[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)

On 4/28/06, glymr <glymr_darkmoon@xxxxxxx> wrote:
Anthony DiPierro wrote:
> Well, it's a matter of what type of odds are acceptable to you.  If
>  1/100th of circuits are compromised, I'd consider that too high.
> Now under the diagram I drew above, that'd require about 1/10 of
> the nodes to be compromised.  If you add in another hop, then
> 1/10th of the nodes being compromised would mean only 1/1000th of
> circuits were compromised.
> Or am I calculating something wrong?
> Anthony
yes, in fact more hops means almost nothing relative to the number of
compromised nodes. remember, the proportion of compromised nodes is
the pool the client picks its hops from, and thus given a random
distribution, the amount of compromise risk reduction accelerates
quickly to nothing with extra hops, and increases latency
unacceptably. The only way to defend against compromised nodes getting
two hops in your circuits would be to implement some kind of system to
register suspect nodes and instruct the client not to use them.

The way I understand it, an attacker would need to compromise all the nodes except for the exit node (and the start node, of course) - *not* that they need to compromise any two nodes in the chain.

If there is an attack that can be made, for example, over a 9 hop
chain where an attacker only has two nodes compromised, I'm not sure
what it is.  I suppose there could be some sort of timing attack, one
that can't be easily mitigated by cover traffic.  Maybe that's what
I'm missing.