[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 188: Bridge Guards and other anti-enumeration defenses



On 2011-10-20, Nick Mathewson <nickm@xxxxxxxxxxxxxx> wrote:

> 4.3. Separate bridge-guards and client-guards
>
>    In the design above, I specify that bridges should use the same
>    guard nodes for extending client circuits as they use for their own
>    circuits.  It's not immediately clear whether this is a good idea
>    or not.  Having separate sets would seem to make the two kinds of
>    circuits more easily distinguishable (even though we already assume
>    they are distinguishable).  Having different sets of guards would
>    also seem like a way to keep the nodes who guard our own traffic
>    from learning that we're a bridge... but another set of nodes will
>    learn that anyway, so it's not clear what we'd gain.

Any attacker who can extend circuits through a bridge can enumerate
the set of guard nodes which it routes its clients' circuits through.
A malicious middle relay can easily determine the set of entry guards
used by a hidden service, and over time, can determine the set of
entry guards used by a user with a long-term pseudonym.  If a bridge
uses the same set of entry guards for its clients' circuits as it does
for its own, users who operate bridges can be deanonymized quite
trivially.


Robert Ransom
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev