Tor proxy bypass

[abmoka]

Using gridsync 0.4.1 with a paid s4 account on GNU/Linux (BuildID[sha1]=28ba79c778f7402713aec6af319ee0fbaf3a8014). Tor is enabled and there are direct connections from the gridsync application to Amazon ec2 to the host ec2-52-6-180-137.compute-1.amazonaws.com.. The host name wormhole.leastauthority.com resolves to 52.6.180.137 and resources/config.txt defines relay = ws://wormhole.tahoe-lafs.org:4000/v1 as the wormhole server. This IP and port match the Tor proxy bypass on my system:

gridsync  18326 user   72u  IPv4 698349      0t0  TCP 10.0.0.6:50130->52.6.180.137:4000 (ESTABLISHED)
gridsync  18326 user   79u  IPv4 700071      0t0  TCP 10.0.0.6:50132->52.6.180.137:4000 (ESTABLISHED)
gridsync  18326 user   81u  IPv4 699385      0t0  TCP 10.0.0.6:50108->52.6.180.137:4000 (ESTABLISHED)

I understand that Tor support is experimental and wanted to warn others that the rendezvous process, as well as Gridsync, does not appear to be protected by Tor at this time. This is persistent even when magic-wormhole isn't in active use. It appears after the use of magic-wormhole and it persists until restarting gridsync.

[abmoka]

There is at least one magic-wormhole bug that may be relevant for this condition: magic-wormhole/magic-wormhole#272

[crwood]

Hello @abmoka,

Thank you so much for reporting this. You're right that Tor support is currently experimental and for testing-purposes only (which is why enabling it requires all the additional/annoying confirmation steps) but I very much appreciate the extra eyes on this.. As you (probably) know, the feature has not yet been audited in Gridsync (or in Tahoe-LAFS or in magic-wormhole, as far as I know) and so any extra attention/testing surrounding this is extremely valuable. Thank you!

I'm loosely combing through the upstream magic-wormhole source code right now and it looks like merely instantiating a wormhole "Boss" object will also start a RendezvousConnector (which is news to me -- and which probably accounts for the connections to that server that you're seeing). In any case, I'll be taking a closer look at this shortly and will update this Issue with any further news/information (and hopefully also deploy a fix) ASAP.

Thanks again!

[abmoka]

Happy to help. I also found some confusing Tor daemon selection in #170.

Does Least Authority or Gridsync have a bug bounty for this or other security issues?

[crwood]

Okay, I dove into this a little further and can confirm and elaborate on the above: Gridsync/magic-wormhole does -- or, soon, did -- indeed open an early connection to the relay/rendezvous server during initialization. The good news, I suppose, is that the connection was an idle one that would not actually be used for completing the wormhole transmission/exchange in the event that Tor was enabled. In other words, enabling the Tor checkbox would still cause Gridsync to create/use a new, Tor-only wormhole for the entered code and tunnel all related/subsequent traffic through it (which explains why the first/idle connection to the relay/rendezvous server could linger/remain independently of the second/tor connection). In practice, this means that, so long as the "Connect over the Tor network" checkbox was indeed enabled, the other party to the wormhole exchange (e.g., Least Authority -- or Bob when sending a grid-invite or folder-invite to Alice) would not learn the IP address of the person entering the code. The operator of the relay/rendezvous server, on the other hand, would potentially see an independent/idle connection (that would disconnect later and never be used).

Anyway, PR #171 fixes this by preventing the underlying wormhole object from being created (and hence from connecting to the relay/rendezvous server) until the connection is actually required; an additional/early/idle connection should no longer be present. I'll cut a new release soon-ish with this fix in place (probably in about week or so as I'd like to do some more testing and have a few other things I'd like to land with it) and will list/thank you in the changelog (as long as you're okay with it, of course!). :)

Regarding bug bounties, I'm not entirely sure what Least Authority's policy would be for this, honestly, but I will pass this Issue up and along and see what I can find out.. In the meantime, there a way that we/they could contact you privately?

[abmoka]

Thank you for the prompt acknowledgement, very detailed root cause analysis, and of course thank you very much for the speedy fix.

Please credit this finding as:

82b13dff1b5fee62eaaff6d483da66bb792a73cd @ Akomba Labs

Regarding bug bounties, I'm not entirely sure what Least Authority's policy would be for this, honestly, but I will pass this Issue up and along and see what I can find out.. In the meantime, there a way that we/they could contact you privately?

security at akomba dot com

[crwood]

Thank you for the prompt acknowledgement, very detailed root cause analysis, and of course thank you very much for the speedy fix.

You're very welcome. And thank you for the report. I very much appreciate it!

Please credit this finding as:

82b13dff1b5fee62eaaff6d483da66bb792a73cd @ Akomba Labs

Done.

security at akomba dot com

Excellent. Thank you. I've already forwarded a link to this issue onward at Least Authority but will follow-up again now that your email is attached. If you don't hear back from anyone within whatever timeframe you deem reasonable, please don't hesitate to shoot a message to contactus at leastauthority.com

Thanks again!