
Anonymity questions



Dear Tor users,

Section 6.1 of the TorFAQ at
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ
states privacy problems that Tor solves, and Section 6.7 states
possible attacks.  I'm trying to understand some details.

Let's say Alice talks to Bob through Tor.  The attack by Murdoch and
Danezis (Low-Cost Traffic Analysis of Tor) allows one to identify the
Tor nodes through which Alice's traffic is routed.  At first I
thought: So what?

First, Alice and Bob shouldn't care if the attacker knows all
intermediate nodes as long as neither of them is identified.
Second, when using cascades with predetermined nodes (such as JAP)
the nodes are trivially known to the attacker.  So in what way is
anonymity affected by the attack?

Here is what I'm thinking now.  The question is where Alice, Bob,
and the Tor nodes are located relative to each other (as in
"Location Diversity in Anonymity Networks" by Feamster and
Dingledine, but with a coarser granularity than Autonomous Systems
(ASs)).

1. If Alice and Bob can be observed by Eve, then Eve can trace
their messages before entering and after leaving the Tor net based
on timing and message characteristics (without knowing anything
about the Tor nodes in between).  How likely is Eve's existence?
I guess that if you are in the US then NSA is your Eve, which means
that your communications anywhere within the US will be traced.
(Btw, I once read that BGP routing tables are set up to route as
much non-US traffic through US routers for tapping purposes as
possible.  Unfortunately, I can't find the source any more.  Any
references?)
Similarly, for me living in the EU, pretty soon all my traffic
within Europe might be traceable by law enforcement.  (Yesterday the
Council of the EU adopted the data retention directive passed by the
EU parliament last December.)
If Eve mounts the attack to identify the Tor nodes then she can
considerably reduce the volume of traffic she has to analyze when
looking for Alice and Bob: Alice sends traffic into Tor with a known
Tor destination IP address while Bob receives from a known Tor
source IP address.

2. What about traffic from Alice in the EU to Bob outside the EU,
say the US?  Assuming that US and EU do not cooperate in tracing
Alice and Bob, the EU can still trace them using the attack by
Murdoch and Danezis *if* Alice's exit node is in the EU: They
correlate the traffic leaving Alice with the traffic leaving the
exit node to find Bob's IP address.

3. With three Tor nodes in each circuit, we must neither have the
first and the third node both in the EU nor both in the US because
*all* such Tor communications are traceable: A non-Tor source IP
address in any Tor packet points to Alice, the packet's destination
IP address is the first Tor node.  The first node's output is
addressed to the second Tor node.  Now, Eve waits for traffic from
the second Tor node to enter the third node (which she monitors),
which outputs traffic to Bob.

4. Further ways to exploit the attack?

In view of (2.), EU citizens might want to restrict their ExitNodes
to those outside the EU.  Then, in view of (3.), EntryNodes might be
chosen inside the EU (Alice's own Tor server?).

Does that make sense as a general guideline?

How to choose the second Tor node and a "good" exit node?
What is not clear to me is the following: Is it better to choose Tor
nodes such that packets between them traverse as few ASs as possible
(because each of them can monitor traffic) or do longer routes
provide more anonymity?  If short routes are better, then nodes in
ASs on the path from the entry node to Bob (according to BGP routing
information) are good candidates, which would also reduce latency.
How often would this be possible right now?

Thanks in advance for your insights

Jens