[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit
#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
Reporter: cypherpunks | Owner:
Type: enhancement | Status: needs_information
Priority: major | Milestone:
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by hellais):
Replying to [comment:7 rransom]:
> Replying to [comment:6 ioerror]:
> > It seems to me that it's a reasonable option. I've long advocated that
this should be a switch to flip, even if we're not sure it's safe to flip
it by default.
>
> This switch would change a client's path-selection behaviour in a way
that both entry nodes and exit nodes might be able to observe. If this
option is not turned on by default, it's not safe to turn this option on
at all.
>
> And so far, I have seen several people say that we should add this
option, but I have not seen anyone propose an actual reason to turn this
option on. What attack does this option defend against?
>
> The !EnforceDistinctSubnets feature was added because of an actual
incident in which one ISP's customers ran a large portion of the Tor
network within one /16 (or smaller?) network. The reason that it's an
option at all (rather than hard-coded in the Tor source code like Tor's
refusal to build normal circuits that end at !BadExits or that have two
hops in the same âfamilyâ) is that developers and researchers who run
testing Tor networks on a LAN need to be able to turn it off. It's not
there just as a pistol for users who think they need âmore anonymityâ to
shoot themselves in their feet with.
>
This feature is necessary because this attack is not something that will
be easy to detect as it is highly passive and done on backbones.
> > I think that it's important to consider that countries should be
grouped - so if we exclude canada more than once, we should also exclude
the USA at the same time - they're too close. I think I suggested the name
"PoliticallyAwareCircuits" or something similar.
>
> Who do you think should produce and maintain a list of groups of
countries that are âtoo closeâ?
>
> Do you think some European countries are âtoo closeâ to the U.S.? If
so, how do you think they would react to being labeled as such?
>
> Should The Tor Project ship an âofficialâ list specifying which
countries are âtoo closeâ? If two or more groups publish different lists,
and each group tells us that theirs is âbetterâ than the others, how
should we choose which one to ship?
>
I believe a good starting point to for grouping countries could be the
current active military alliances, this usually implies that there is some
level of sharing of information between these countries [1]
I don't think it's a good idea for The Tor Project to ship an 'official'
list. People should build one based on their own needs and independent
organizations will be responsible for explaining the reasoning behind them
and to what sort of case scenario they apply to.
> If we shouldn't ship an âofficialâ list, how will users find a list to
use with their Tor client? If different users choose different lists,
will Tor's anonymity set be partitioned further?
>
> And last, but not least, ''what attack does this defend against''?
I believe this feature will not be used by everybody, just by people that
are worried about a large scale targeted attack. Let me further explain:
It is a fact that the technology exists and it is being deployed capable
of collection information on Terabit networks [2] . It is not so far
fetched to believe that if a big government wishes to target a specific
individual he will request information on that person from various other
countries with which they are allied. By making circuit building sensible
to the relationships that exists amongst countries, you are making this
information sharing much harder (e.s. would it be easy for the Swiss
government to get traffic dumps from Ukraine?).
So to synthesize we are trying to prevent traffic analysis and correlation
when allied countries collude against one individual.
[1]
https://secure.wikimedia.org/wikipedia/en/wiki/List_of_military_alliances#Active_alliances.
[2] https://secure.wikimedia.org/wikipedia/en/wiki/NarusInsight
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs