
Re: Circuits still shared?



On Sun, Feb 12, 2006 at 03:56:12AM -0600, Mike Perry wrote:
> Are multiple TCP connections still multiplexed across a single Tor
> circuit?

Yes.

> It would seem to me that this should be a serious compromise
> to anonymity. Frequently I am browsing sites that know who I am (or
> using AIM, etc) concurrent to accessing those that I'd prefer not to
> know me.

Right.

> From reading the FAQ entry
> http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RemainingAttacks
> it sounds like I am at risk for an exit server correlating the two
> traffic streams.

Yep.

> Are there any plans to disable this circuit sharing mechanism via a
> config option?

No, because a new circuit for every TCP connection is too expensive. For
example, you would open a new circuit for every little 1x1 pixel on the
cnn frontpage. This means it would dramatically slow down Tor for users,
and worse, the public key ops required for making these circuits would
overpower the CPUs of our volunteer servers.

But we've got a new tool for resolving this, if you want to start
experimenting. You can write a Tor controller that intercepts each stream
request and decides, for each destination, which circuit to use.

http://tor.eff.org/cvs/tor/doc/control-spec.txt
http://tor.eff.org/cvs/control/doc/howto.txt

And see Geoff's Blossom project for an example:
http://afs.eecs.harvard.edu/~goodell/blossom/

It may be best to first think hard about the tradeoffs of various
approaches to dividing streams over circuits, since optimizing for your
anonymity vs somebody else's donated CPU sounds like a pretty tough
graph to nail down. Let us know when you have some designs and we'll
start thinking about how to analyze and compare them.

--Roger
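
The stream-assignment decision such a controller makes, as an added example that is not part of the original message or of Tor's or Blossom's code: it parses `650 STREAM ... NEW` events and answers with `ATTACHSTREAM`, giving each site that knows the user its own circuit and sharing one circuit among everything else. It assumes Tor was told to leave streams unattached (`__LeaveStreamsUnattached=1` with `SETEVENTS STREAM`) and that the circuit IDs were already built; the class name, host names and IDs are constructed for illustration.

```python
import re

# Async control-port event for a new stream, per Tor's control-spec:
#   650 STREAM <StreamID> NEW <CircID> <host>:<port> [key=value ...]
STREAM_NEW = re.compile(r"^650 STREAM (\w+) NEW (\w+) (\S+):(\d+)(?: |$)")

class StreamIsolator:
    """Hypothetical policy: one circuit per identified site, one shared by the rest."""

    def __init__(self, identified_hosts, circuit_ids):
        self.identified = [h.lower() for h in identified_hosts]
        self.free = list(circuit_ids)   # assumed: circuits already built
        self.group_circ = {}            # isolation group -> circuit ID

    def group_for(self, host):
        host = host.lower()
        for known in self.identified:
            if host == known or host.endswith("." + known):
                return known            # sites that know who the user is
        return "anonymous"              # everything else shares one circuit

    def handle_event(self, line):
        """Return the control command for a new unattached stream, else None."""
        m = STREAM_NEW.match(line)
        if not m:
            return None
        stream_id, circ_id, host, _port = m.groups()
        if circ_id != "0":              # CircID 0 means not yet attached
            return None
        group = self.group_for(host)
        if group not in self.group_circ:
            if not self.free:
                raise RuntimeError("no spare circuit for group " + group)
            self.group_circ[group] = self.free.pop(0)
        return "ATTACHSTREAM %s %s" % (stream_id, self.group_circ[group])

# Constructed sample events, as they would arrive on the control connection.
SAMPLE_EVENTS = [
    "650 STREAM 11 NEW 0 login.example.com:443",
    "650 STREAM 12 NEW 0 news.example.org:80",
    "650 CIRC 5 BUILT",
    "650 STREAM 13 NEW 0 cdn.example.org:80",
    "650 STREAM 14 NEW 0 example.com:443",
]

def demo():
    iso = StreamIsolator(["example.com"], ["5", "7"])
    return [iso.handle_event(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    print(demo())
```

The number of circuits grows with the number of isolation groups rather than with the number of TCP connections, which is the cost tradeoff the message describes.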