The Case for Banning Reduced Hop Count Implementations

[Lucky Green <shamrock@xxxxxxxxxxxxxx>]

Folks,
I have followed various discussions lately about the creation of reduced
hop Tor clients that implement fewer than the three hops considered by
Tor's design. Such clients represent an attack on Tor as a whole.
Indeed, defenses against reduced hop clients leveraging the Tor network
should be built into Tor's design to defend against this attack.

Today and for the foreseeable future, Tor's network latency relates to
the maximum latency that Tor users are willing to accept. As Tor gets
faster, it attracts more users and more traffic, which in turn increases
latency. As the Tor network increases in latency, it loses users for
whom the latency becomes unacceptably high.

Latency in turn relates to the number of hops. The more hops, the higher
the latency. Which not coincidentally is why some with lower anonymity
requirements may prefer fewer hops. Here is the catch: as traffic from
those with lower anonymity and hop requirements increases, it drives the
latency of three hop connections above the latency acceptable for those
seeking higher anonymity. The end state, if lower than three hop
implementations are permitted to use the Tor network, is that Tor's
network performance will acceptable only to users of lower hop clients.

This fact alone drives a need to block reduced hop clients from the
network. But it gets worse.

Many of those that would be satisfied with fewer hops engage in
comparatively low risk behavior (which is why they are satisfied with
lower anonymity), such as downloading large files of questionable
origin. The protocols commonly used for such downloads can accept higher
latency than the interactive protocols needed by the part of the user
population seeking higher anonymity levels. Pushing the latency of three
hop clients farther out of the usability envelope.

Though the above is more than sufficient cause to block reduced hop
clients from corrupting the Tor network, it deserves mention that single
hop clients in particular remove the protection that Tor's design until
now afforded to exit node operators. If only three hop clients can use
the Tor network, the Tor exit node operator can be confident that
capture of an exit hop's connection log will fail to provide the
attacker with useful tracking information. This discourages both legal
and illegal attacks on Tor exit hops and thus increases the overall
number and capacity of Tor exits.

Removing this protection will lead to an increase in attacks on exit
hops, which in turn will lead to decreased exit capacity. Further
negatively impacting Tor network latency.

In summary, reduced hop clients are deleterious to Tor a whole and users
with the level of anonymity that Tor was design to provide in
particular. Users with lower anonymity needs should be guided towards
the many other systems available today that provide lower anonymity than
Tor.

Most importantly, Tor should implement a (potentially blinded) hop
verification that ensures that lower hop count clients cannot abuse the
Tor network.

--Lucky Green

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/