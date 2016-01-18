Hacker News
Tor in a safer language: Network team update from Amsterdam (torproject.org)
98 points by QUFB 1 hour ago | 25 comments

When I read 'safer language', 'Rust' came to mind automatically. Not sure if 'Rust' will ever be as popular as golang but certainly see a future with it popping up everywhere mission critical / super safe software is required.

reply


As a mere average user of computer languages, every time I play around with Go I start wondering how a language like this became so popular.

It feels like it was invented in a universe where Haskell, OCaml, Erlang, Smalltalk, Lisp and so many more languages and research in languages never happened.

reply


Sometimes I think the syntactical difference of functional languages alone is the reason they're unpopular.

Iterative languages seem to match more closely how people speak/think in verbal language.

reply


This is either a horribly timed announcement or a joke written very seriously. I have no idea which.

reply


This is exciting not only because of the Tor project itself but because this will set an example for other projects to follow.

reply


This also creates an opportunity to engage Mozilla in contributing.

reply


If any of the developers are reading this, converting the existing C code to SaferCPlusPlus[1] (a memory safe subset of C++) is probably a more expedient solution (if that's what they're looking for). (And speaking of contributing, an automatic translation (assistance) tool is in early development, and could maybe be functional in short order with a little extra motivated talent... :)

[1] shameless plug: https://github.com/duneroadrunner/SaferCPlusPlus

reply


This seems to be today's most believable April 1st joke.

reply


I am curious why they were advised not to use Go. Probably not a safety concern.

Edit: cgo != Go. Thanks for the responses. I have done a bit of Go, but just pure Go.

reply


They were not advised against Go but against cgo. Part of what they want is incremental conversion and cgo is at the same time not-go[0], costly[1] and complex[2], and then you still need to manage the Go runtime (GC & al) from within your C system. That makes integrating the two difficult, especially when you want to replace the existing system piecemeal.

A pure-Go rewrite might be an option (in fact Tor seems pretty firmly in Go's use cases), but that's not what the Tor team is trying to do.

[0] https://dave.cheney.net/2016/01/18/cgo-is-not-go

[1] a cgo->c call is ~100 times more expensive than a go->go call, and ~400 times more expensive than a c->c or rust->c call https://www.reddit.com/r/golang/comments/3oztwi/from_python_...

[2] https://www.cockroachlabs.com/blog/the-cost-and-complexity-o...

reply


Go needs a garbage collector that needs to be set up. Using Go code within C code is possible, but it creates additional hurdles.

Therefore a slow transition of rewriting parts of the code in a safer language and having the core still in C is much less feasible with Go. With Rust you can more easily just compile some object files and link them into your application.

reply


They were advised against cgo. In my not so recent experience, it is a huge PITA.

reply


Go and Rust are very different languages. Rust is, by design, well-suited to Tor's use case, where they have a large C or C++ program and they need to incrementally rewrite parts of it (and maybe never all of it!) in a better language.

It turns out (or so I hear) that Google statically links everything in production, and has been using C++ as a language to implement HTTP endpoints for a long time. So Go is a better C++ for what they want out of a better C++; for the rest of us, it looks more like a compiled language along the lines of Python/Ruby/etc. with a nice deployment story. If you want that out of your better C++, Go is great. If you want to reimplement all of Tor from scratch, Go certainly seems like a reasonable choice.

But as a result of these priorities, Go basically doesn't have interoperability with the platform ABI as a goal. (For some combination of historical reasons and the lack of complicated features in C, the platform ABI on just about every platform these days is a C ABI.) Rust does; it uses a standard compiler toolchain (LLVM) instead of what's basically a custom one (Plan 9), and the standard toolchain knows how to generate calls that follow the C ABI. Rust doesn't have a runtime of its own, and it's safe to directly call into a Rust program from some arbitrary point in a C program. Rust's allocator doesn't care if you do stupid things with pointers it allocates, as long as you give them back eventually. Rust doesn't create threads on its own unless you ask. Rust functions use the normal stack. Rust on UNIX uses the platform libc. And so forth.

It's possible to call C code from Go and vice versa, just as it's possible to call C code from Python and vice versa. But Go is not the best tool for this particular job.

reply
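
Added example (not part of any comment in this thread, and not Tor's code): a sketch of the incremental-rewrite pattern the comments above describe, where a Rust function is exported with the C ABI so existing C code can link against it and call it directly. The frame format, `parse_frame`, `FrameInfo` and the error constants are hypothetical names constructed for illustration.

```rust
// Added example: a hypothetical frame format (1-byte type, 2-byte big-endian
// payload length, payload). Not Tor's cell format and not Tor's code.
use std::slice;

/// Result struct with C layout so the C caller can read it directly.
#[repr(C)]
#[derive(Debug, Default, Clone, Copy, PartialEq)]
pub struct FrameInfo {
    pub kind: u8,
    pub payload_off: usize, // offset of the payload inside the caller's buffer
    pub payload_len: usize,
}

pub const FRAME_OK: i32 = 0;
pub const FRAME_ERR_NULL: i32 = -1;
pub const FRAME_ERR_TRUNCATED: i32 = -2;

/// Safe core: every slice access is bounds-checked.
fn parse(buf: &[u8]) -> Result<FrameInfo, i32> {
    let hdr = buf.get(..3).ok_or(FRAME_ERR_TRUNCATED)?;
    let payload_len = u16::from_be_bytes([hdr[1], hdr[2]]) as usize;
    // A length field larger than the data received is rejected, not trusted.
    buf.get(3..3 + payload_len).ok_or(FRAME_ERR_TRUNCATED)?;
    Ok(FrameInfo { kind: hdr[0], payload_off: 3, payload_len })
}

/// C-ABI entry point. The matching C declaration would be:
///   int32_t parse_frame(const uint8_t *buf, size_t len, struct frame_info *out);
#[no_mangle]
pub unsafe extern "C" fn parse_frame(buf: *const u8, len: usize, out: *mut FrameInfo) -> i32 {
    if buf.is_null() || out.is_null() {
        return FRAME_ERR_NULL;
    }
    // The only unsafe step: trusting the caller's (pointer, length) pair.
    let data = slice::from_raw_parts(buf, len);
    match parse(data) {
        Ok(info) => { *out = info; FRAME_OK }
        Err(code) => code,
    }
}

fn main() {
    let wire = [0x02u8, 0x00, 0x04, b'd', b'a', b't', b'a']; // constructed sample
    let mut info = FrameInfo::default();
    let rc = unsafe { parse_frame(wire.as_ptr(), wire.len(), &mut info) };
    println!("rc={} info={:?}", rc, info);
}
```

Built as a `staticlib` or `cdylib` crate, the exported symbol links into a C program like any other object file; no runtime has to be started first.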


Here's what I'd have told them:

https://news.ycombinator.com/item?id=14013617

reply


I don't know much about Tor. But I hope I can route all of my home network traffic through it. That or route everything through VPN. I'll bet you can guess why I'm suddenly interested.

reply


Founder of https://easyvpnrouter.com/. Ask me anything, or how to build one yourself if you want a project.

reply


You really don't want to do that. Any exit node could be recording or tampering with your network traffic, e.g. using sslstrip or worse.

reply


Couple of things. With Tor, you cannot control your exit in a sense. Since some websites are really shoddy (a lot of application portals are) and don't have / support SSL, you would be transmitting your entire application profile through TOR unencrypted. Somehow, I trust my ISP more than some random TOR exit when it comes to this.

Second, many websites (sadly) do not work if you are using a VPN (like Netflix).

reply


You can, but it's not really nice, because TOR is relatively slow; it only makes sense for heavily text-based sites and not images/video etc.

reply


*This and almost every CDN starts popping up 'Captchas', at least the last time I tried. I find it easier to set up a VPN server and use one.

reply


Since bitexploder asked, I'll add what I wrote on this on other forums. If it's about secrets or anonymity, make sure you always use a safe language that supports careful control and reasoning about both memory and CPU time. The reason is that this enables covert channel analysis for vulnerabilities that leak secrets through storage and timing. It's why I wanted Freenet to ditch Java aside from the obvious reasons. It's also why GC languages such as Go are better not used. Although, memory management where programmer controls timing & it's simple to analyze might be used. Reference counting comes to mind.

The other thing you want is proven, successful use in high-assurance systems. That is, systems that either didn't fail or provably couldn't in certain ways. These are almost all written in a subset of C or Ada/SPARK. The advantage of using those is you can combine them with a vast array of proprietary or open-source tooling to catch about any error you can think of if it's implementation. There's also formal specification and protocol analysis tools that combined with expert review can catch the rest. Rust, although a good choice for increased safety/security, doesn't have such tooling yet. That means they will get less correctness overall and over time vs MISRA-C or Ada/SPARK unless similar ecosystem in industry and CompSci emerges for Rust. That's why I recommend against it for high-assurance security for now.

It does seem good for medium-assurance security where you want to knock out low hanging fruit in systems code. It will avoid serious errors in C while providing additional benefits with type system and other features. Ada 2012 + SPARK 2014 are the standard for safe systems since they systematically eliminate all kinds of errors with a consistent design and tooling with decades of field success. I haven't seen a direct comparison with Rust on each protection to see if it matches it already or not. The main advantages Rust has over them are its borrow-checker for temporal safety, more usable method for safe concurrency, and (best for last) highly-active community to provide libraries or help. Go has similar benefits if its GC works with your use case but a lower learning curve & possibly lower efficiency. Due to ecosystem benefits, these are main two I'm recommending for medium assurance if Ada/SPARK are too much to learn.

reply


It's unlikely that the cost of whole-program side channel resistance is worth it for an application like Tor. Side-channel-resistant cryptography is almost certainly sufficient for most reasonable threat/cost models.

reply


I'm disappointed they did not consider COBOL given its vast superiority and flawless track record for April first rewrites.

reply


Fri Mar 31 21:23:27 UTC 2017

reply


I believe there is a crate they can use to prevent date bound out of bounds fun leaks. (can't find the link atm)

reply



