Re: [tor-talk] Network diversity [was: Should I warn against Tor?]

[Jens Lechtenboerger <tortalk@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>]

On Sa, Jul 20 2013, Jens Lechtenboerger wrote: 

> On Fr, Jul 19 2013, Gregory Maxwell wrote: 
>
> > On Fri, Jul 19, 2013 at 10:03 AM, Jens Lechtenboerger 
> > <tortalk@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> 
> > wrote: 
> > > > but going much further than that may well decrease your 
> > > > security. 
> > >
> > > How, actually?  Iâm aware that what Iâm doing is a departure 
> > > from network diversity to obtain anonymity.  Iâm excluding 
> > > what I consider unsafe based on my current understanding.  It 
> > > might be that in the end Iâll be unable to find anything that 
> > > does not look unsafe to me.  I donât know what then. 
> >
> > Because you're lowering the entropy of the nodes you are 
> > selecting maybe all the hosts themselves are simply NSA 
> > operated, or if not now, they be a smaller target to 
> > compromise. 
>
> I donât buy the entropy argument.  If the NSA compromises Tor 
> nodes, wouldnât they target as many nodes as possible, 
> regardless of guard selection strategies? 
>
> Note that Iâm avoiding guards that they can monitor without 
> having compromised them. 

Let me expand upon that one.   Actually, Iâd like to consider two 
aspects separately: First, nodes may or may not be compromised. 
If they are, they should not be used by anyone.  Usually, we donât 
know, so we select randomly.  Of course, everybody may have more 
or less reason to trust individual operators or notâmy previous 
posts are unrelated to such reasoning.   Second, the *path* to a 
node may or may not be compromised.  Depending on where you live 
and where you connect to the Internet, different expectations 
apply.  This is the case Iâm talking about.  If I expect a path to 
be compromised then I donât want to use entry nodes that must use 
that path.  I donât care whether those nodes are compromised or 
not, they are out of scope.  Note that based on this criterion, 
Iâm probably using different guard nodes when I connect to the 
Internet
from different places.

To sum up: One-size-fits-all is not the best approach for node
selection.

So far, Iâve been arguing from a German perspective.  Letâs change
that.

Assume that you live under an oppressive regime that monitors
everything in your own country, and you use Tor to anonymize your
communication.  You must make sure that you always communicate via
foreign servers with your compatriots; otherwise, both ends of the
torified traffic are monitored in your country, and Tor fails.
You cannot avoid that your communication with your entry guard is
stored and analyzed.  Now, if Torâs standard path selection ever
chooses an exit node in your own country then also the exitâs
communication is stored and analyzed, and Tor fails.  Thus, you must
avoid national exits.  And you must avoid foreign exits with boomerang
routes into your own country.  (Itâs less obvious whether you should
avoid national guards.  Although those are monitored in your country
they offer protection against foreign adversaries if you care about
them.)

Finally, if you did not do so already ;) please re-read the previous
paragraph and pretend that I wrote âdemocratic governmentâ instead of
âoppressive regime.â

One-size-fits-all is not the best approach for node selection.

Best wishes
Jens
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk