64 lines
2.5 KiB
Markdown
64 lines
2.5 KiB
Markdown
# Connectivity
|
|
|
|
Cwtch makes use of Tor Onion Services (v3) for all inter-node communication.
|
|
|
|
We provide the [openprivacy/connectivity](https://git.openprivacy.ca/openprivacy/connectivity)
|
|
package for managing the Tor daemon and setting up and tearing down onion
|
|
services through Tor.
|
|
|
|
## Known Risks
|
|
|
|
### Private Key Exposure to the Tor Process
|
|
|
|
**Status: Partially Mitigated** (Requires Physical Access or Privilege Escalation to
|
|
exploit)
|
|
|
|
We must pass the private key of any onion service we wish to set up to the
|
|
connectivity library, through the `Listen` interface (and thus to the Tor
|
|
process). This is one of the most critical areas that is outside of our
|
|
control. Any binding to a rouge tor process or binary will result in
|
|
compromise of the Onion private key.
|
|
|
|
### Mitigations
|
|
|
|
Connectivity attempt to bind to the system-provided Tor process as the default,
|
|
*only* when it has been provided with an authentication token.
|
|
|
|
Otherwise connectivity always attempts to deploy its own Tor process
|
|
using a known
|
|
good binary packaged with the system (outside of the scope of the connectivity
|
|
package)
|
|
|
|
In the long term we hope an integrated library will become available and allow
|
|
direct management through an in-process interface to prevent the private key
|
|
from leaving the process boundary (or other alternative paths that allow us
|
|
to maintain full control over the private key in-memory.)
|
|
|
|
### Tor Process Management
|
|
|
|
**Status: Partially Mitigated** (Requires Physical Access or Privilege
|
|
Escalation to exploit)
|
|
|
|
Many issues can arise from the management of a separate process, including the
|
|
need to restart, exit and otherwise ensure appropriate management.
|
|
|
|
The [ACN](https://git.openprivacy.ca/openprivacy/connectivity/src/branch/master/acn.go)
|
|
interface provides `Restart`, `Close` and `GetBootstrapStatus` interfaces to
|
|
allow applications to manage the underlying Tor process. In addition the `SetStatusCallback`
|
|
method can be used to allow an application to be notified when the status of
|
|
the Tor process changes.
|
|
|
|
However, if sufficiently-privileged users wish they can interfere with this
|
|
mechanism, and as such the Tor process is a more brittle component
|
|
interaction than others.
|
|
|
|
## Testing Status
|
|
|
|
Current connectivity has limited unit testing capabilities and none of these
|
|
are run during pull requests or merges. There is no integration testing.
|
|
|
|
It is worth noting that connectivity is used by both Tapir and Cwtch in their
|
|
integration tests (and so despite the lack of package level testing, it is
|
|
exposed to system-wide test conditions)
|
|
|