Re: [tor-bugs] #3678 [Tor Client]: Disallow more than one relay per country in a circuit
#3678: Disallow more than one relay per country in a circuit
-------------------------+--------------------------------------------------
Reporter: cypherpunks | Owner:
Type: enhancement | Status: needs_information
Priority: major | Milestone:
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by nickm):
Replying to [comment:15 hellais]:
[...]
> I don't think it's a good idea for The Tor Project to ship an 'official'
> list. People should build one based on their own needs and independent
> organizations will be responsible for explaining the reasoning behind them
> and to what sort of case scenario they apply to.
The anonymity implications of this idea are very worrisome: see the
"Anonymity Loves Company" paper that I did with Roger for the basic
argument here.
In brief: if we're going to push the responsibility for mapping global
backbone eavesdropping and data aggregation onto our users, then we'd
better make sure that this is something they can be reasonably expected
to do, and we had better make sure that having everybody do so in their
own way will not partition the network traffic in a way that actually
makes the attacker's job easier.
> > If we shouldn't ship an "official" list, how will users find a list to
> > use with their Tor client? If different users choose different lists,
> > will Tor's anonymity set be partitioned further?
> >
> > And last, but not least, ''what attack does this defend against''?
>
> I believe this feature will not be used by everybody, just by people
> that are worried about a large scale targeted attack. Let me further
> explain:
> It is a fact that the technology exists and it is being deployed capable
> of collecting information on Terabit networks [2]. It is not so far-
> fetched to believe that if a big government wishes to target a specific
> individual he will request information on that person from various other
> countries with which they are allied. By making circuit building sensible
> to the relationships that exist amongst countries, you are making this
> information sharing much harder (e.g. would it be easy for the Swiss
> government to get traffic dumps from Ukraine?).
>
> So to synthesize we are trying to prevent traffic analysis and
> correlation when allied countries collude against one individual.
So let's analyze that.
Say, for example, that the EU countries are all out to get me, and they
are going to do so by eavesdropping all the communications under their
control and doing full traffic correlation. Suppose that I know this, and
declare that my circuits must never have more than one node in the EU.
Does the proposed routing change '''actually help'''?
It doesn't help much if I'm in the EU: when my exit node is in the EU,
they can correlate me fine. And it doesn't help if I'm outside of the EU
and visiting EU websites: if my entry node is in the EU, then correlation
will still work fine.
So, let's suppose that I'm not in the EU and I never visit EU websites,
otherwise this whole business is hopeless.
Even then, I'm still not in the clear: sometimes the path to my first hop
will travel through the EU and I'll wind up with an EU exit node; or the
path from my last hop to my destination will travel through the EU and
I'll wind up with an EU entry node. (Or even if I just say "ExcludeNodes
{..all the EU..}", sometimes I'll wind up having both the path from me to
my entry ''and'' from my exit to my destination pass through the EU.) So
it still seems that the attack will succeed pretty often if the
attacker can see a reasonably large (geographic) portion of the backbone.
Now, I don't deny that this option is a ''cosmetic'' improvement: I can
easily see a person (say) in the US worried about EU snooping being more
comfortable with a circuit that goes {client in US} -> {DE} -> {JP} ->
{RU} -> {website in IE} than with a circuit that goes {client in US} ->
{DE} -> {US} -> {DE} -> {website in IE}. But -- and here's the important
point -- I think that this increased comfort is probably ''only''
cosmetic. If the EU exchanges are eavesdropped, then the US->DE and
RU->IE last hop are quite likely to pass through some exchanges in common.
So a large fraction of my circuits will still get snooped. If we believe
in statistics, then having a random sample of my stuff get snooped is
approximately as bad as having the whole thing get snooped.
And that's why I'm not convinced. I'm not interested only in an improved
''sense'' of security unless it materially increases actual resistance
against a real attacker. So in order to argue for any feature like this,
I want to see the analysis that shows that I'm wrong in my above and there
''is'' a real improvement, or I want to see an improved routing algorithm
that doesn't fall to the analysis above.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3678#comment:16>
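One way to put the "does it actually help" question into numbers, as an added example that is not part of the ticket or of Tor's path-selection code: it enumerates every 3-hop circuit over a small constructed relay set, with a constructed table of which countries' exchanges each backbone link transits, and counts the circuits where the adversary sees both the client->guard link and the exit->destination link (enough for end-to-end correlation). The relay set, the TRANSIT table, the client/destination countries and the "EU = DE, FR, NL" adversary are all assumptions made up for the example.

```python
from itertools import permutations

# Constructed relay set (name, country); not real Tor relays.
RELAYS = [("r1", "DE"), ("r2", "DE"), ("r3", "FR"), ("r4", "NL"),
          ("r5", "US"), ("r6", "US"), ("r7", "JP"), ("r8", "RU"), ("r9", "RU")]

# Assumed backbone model: the countries whose exchanges a link between two
# countries transits. Links not listed are assumed to transit nobody.
TRANSIT = {
    frozenset({"US", "RU"}): {"DE"},  # assumption: US<->RU crosses a German IX
    frozenset({"RU", "CA"}): {"NL"},  # assumption: RU<->CA crosses a Dutch IX
}

def link_observed(c1, c2, adversary):
    """True if the adversary sees the link between countries c1 and c2,
    either at an endpoint or at an exchange the link transits."""
    if c1 in adversary or c2 in adversary:
        return True
    return bool(TRANSIT.get(frozenset({c1, c2}), set()) & adversary)

def no_policy(guard, middle, exit_):
    """Plain path selection: any three distinct relays."""
    return True

def at_most_n_in(countries, n):
    """Policy: at most n relays of the circuit lie in `countries`
    (n=1 is the ticket's proposal, n=0 is ExcludeNodes for those countries)."""
    def policy(guard, middle, exit_):
        return sum(r[1] in countries for r in (guard, middle, exit_)) <= n
    return policy

def correlated_fraction(client, dest, adversary, policy, relays=RELAYS):
    """Return (seen, total): circuits allowed by `policy`, and how many of
    them expose both ends to `adversary` (enough for traffic correlation)."""
    seen = total = 0
    for guard, middle, exit_ in permutations(relays, 3):
        if not policy(guard, middle, exit_):
            continue
        total += 1
        if (link_observed(client, guard[1], adversary)
                and link_observed(exit_[1], dest, adversary)):
            seen += 1
    return seen, total

if __name__ == "__main__":  # client in US, website in CA, EU eavesdrops
    eu = {"DE", "FR", "NL"}
    for pol in (no_policy, at_most_n_in(eu, 1), at_most_n_in(eu, 0)):
        print("seen/total = %d/%d" % correlated_fraction("US", "CA", eu, pol))
```

Under these assumptions the exposed share drops from 210/504 to 78/300 with the one-relay-in-EU rule and to 6/60 with ExcludeNodes, but never to zero, which is the "random sample of my circuits still gets snooped" fraction the comment argues about; swapping in a different TRANSIT table is how you test a different backbone assumption.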