[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit



#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
 Reporter:  cypherpunks  |          Owner:                   
     Type:  enhancement  |         Status:  needs_information
 Priority:  major        |      Milestone:                   
Component:  Tor Client   |        Version:                   
 Keywords:               |         Parent:                   
   Points:               |   Actualpoints:                   
-------------------------+--------------------------------------------------

Comment(by hellais):

 Replying to [comment:7 rransom]:
 > Replying to [comment:6 ioerror]:
 > > It seems to me that it's a reasonable option. I've long advocated that
 this should be a switch to flip, even if we're not sure it's safe to flip
 it by default.
 >
 > This switch would change a client's path-selection behaviour in a way
 that both entry nodes and exit nodes might be able to observe.  If this
 option is not turned on by default, it's not safe to turn this option on
 at all.
 >
 > And so far, I have seen several people say that we should add this
 option, but I have not seen anyone propose an actual reason to turn this
 option on.  What attack does this option defend against?
 >
 > The !EnforceDistinctSubnets feature was added because of an actual
 incident in which one ISP's customers ran a large portion of the Tor
 network within one /16 (or smaller?) network.  The reason that it's an
 option at all (rather than hard-coded in the Tor source code like Tor's
 refusal to build normal circuits that end at !BadExits or that have two
 hops in the same âfamilyâ) is that developers and researchers who run
 testing Tor networks on a LAN need to be able to turn it off.  It's not
 there just as a pistol for users who think they need âmore anonymityâ to
 shoot themselves in their feet with.
 >

 This feature is necessary because this attack is not something that will
 be easy to detect as it is highly passive and done on backbones.

 > > I think that it's important to consider that countries should be
 grouped - so if we exclude canada more than once, we should also exclude
 the USA at the same time - they're too close. I think I suggested the name
 "PoliticallyAwareCircuits" or something similar.
 >
 > Who do you think should produce and maintain a list of groups of
 countries that are âtoo closeâ?
 >
 > Do you think some European countries are âtoo closeâ to the U.S.?  If
 so, how do you think they would react to being labeled as such?
 >
 > Should The Tor Project ship an âofficialâ list specifying which
 countries are âtoo closeâ?  If two or more groups publish different lists,
 and each group tells us that theirs is âbetterâ than the others, how
 should we choose which one to ship?
 >

 I believe a good starting point to for grouping countries could be the
 current active military alliances, this usually implies that there is some
 level of sharing of information between these countries [1]

 I don't think it's a good idea for The Tor Project to ship an 'official'
 list. People should build one based on their own needs and independent
 organizations will be responsible for explaining the reasoning behind them
 and to what sort of case scenario they apply to.

 > If we shouldn't ship an âofficialâ list, how will users find a list to
 use with their Tor client?  If different users choose different lists,
 will Tor's anonymity set be partitioned further?
 >
 > And last, but not least, ''what attack does this defend against''?

 I believe this feature will not be used by everybody, just by people that
 are worried about a large scale targeted attack. Let me further explain:
 It is a fact that the technology exists and it is being deployed capable
 of collection information on Terabit networks [2] . It is not so far
 fetched to believe that if a big government wishes to target a specific
 individual he will request information on that person from various other
 countries with which they are allied. By making circuit building sensible
 to the relationships that exists amongst countries, you are making this
 information sharing much harder (e.s. would it be easy for the Swiss
 government to get traffic dumps from Ukraine?).

 So to synthesize we are trying to prevent traffic analysis and correlation
 when allied countries collude against one individual.

 [1]
 https://secure.wikimedia.org/wikipedia/en/wiki/List_of_military_alliances#Active_alliances.
 [2] https://secure.wikimedia.org/wikipedia/en/wiki/NarusInsight

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs