
Re: all traffic through a VPN on top of tor, done!



On Tue, Nov 17, 2009 at 06:43:58AM +0000, John Case wrote:
>
> On Fri, 13 Nov 2009, Paul Syverson wrote:
>
>>> But let's say one sets up X Tor nodes in X different locales and configure
>>> my Tor to use one of those X for my entry, and one of those X for my exit
>>> ... I'm still throttled by my middle hop, but the odds are much higher in
>>> my favor, and I may only need to rebuild my connection once or twice to get
>>> an acceptable speed.
>>
>> Ignoring what the underlying network can observe, the value to having
>> three hops is that the first and last ones don't know about each other
>> directly (so immediately know who to attack to completely deanonymize
>> a connection; they instead need to iterate such an attack). But if you
>> enter and leave the network via nodes you control, the only thing you
>> are getting from adding a "public" hop in the middle is a greater
>> chance of an adversary observing you. The problem with your design is
>> that if anyone discovers the nodes are under your control, then things
>> emerging from/entering them will be suspected of being associated with
>> you. (It was similar considerations that led us to recommend even in
>> the onion routing designs that predated Tor that the network not just
>> be run by/for the DoD.) Worse still, if you add just a middle hop that
>> is not yours, you make things worse, not better. Any time it is you
>> going to a destination observed by your adversary and via a middle hop
>> owned by the adversary, he will be right in guessing the connection is
>> more likely to be yours than are arbitrary connections through the
>> network. He will get this without needing to see your entry connection
>> into the network.
>
>
> Ok, that is perfectly sensible.  My immediate thought, however, is "if all 
> X of my nodes are in different locales (US, Canada, CH, DE, NZ, whatever) 
> wouldn't this correlation be awfully difficult, especially if service is 
> not directly under my name (company front, straw man purchase, fake signup 
> name, etc. ?)"
>
> It's just a thought - I realize your problem is the real-world assurances 
> that people need when they are really under surveillance, and not some rich
> white guy's IT hobby.
>

The more careful analysis still to be done will hopefully say
something more about how difficult such correlation is and whether
things like locale make a difference. (For a related but distinct
example, see my recent paper with Matt Edman "AS-awareness in Tor Path
Selection", available at www.cs.rpi.edu/~edmanm2/ccs159-edman.pdf )

But two related immediate concerns: Irrespective of network analysis
and usage finding relations among/with these relays, this all depends
on your ability to keep hidden exogenous information about those nodes
being related. (I'm talking about the sorts of management things you
just mentioned.) How hard that is probably depends both on how careful
you are (and how you are careful) and who you are trying to hide from.
Relatedly, you may face issues of what makes a good torizen since you
will not have disclosed your ability (or the ability of those who can
coerce/corrupt you) to de-anonymize by yourself their circuits that
start and end with your relays.

-Paul