
Re: Circuits still shared?



Wouldn't concurrent connections actually be of benefit to security, at least in circumstances where the attacker doesn't know the traffic of the entire network as a whole, or at least not of what's going on at the requesting client end? Also, are there any plans to implement a 'dummy ping' system like Jap uses, where a packet will be sent every X or <X< seconds, just to enhance entropy during times of low or no traffic? Also, just for reference, do you know of any docs that compare Jap and Tor in terms of what their methods are and how secure they are against various attacks?

Thanks,
Andrew

Roger Dingledine wrote:
On Sun, Feb 12, 2006 at 03:56:12AM -0600, Mike Perry wrote:
  
Are multiple TCP connections still multiplexed across a single Tor
circuit?
    

Yes.

  
It would seem to me that this should be a serious compromise
to anonymity. Frequently I am browsing sites that know who I am (or
using AIM, etc) concurrent to accessing those that I'd prefer not to
know me.
    

Right.

  
From reading the FAQ entry
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RemainingAttacks
it sounds like I am at risk for an exit server correlating the two
traffic streams.
    

Yep.

  
Are there any plans to disable this circuit sharing mechanism via a
config option?
    

No, because a new circuit for every TCP connection is too expensive. For
example, you would open a new circuit for every little 1x1 pixel on the
cnn frontpage. This means it would dramatically slow down Tor for users,
and worse, the public key ops required for making these circuits would
overpower the CPUs of our volunteer servers.

But we've got a new tool for resolving this, if you want to start
experimenting. You can write a Tor controller that intercepts each stream
request and decides, for each destination, which circuit to use.

http://tor.eff.org/cvs/tor/doc/control-spec.txt
http://tor.eff.org/cvs/control/doc/howto.txt

And see Geoff's Blossom project for an example:
http://afs.eecs.harvard.edu/~goodell/blossom/

It may be best to first think hard about the tradeoffs of various
approaches to dividing streams over circuits, since optimizing for your
anonymity vs somebody else's donated CPU sounds like a pretty tough
graph to nail down. Let us know when you have some designs and we'll
start thinking about how to analyze and compare them.

--Roger
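
Added illustration, not part of the original thread and not code from the Tor project: one possible policy for the controller approach Roger describes, pinning each destination host to a circuit from a small fixed pool so that a page's many small requests share one circuit while unrelated destinations are separated. The circuit IDs, hostnames and event lines are constructed, and the `650 STREAM` event shape, `ATTACHSTREAM`, `SETEVENTS` and `__LeaveStreamsUnattached` are assumptions about the control protocol to check against control-spec.txt.

```python
# Added example: per-destination stream-to-circuit policy for a Tor controller.
# Assumes the controller has already sent (names per the Tor control protocol):
#   SETCONF __LeaveStreamsUnattached=1
#   SETEVENTS STREAM
# and built the circuits whose IDs are passed in (IDs here are constructed).

class StreamIsolator:
    """Pin each destination host to one circuit drawn from a bounded pool."""

    def __init__(self, circuit_ids, max_circuits=4):
        self.pool = list(circuit_ids)[:max_circuits]
        if not self.pool:
            raise ValueError("need at least one built circuit")
        self.by_host = {}   # host -> circuit ID
        self.assigned = 0   # hosts seen so far, drives round-robin

    def circuit_for(self, host):
        host = host.lower()
        if host not in self.by_host:
            # A bounded pool caps circuit-building (public-key) cost on relays;
            # once it wraps, some unrelated hosts share a circuit again.
            self.by_host[host] = self.pool[self.assigned % len(self.pool)]
            self.assigned += 1
        return self.by_host[host]

    def handle(self, line):
        """Return an ATTACHSTREAM command for a NEW stream event, else None."""
        parts = line.split()
        # Assumed shape: 650 STREAM <StreamID> <Status> <CircID> <host>:<port>
        if len(parts) < 6 or parts[:2] != ["650", "STREAM"] or parts[3] != "NEW":
            return None
        host, sep, port = parts[5].rpartition(":")
        if not sep or not host or not port.isdigit():
            return None  # malformed target: issue no command for it
        return f"ATTACHSTREAM {parts[2]} {self.circuit_for(host)}"


def demo():
    events = [  # constructed event lines
        "650 STREAM 11 NEW 0 news.example:80",
        "650 STREAM 12 NEW 0 news.example:80",
        "650 STREAM 13 NEW 0 chat.example:5190",
        "650 STREAM 11 SUCCEEDED 7 news.example:80",
    ]
    iso = StreamIsolator(["7", "9"])
    return [cmd for cmd in map(iso.handle, events) if cmd]
```

The pool size is the knob for the tradeoff raised in the thread: a larger pool separates more destinations but costs relays more circuit-building work.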