
Relay flooding, confirmation, HS's, default relay, web of trust



Some further thoughts on an already mixed thread...

> Would this increase anonymity? As pointed out previously, not much.
> Attacks against Tor anonymity usually relate to entry-point/exit-point
> traffic correlation... Regardless of how many segments are in the
> middle, if your adversary can "corner the market" on exit nodes, it
> doesn't matter how many intermediate relay nodes you're using. (Correct
> me where I'm wrong, experts)

Ahh, ok, I see, entry-exit correlation/tagging/timing/confirmation...
interesting.

I guess a longer path length could only help a quite tiny amount
with that by adding some jitter, packet loss, dead circuit churn,
etc in between.
It certainly directly helps a lot against those entities trying to
do simple hop by hop flow/log requests.

Non-exit relay by default wouldn't help regarding the exit part as
no one's suggesting turning up new exit relays by default.
But it could add more guards making observing any useful subset of
them costlier. But also make the less traffic in them more likely
to be yours.

And what if the opponent runs a hidden service trap?... seems that
then just watching or running the client's entry guard [1] is all that
is needed to confirm both connection and content? Yipes?!!!

I'm no expert. This sounds like a very hard and real problem. Thanks!

[1] One single lucky node, not two, the trap serves as the exit
watchpoint as well.


> Would this increase the health of the overall network? Yes*!

Are there anonymity drawbacks to having a glut of available bandwidth?
Or a glut of legit nodes? Or both?

I've not yet considered that in my suggestion of a model in which
Tor can in fact be used for bulk/P2P transfer and remain resource
healthy.


> Or, as mentioned earlier, we can assign an OR a level of trust
> commensurate with its age?

Maybe there would also be benefit in a web of trust amongst nodes
not unlike a keysigning party. As with social networking, people
vouch for each other in various ways and strengths based on how
they feel that person meets them. I don't see any reason why node
operators [descriptors] could not keysign and have that web encoded
into the descriptors, directories, DHT, etc.

Degrees of separation could also be encoded, and no web is impenetrable.
So it would be just one more means of scoring nodes. The sigs would
be saying:

Hey, I know this operator in real life or online.
They have the skill to run an up to date, reasonably secure node
and at least check for cold compromise once in a while.
And I would be reasonably comfortable were my traffic to transit
their node, excepting of course lawful order or coercion.

As before, loose, just another means.


> Also, symmetry of up/down bandwidth can be an issue too... which is
> unfortunate.

Issue? A non-exit relay runs the same bitrate in and out of its interface,
bytes in, bytes out, over time, it's impossible not to. So your maximum
giveback is limited to the lower of your asymmetrical rates because you'll
saturate the slower side at any greater rate.
The unfortunate thing about it is that all four of economies, tech, policies
and outright suppression conspire to make asymmetry what you see in
the consumer market. As opposed to cable (and various RF tech and fiber
PON's), fiber and DSL aren't really tech limited to asymmetry. So you're just
seeing the other three in action there. Protest, buy more, or co-op and
trench your own neighborhood :)

s/hit/hip/ ;)
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/