a ./securedrop-admin pow-defenses command

This could look something like:

One extra-credit thing we could do here is actually check if the Tor version on the server supports PoW before configuring anything. Currently GPG-compatible Tor versions do; this may change in the future or we may end up pushing a package without PoW support in error.

both!
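
A sketch of the two checks discussed in the comment above: confirm the Tor build supports PoW, then set the directives in one onion service stanza only, so that re-running it on an existing instance changes nothing. This is an added example, not code from this thread or from SecureDrop. It assumes `tor --list-modules` prints a `pow: yes` line on builds with PoW support; the function names, sample output and `HiddenServiceDir` paths are hypothetical.

```python
import re

# Constructed sample of `tor --list-modules` output (assumed "name: yes|no" format).
SAMPLE_MODULES = "relay: yes\ndirauth: yes\ndircache: yes\npow: yes\n"

# Constructed torrc; both HiddenServiceDir paths are placeholders.
SAMPLE_TORRC = """\
SocksPort 0
HiddenServiceDir /var/lib/tor/services/EXAMPLE-source
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/services/EXAMPLE-journalist
HiddenServicePort 80 127.0.0.1:8080
"""

def pow_supported(list_modules_output):
    """True only if the build reports the pow module as enabled."""
    return re.search(r"^pow:\s*yes\s*$", list_modules_output, re.M) is not None

def enable_pow(torrc, service_dir, rate=None, burst=None):
    """Return torrc with PoW directives set in the service_dir stanza only."""
    wanted = ["HiddenServicePoWDefensesEnabled 1"]
    if rate is not None:
        wanted.append(f"HiddenServicePoWQueueRate {rate}")
    if burst is not None:
        wanted.append(f"HiddenServicePoWQueueBurst {burst}")
    out, in_target, found = [], False, False
    for line in torrc.splitlines():
        fields = line.split()
        key = fields[0].lower() if fields else ""
        if key == "hiddenservicedir":
            # A stanza runs from one HiddenServiceDir line to the next.
            in_target = fields[1:] == [service_dir]
            out.append(line)
            if in_target:
                found = True
                out.extend(wanted)  # fresh settings go right after the Dir line
            continue
        if in_target and key.startswith("hiddenservicepow"):
            continue  # drop stale PoW lines so repeated runs are idempotent
        out.append(line)
    if not found:
        raise ValueError(f"no HiddenServiceDir stanza for {service_dir}")
    return "\n".join(out) + "\n"
```

A caller would run `pow_supported` on the server's real `tor --list-modules` output first and leave the torrc untouched when it returns false.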

cfm commented 4 months ago

I have this running on my QA instance from https://github.com/freedomofpress/securedrop/compare/ef9aad6^..9fd6f7e, defaulting to enabled on new securedrop-admin {sdconfig,install} runs.