Anonymity risks of 2 vs 3 hops



Having read the heated discussion regarding some people's suggestion
on the list to provide an option to reduce the number of hops in a
circuit, I'm curious about something and was wondering if someone
smarter than I could enlighten me.

Clearly smarter minds agree that 3 hops are necessary.  However, I'm
confused as to why, other than probability arguments.  Now I clearly
understand why 1 hop is bad.  However, with 2 instead of 3, I'm not
sure I see how it makes things that much worse.  I understand it makes
things a bit worse, but I don't understand how it makes things
overwhelmingly worse.

I understand that with 3 hops, the entry node and middle node have no
idea whether or not they are the beginning or middle of a circuit,
which means they can never assume that who they're sending information
to will be the exit.

I understand that when only 2 hops are used, an entry node actually
can assume that the traffic it relays will exit from the destination
it sends it to.  However, the entry node still doesn't know the final
destination, and the exit node doesn't know the origin.

Certainly a rogue entry node could be monitoring its outgoing Tor
traffic and correlating the destination information to, say, a website
owned by the operator to try and compromise people's anonymity.
Certainly this makes end-to-end monitoring a bit easier to accomplish
and correlate, but doesn't TOR already state that it makes no attempt
to protect from end-to-end monitoring attacks?

Clearly the experts think it makes things considerably easier here, so
maybe there's something I'm missing.  I appreciate all tutelage.

-- 
Sam Peterson
peabody@xxxxxxxxxxxxx
peabodyenator@xxxxxxxxx