
Re: [tor-talk] Traffic retention of TOR-Relays in Denmark



Thus spake Andrew Lewman (andrew@xxxxxxxxxxxxxx):

> On Friday, July 15, 2011 10:05:36 AM bemoo129@xxxxxxxxxxxx wrote:
> > Hello,
> > recently I read about the Danish law to log every 500th IP packet,
> > which is on wire between Customer and ISP. Although this Law
> > doesn't affect hosted Servers, I think it is dangerous for Tor-Relays
> > which run on a normal PC at home.
> > 
> > What do you think about this? If very much Packets from Tor-Servers
> > are logged due to this law, are Danish Tor servers now very insecure?
> 
> Let's take this apart into some easy to digest pieces.  
> 
> First, I believe the law is to record IP packet header information, not the 
> contents themselves.  While this is bad, it's the basis of traffic analysis and 
> exactly one scenario in which Tor can defend the user. In part, I'm basing my 
> understanding of this law from 
> https://secure.wikimedia.org/wikipedia/en/wiki/Telecommunications_data_retention#Denmark
>
> [Stuff about client threat model here]

Well, the original question seems to be "should we trust Danish Tor
servers", not "are Tor users safe inside Denmark?" I think you
answered the client side well, but didn't touch the issue with Tor
servers. I'll do my best to talk about the server side.

The risk for the server side comes from an adversary's ability to use
the connection log/sampled log to correlate traffic at the entrances to
the network (Guard nodes) with traffic exiting the network (Exit
nodes).

Let's talk about Guards first.

In the event of Session Logging (2.2.1), there probably is not enough
information to be a serious threat against Guard nodes. Tor clients
use a fixed set of guards, and keep TCP connections open to these
guards for a long time, regardless of activity. 

However, packet sampling (2.2.2) is actually more of a threat.

I believe the closest we have in the research arena to answer this
question is Steven Murdoch's work on sampling Internet Exchange
adversaries:
http://www.cl.cam.ac.uk/~sjm217/papers/pet07ixanalysis.pdf (paper)
http://www.cl.cam.ac.uk/~sjm217/talks/pet07ixanalysis.pdf (slides)

Sections 4 and 5 are the relevant sections from the paper.

His results were best against very large, loud client flows. Small
flows (like web traffic) proved hard to accurately correlate even with
high frequency sampling rates.

So the answer is Danish Tor servers are "probably" safe as Guard nodes
for web traffic.

However, Exits are a different story. 

Session Logging there probably will provide more information than
sampling for Exits. How serious is this threat? It seems bad to me. It
probably gives enough information that we may want to think about
avoiding using Danish exits with EU Guards, or building some more
general mechanism for dealing with cases of known data retention.

The simplest answer to all of these end-to-end statistical attacks is
"more network diversity" and "more users", though. Network diversity
helps to reduce the chance of picking an entry and an exit observed by
the same party. A larger userbase means that even when both ends are
visible, it is harder to correlate flows accurately. This is because
as the event rate of similar sized traffic goes up, correlation
accuracy goes down.

But I'd love to hear what Steven, Roger, Nick and Paul think about all
this, too. 


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
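
A toy model of the two effects described in the message above (small flows leave few sampled packets; more concurrent flows of similar size lower matching accuracy), added here as an illustration and not part of the original message or of the cited paper. The independent per-packet sampling, the threshold `k`, the Poisson arrival of similar flows, the flow sizes and all function names are assumptions.

```python
"""Toy model: 1-in-N packet sampling seen at both ends of a Tor circuit.

Assumptions (not from the thread or the cited paper): every packet is logged
independently with probability 1/N, both ends are sampled independently, an
observer needs at least k logged packets per end to attempt a match, and
similar-sized flows start as a Poisson process.
"""
from math import comb, expm1

SAMPLE_RATE = 500  # "every 500th packet", as stated in the question


def p_at_least(n_packets, k, rate=SAMPLE_RATE):
    """P(at least k of n_packets are logged at one observation point)."""
    p = 1.0 / rate
    p_fewer = sum(comb(n_packets, i) * p**i * (1 - p) ** (n_packets - i)
                  for i in range(k))
    return max(0.0, 1.0 - p_fewer)


def p_both_ends(n_packets, k, rate=SAMPLE_RATE):
    """P(both the guard side and the exit side log at least k packets)."""
    return p_at_least(n_packets, k, rate) ** 2


def p_right_candidate(flows_per_sec, window_sec):
    """Chance a uniform guess picks the true flow when N ~ Poisson(mu) other
    similar flows share the timing window: E[1/(1+N)] = (1 - e^-mu) / mu."""
    mu = flows_per_sec * window_sec
    return 1.0 if mu == 0 else -expm1(-mu) / mu


def exposure(n_packets, k, flows_per_sec, window_sec, rate=SAMPLE_RATE):
    """Combined chance that a flow is both observable and correctly matched."""
    return p_both_ends(n_packets, k, rate) * p_right_candidate(
        flows_per_sec, window_sec)


if __name__ == "__main__":
    # Constructed flow sizes: a small web fetch and a large bulk transfer.
    for label, n in [("web fetch", 300), ("bulk transfer", 200_000)]:
        for per_sec in (0.1, 10.0):
            print(f"{label:13s} packets={n:7d} similar flows/s={per_sec:5.1f} "
                  f"exposure={exposure(n, 5, per_sec, 1.0):.4f}")
```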
