[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Commercial tor offering?

Hash: SHA1

Lots of words to say that you do not want the system analyzed by outsiders.

Arrakis wrote:
> Robert,
>> At first glance your statement above could be taken to suggest that Onyx 
>> provides provably better anonymity than Tor. A second reading suggests 
>> that you are merely claiming Onyx deploys additional techniques that are 
>> regularly investigated for their anonymity properties, while at the same 
>> time overcoming certain attacks that Tor is still susceptible to.
> As there is no metric for measuring anonymity, it would be accurate to say
> that it is not going to be provable. What we can do is say such a property
> reasonably appears to exist, and make our determinations from there.
>> Would you agree that:
>> - Onyx has not been the subject of independent analysis thus far, so its 
>> anonymity properties are an open question.
> One problem with the idea of "independent analysis" when applied to
> technology,  is that it requires that there is an independent analyst with
> equivalent or superior knowledge to the system provider and tools with
> which to measure a test, and a metric for measurement. Anything less and
> you end up with an estimation that is less matched to the analyst's
> ability, and more synchronized to the analyst himself.
> If you are providing a system with young technologies implemented in a
> unique manner, you are unlikely to find an independent analyst with
> mastery in these implementations, or the ability to test, much less
> measure the veracity of such claims. The use of independent analysis will
> probably come down to warm fuzzies regarding your trust of the reputation
> / authority of the analyst, instead of measurement of the system itself.
> Even then, he can only say at best that it *appears* to have these
> properties.
> However, logically it is possible to disprove claims. If we could agree
> on the mastery of the analyst, and his/her independence, then I don't see
> why we wouldn't allow such attempts.
> Unfortunately, the best possible result you can hope for from the analyst
> is "I couldn't break the system, it appears to be what is purports" which
> isn't going to be an affirmative response, and would be the same response
> given by any less-than-qualified analyst.
> This is where we get back to needing a metric to measure anonymity,
> otherwise we are snipe-hunting for warm fuzzies. Would you agree?
>> - Some of the features you describe are not proven to provide better 
>> anonymity (e.g. traffic padding).
> As there is no metric of measuring anonymity, it would be a moot point
> to say there is a technically "better" anonymity. What we can say is this
> provides what appears to be better anonymity because of a sound design.
> In this specific instance, the matter is that padding increases the
> opacity of the context of a transmission. This generally assumes that the
> less accurate data an adversary has to perform traffic analysis, the
> weaker the signal intelligence and thus the better the anonymity will be.
> Perhaps an analogy would be two gifts under a Christmas tree. One is
> shrink-wrapped and you can clearly see the outline of the object and the
> other is padded in a box. To a casual observer, I could estimate that it
> is easier to determine the contents of the shrink-wrapped item rather
> than the item in the box. Probably not the best analogy, but just at the
> top of the mind.
>> - Onyx's immunity to sybil attacks and exit node injection is not explicit 
>> in its design. This immunity depends on the behaviour of the network 
>> operators.
> That is correct, we verify the integrity of the nodes and extend
> commensurate trust to the operators of those nodes, which is based
> on a reputation system. A pertinent difference is that operators do not
> volunteer, they are only invited, so there is little opportunity for
> malicious nodes.
>> - Are there plans afoot to open Onyx to independent investigation without 
>> becoming a paying customer? Does the design of the Onyx network allow such 
>> investigation?
> If a metric for measuring anonymity is established, I think we would
> gladly welcome such an investigation.
>> - Isn't the use of a small number of privately, centrally owned servers to 
>> provide an anonymity network inherently problematic? Doesn't the anonymity 
>> of the client on such a network depend almost completely on the integrity 
>> of the network operator (i.e. xerobank)?
> The network node ownership and operation is completely decentralized and
> distributed. Nodes are owned and operated by different corporations in
> unique jurisdictions, differing from the location of the nodes they operate.
>> Apologies if some of my questions/assumptions above could be answered or 
>> contradicted by reading the whitepaper in full, but I'm sure they 
>> represent the sentiments of many readers on this list who are a little 
>> skeptical of what kind of beast Onyx actually is but aren't prepared to 
>> analyse it in any depth. This would certainly be a good opportunity for 
>> clearing such matters up with or-talk cynics such as myself.
> It's my pleasure. These are complicated subjects to say the least.
> Steve

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org