Re: Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)
- From: "Anthony DiPierro" <or@xxxxxxxxx>
- Date: Fri, 28 Apr 2006 08:17:11 -0400
- In-reply-to: <44520152.80200@ml1.net>
- References: <71cd4dd90604280439w25c5a059la8a2f6a89c78e343@mail.gmail.com> <44520152.80200@ml1.net>
On 4/28/06, glymr <glymr_darkmoon@xxxxxxx> wrote:
>
> Anthony DiPierro wrote:
> > On 4/27/06, Ringo Kamens <2600denver@xxxxxxxxx> wrote:
> >> I don't really see anything wrong with it if you really want to do it. It
> >> doesn't really increase anonymity, but it sounds good to me. I'm assuming
> >> that tor2 sees the ip address of the tor 1 exit node.
> >>
> >
> > The way I picture it it would basically be equivalent to adding extra
> > hops. I remember reading this is possible to hack into the standard
> > tor software, but I believe it requires a recompile and not just a
> > config file tweak.
> >
> > Anyway, it is my understanding that the current default implementation
> > uses three hops. Now am I correct that that includes the exit node?
> > Does it also include the entry node which is generally on the same
> > computer?
> this is incorrect, the entry node, middleman node and exit node are
> separate from the client. if one is running a tor server the entry
> node is indeed the same node but remember a tor server is shuffling
> every other packet from other circuits mixed in with yours, and thus
> it seems logical that it would improve anonymity
OK, thanks for the correction. So the standard implementation (using
privoxy and firefox, for instance), would be:
firefox (local) -> privoxy (local) -> tor client (local) -> tor 1
(remote) -> tor 2 (remote) -> tor 3 (remote, exit node) -> webserver?
> > If so, it seems that in the current default implementation only one
> > compromised node, the middle node (working with the destination site),
> > is needed to significantly impact your anonymity. The IP address of
> > the exit node is generally recorded in web logs along with the time
> > and date. So if the middle node records the incoming and outgoing
> > node IP addresses, that can then be matched up with the web logs. If
> > someone is using three hops the way I described it above, then the
> > incoming IP address would be the address of the tor user, right?
> > Sure, you'd have a little bit of plausible deniability, as there's no
> > proof your system was set up this way, but that's it.
> >
> > Now hopefully I'm just wrong about what constitutes three hops (or
> > that the default setting is three hops). Or maybe I'm missing
> > something as to why this type of attack isn't possible.
> >
> > One thing seems almost certain, adding hops does increase the security
> > against a compromised node attack.
> >
> > Anthony
> a compromised node attack, on average, has to compromise 1/3 of the
> entire tor network to get somewhere approaching good odds of being
> able to identify the endpoints of circuits. possibly 2/3, but i'd say
> 1/3 of nodes being compromised would give usable violation of the
> system... as you may know, there is something like 300-400 servers in
> the tor network now, to compromise it they'd have to put up like
> 150-200 new compromised nodes, or hack and compromise 100-150, either
> task is not trivial at all.
Well, it's a matter of what type of odds are acceptable to you. If
1/100th of circuits are compromised, I'd consider that too high. Now
under the diagram I drew above, that'd require about 1/10 of the nodes
to be compromised. If you add in another hop, then 1/10th of the
nodes being compromised would mean only 1/1000th of circuits were
compromised.
Or am I calculating something wrong?
Anthony
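
Added example, not part of the original message: a Python check of the closing arithmetic for a network of 350 relays (a constructed value inside the 300-400 range quoted above) with one tenth of them compromised. It assumes relays are chosen uniformly without replacement, and reads the message's figures as an adversary who must hold all but one relay of the path; a second, separately assumed model, in which holding only the first and last relay is enough to correlate traffic, is shown beside it because its result does not depend on path length.

```python
from fractions import Fraction
import random


def p_positions_compromised(n, m, needed):
    """Exact probability that `needed` fixed path positions all hold
    compromised relays, drawing uniformly without replacement from
    n relays of which m are compromised."""
    p = Fraction(1)
    for i in range(needed):
        p *= Fraction(m - i, n - i)
    return p


def simulate(n, m, hops, positions, trials=100_000, seed=1):
    """Monte Carlo estimate of the same quantity, as a cross-check."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        path = rng.sample(range(n), hops)  # relay ids below m are compromised
        if all(path[i] < m for i in positions):
            hits += 1
    return hits / trials


def compare(n=350, m=35, hop_counts=(3, 4, 5)):
    """Rows of (hops, chain model, endpoint model).

    chain model    : every relay except one must be compromised
                     (assumed reading of the 1/100 and 1/1000 figures)
    endpoint model : only the first and last relay must be compromised
                     (assumed adversary that correlates traffic end to end)
    """
    rows = []
    for k in hop_counts:
        chain = p_positions_compromised(n, m, k - 1)
        ends = p_positions_compromised(n, m, 2)
        rows.append((k, chain, ends))
    return rows


if __name__ == "__main__":
    for k, chain, ends in compare():
        print(f"{k} hops: chain 1/{float(1 / chain):.0f}, "
              f"endpoints 1/{float(1 / ends):.0f}")
```

Under the chain model each extra hop divides the compromised fraction by roughly ten, matching the message's figures; under the endpoint model it stays near 1/100 whatever the path length. Uniform relay selection is a simplification made for this example.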