[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] give us page numbers, cut some more

Update of /home2/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/home2/arma/work/onion/cvs/tor/doc/design-paper

Modified Files:
Log Message:
give us page numbers, cut some more

Index: challenges.tex
RCS file: /home2/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -d -r1.48 -r1.49
--- challenges.tex	8 Feb 2005 01:40:19 -0000	1.48
+++ challenges.tex	8 Feb 2005 01:57:19 -0000	1.49
@@ -30,7 +30,7 @@
   There are many unexpected or unexpectedly difficult obstacles to
@@ -891,16 +891,14 @@
 arrival times: as timing variance increases, timing correlation attacks
 require increasingly more data~\cite{e2e-traffic}. Can we improve Tor's
 resistance to these attacks without losing too much usability?
-%by introducing batching
-%and delaying strategies to the Tor messages?
 First, we need to learn whether we can trade a small increase in latency
 for a large anonymity increase, or if we'll end up trading a lot of
 latency for a small security gain. It would be worthwhile even if we
 can only protect certain use cases, such as infrequent short-duration
-transactions.  In order to answer this question, we might
-try to adapt the techniques of~\cite{e2e-traffic} to a lower-latency mix
-network, where instead of sending messages, users send batches
+transactions.  To answer this question, we might
+adapt the techniques of~\cite{e2e-traffic} to a lower-latency mix
+network, where the messages are batches
 of cells in temporally clustered connections.
 Once the anonymity questions are answered, we need to consider usability.  If
@@ -944,7 +942,6 @@
 we have always approached padding lest the overhead cost us too much
 performance or too many volunteers.
 \subsection{Measuring performance and capacity}
@@ -1114,7 +1111,6 @@
 of helper nodes. This insecurity means that they may not be suitable as
 a building block for Free Haven~\cite{freehaven-berk} or other anonymous
 publishing systems that aim to provide long-term security.
-%Also, they're brittle in terms of intersection and observation attacks.
 \emph{Hot-swap} hidden services, where more than one location can
 provide the service and loss of any one location does not imply a
@@ -1145,8 +1141,6 @@
 \subsection{Trust and discovery}
-[arma will edit this and expand/retract it]
 The published Tor design adopted a deliberately simplistic design for
 authorizing new nodes and informing clients about Tor nodes and their status.
 In the early Tor designs, all nodes periodically uploaded a signed description
@@ -1548,60 +1542,12 @@
-\section{Things to cut?}
-\subsection{Peer-to-peer / practical issues}
-[leave this section for now, and make sure things here are covered
-elsewhere. then remove it.]
-Making use of nodes with little bandwidth. How to handle hammering by
-certain applications.
-Handling nodes that are far away from the rest of the network, e.g. on
-the continents that aren't North America and Europe. High latency,
-often high packet loss.
+Making use of nodes with little bandwidth, or high latency/packet loss.
 Running Tor nodes behind NATs, behind great-firewalls-of-China, etc.
 Restricted routes. How to propagate to everybody the topology? BGP
 style doesn't work because we don't want just *one* path. Point to
 Geoff's stuff.
-\subsection{Caching stuff: If a topic's gotta go for space, I think this
-is the best candidate}
-The attacks in \cite{attack-tor-oak05} are also dependent on
-cooperation of the responding application or the ability to modify or
-monitor the responder stream, in order of decreasing attack
-effectiveness.  So, another way to slow some of these attacks
-would be to cache responses at exit nodes where possible, as it is with
-DNS lookups and cacheable HTTP responses.  Caching would, however,
-create threats of its own. First, a Tor network is expected to contain
-hostile nodes. If one of these is the repository of a cache, the
-attack is still possible. Though more work to set up a Tor node and
-cache repository, the payoff of such an attack is potentially
-%To be
-%useful, such caches would need to be distributed to any likely exit
-%nodes of recurred requests for the same data.
-%   Even local caches could be useful, I think. -NM
-%Added some clarification -PFS
-Besides allowing any other insider attacks, caching nodes would hold a
-record of destinations and data visited by Tor users reducing forward
-anonymity. Worse, for the cache to be widely useful much beyond the
-client that caused it there would have to either be a new mechanism to
-distribute cache information around the network and a way for clients
-to make use of it or the caches themselves would need to be
-distributed widely. Either way the record of visited sites and
-downloaded information is made automatically available to an attacker
-without having to actively gather it himself.  Besides its inherent
-value, this could serve as useful data to an attacker deciding which
-locations to target for confirmation. A way to counter this
-distribution threat might be to only cache at certain semitrusted
-helper nodes.  This might help specific clients, but it would limit
-the general value of caching.